VPN (Linux)

Information about using the AnyConnect VPN under Linux.

Cisco AnyConnect Client

The Cisco AnyConnect client for Linux that you can download from

https://vpn.mpcdf.mpg.de

will generally work well under most Linux distributions and is what we recommend using.

More information about system requirements and known issues is available in the release notes:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect47/release/notes/b_Release_Notes_AnyConnect_4_7.html

Certificate error

The Cisco AnyConnect client uses the Mozilla Firefox certificate store to verify the server certificate.
If you do not have Firefox installed or the profile (~/.mozilla/firefox/…) is for some reason inaccessible to AnyConnect, you will get a certificate error when you try to connect.

To work around that, either install Mozilla Firefox and launch it at least once so that the profile gets created, or manually download the CA certificate, place it under /opt/.cisco/certificates/ca, and restart the VPN agent:

sudo wget https://www.pki.dfn.de/fileadmin/PKI/zertifikate/T-TeleSec_GlobalRoot_Class_2.pem -O /opt/.cisco/certificates/ca/T-TeleSec_GlobalRoot_Class_2.pem
sudo systemctl restart vpnagentd
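
The manual workaround makes the downloaded file a trusted root for the VPN client, so it is worth comparing its fingerprint with the value the CA operator publishes before installing it. The following is an added example, not part of the original page: the function names are hypothetical, and EXPECTED_SHA256 is a placeholder you must fill in from a source other than the download itself.

```shell
#!/bin/sh
# Added example: verify the CA certificate before trusting it.
CA_URL="https://www.pki.dfn.de/fileadmin/PKI/zertifikate/T-TeleSec_GlobalRoot_Class_2.pem"
CA_DIR="/opt/.cisco/certificates/ca"
# Placeholder (assumption): replace with the published SHA-256 fingerprint.
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256_FINGERPRINT"

# Normalise a fingerprint: strip colons/whitespace, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the PEM certificate in $1 (empty on error).
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed only if $1 parses as an X.509 CA certificate with fingerprint $2.
verify_ca_cert() {
    file=$1
    expected=$(normalize_fp "$2")
    actual=$(normalize_fp "$(cert_sha256 "$file")")
    [ -n "$actual" ] || { echo "not a PEM certificate: $file" >&2; return 1; }
    openssl x509 -in "$file" -noout -text | grep 'CA:TRUE' >/dev/null \
        || { echo "not a CA certificate: $file" >&2; return 1; }
    [ "$actual" = "$expected" ] \
        || { echo "fingerprint mismatch, got: $actual" >&2; return 1; }
}

# Download to a temporary file; install and restart the agent only on a match.
install_ca_cert() {
    tmp=$(mktemp) || return 1
    if wget -q "$CA_URL" -O "$tmp" && verify_ca_cert "$tmp" "$EXPECTED_SHA256"; then
        sudo install -m 0644 "$tmp" "$CA_DIR/$(basename "$CA_URL")" &&
            sudo systemctl restart vpnagentd
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Run as "sh script.sh install"; without the argument nothing is changed.
if [ "${1:-}" = "install" ]; then
    install_ca_cert
fi
```

With the placeholder left in place the check fails and prints the fingerprint of the downloaded file, which you can then compare by hand against the published value.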

Logfiles

AnyConnect writes troubleshooting information to the system log:

sudo journalctl | grep acvpn

These log entries may help you resolve further problems yourself and are also useful if you need to open a ticket with our helpdesk.

Alternative OpenConnect client

If the Cisco AnyConnect client is not working for you for some reason or you just prefer not to install third-party software, the OpenConnect client is included in most recent distributions. While not officially supported, it has proven to work quite well: https://www.infradead.org/openconnect/packages.html

Usually you will have to install two packages, OpenConnect itself and the NetworkManager integration. For example:

# openSUSE
sudo zypper install openconnect NetworkManager-openconnect

# Ubuntu
sudo apt install openconnect network-manager-openconnect

Two-Factor Authentication (2FA)

If your account requires two-factor authentication (2FA), OpenConnect / NetworkManager will display two password fields. Enter your normal password in the first field and the one-time code (OTP) in the second one.