VPN: CISCO AnyConnect fails on Manjaro KDE

Hi there,

I can’t get VPN to work on my Manjaro KDE install. More specifically I can’t get CISCO AnyConnect to work.

I installed CISCO AnyConnect from AUR. There are some issues with the install. From the AUR comments it is clear that other Manjaro users have run into problems as well.

Firstly the GUI doesn’t work; meaning that the GUI is launching, but it’s all grey and not responsive. However, by running vpnagentd the GUI starts correctly:

/opt/cisco/anyconnect/bin/vpnagentd

Only then can vpnui be launched. However, I get the following error when trying to connect to the university where I’m employed:

Automatic profile updates are disabled and the local VPN profile does not match the secure gateway VPN profile.

This also happens if I run the commands as sudo.

Strangely it works with Linux Manjaro Cinnamon. I have tried CISCO AnyConnect on two different laptops running Linux Manjaro KDE, and it fails, while it runs just fine on my laptop running Linux Manjaro Cinnamon, and there I don’t need to first start vpnagentd. For that reason I decided to post here.

Anyone have an idea on how to fix this?

With kind regards
Morten

Do you really need this proprietary client?

I’m using openconnect to connect to a company’s cisco vpn.

I’m not able to make openconnect work. If I could that would be great!

It isn’t officially supported by the university I work for. However, it should work by using the following command.

sudo openconnect vpn_address --csd-wrapper /path/to/csd-wrapper.sh

With this csd-wrapper:

#!/bin/sh
#set -x

# Values reported to the gateway in the X-AnyConnect-Identifier-* headers
platform_version="x86x64"
device_type="Linux-x86"
device_uniqueid="AAAAAAA"

# delete the csdXXXXXX temp files so they don't start piling up
rm -f "$1"

# CSD_TOKEN and CSD_HOSTNAME are set by openconnect before it runs this script.
# The here-document below is sent as the POST body (read from stdin via @-).
# Note: --insecure disables TLS certificate verification for this request.
exec curl \
--globoff \
--insecure \
--user-agent "AnyConnect Linux" \
--header "X-Transcend-Version: 1" \
--header "X-Aggregate-Auth: 1" \
--header "X-AnyConnect-Identifier-Platform: linux" \
--header "X-AnyConnect-Identifier-PlatformVersion: $platform_version" \
--header "X-AnyConnect-Identifier-DeviceType: $device_type" \
--header "X-AnyConnect-Identifier-Device-UniqueID: $device_uniqueid" \
--cookie "sdesktop=$CSD_TOKEN" \
--data-ascii @- "https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml" <<END
endpoint.feature="failure";
endpoint.os.version="Linux";
END

Running sudo openconnect vpn_address --csd-wrapper /path/to/csd-wrapper.sh gives the following output:

POST vpn_address
Connected to IP_address
SSL negotiation with vpn_address
Connected to HTTPS on vpn_address with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Trying to run CSD Trojan script ‘…/csd-wrapper.sh’.
curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled
CSD script ‘…/csd-wrapper.sh’ returned non-zero status: 35
Authentication may fail. If your script is not returning zero, fix it.
Future versions of openconnect will abort on this error.
GET vpn_address/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second…
GET vpn_address/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn_address
Connected to HTTPS on vpn_address with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second…
GET vpn_address/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn_address

Any ideas?

I’m sorry, it works for me without any csd wrapper. I’m sorry I can’t be of more help.

Sometimes there are nice people working in University IT, could you ask them if they know a solution?

That’s alright. I still appreciate the suggestions.

There are nice people working at the IT department. However, they were not able to help. They probably don’t put much effort into this as Linux isn’t supported, and this is only an issue when I’m working from home.

I feel you. “What is this Linux you’re speaking of?”