Saturday, January 24, 2015

Connecting to a Cisco ASA VPN with DoD CAC on CentOS 7

Update: I've created scripts to automate much of this process. You can find them on GitHub.


I often need to connect to a VPN with a Cisco ASA box at the head-end, using a DoD CAC (smart card) for authentication.

On Windows, this is often accomplished using Cisco's AnyConnect VPN client software. On Linux however, that option would never work for me. I tried to download it from the VPN https site, but it wouldn't load.

On Linux, we have an open-source alternative, called openconnect. The difficult part is getting it to use our smart card, and present the correct certificate to the VPN.

I found the following pages very useful in trying to get this all to work:

openconnect uses p11-kit to interact with PKCS #11 modules. (PKCS #11 is the standard for interfacing with cryptographic tokens, like smart cards.) The first thing we need to do is tell p11-kit to use the libcoolkey pkcs11 module. Do this by creating a new file named /etc/pkcs11/modules/libcoolkey.module, and adding the following line to it:

module:/usr/lib64/pkcs11/libcoolkeypk11.so

Next, we'll use p11tool --list-tokens to list all of the tokens on our system. You should see your smart card in this list. Mine showed up like this (along with others):

$ p11tool --list-tokens
...
Token 6:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxxxx
 Label: REINHART.JONATHON.RICHARD.xxxxxxxx
 Manufacturer: 
 Model: 
 Serial:

Now, we want to look at all of the certificates available on our smart card. We'll use p11tool --list-all-certs [url], where [url] is the URL of our smart card token from the previous step:

$ p11tool --list-all-certs pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxx
Object 0:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%01;object=CAC%20ID%20Certificate;object-type=cert
 Type: X.509 Certificate
 Label: CAC ID Certificate
 ID: 00:01

Object 1:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
 Type: X.509 Certificate
 Label: CAC Email Signature Certificate
 ID: 00:02

Object 2:
 URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert
 Type: X.509 Certificate
 Label: CAC Email Encryption Certificate
 ID: 00:03
So we can see the three certificates available on our smart card.

The Windows AnyConnect software will pop-up a dialog asking you to select the certificate for authentication when the server asks for a client certificate. openconnect currently has no such functionality, so we need to explicitly tell openconnect which certificate to use. In my case, I already knew it was the certificate with ID: 00:02, the "CAC Email Signature Certificate". So I pass the -c option, with the minimal URL to unambiguously refer to that certificate:

$ sudo openconnect -c 'pkcs11:token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02' vpn.example.com

Note that I had to use sudo because openconnect will invoke some scripts to set up the tun device and routing.

At this point, openconnect should ask for your PIN, and then successfully connect to the VPN! If not, you may need to try the other certificates, by changing the id= part of the certificate URL.

Finally, there are still a few outstanding warnings that occur during this process:

  • Certificate from VPN server "vpn.example.com" failed verification. Reason: signer not found - I need to determine which certificate this is exactly, and how to add it to my trusted certificate store.

Note: I've had to install various packages and make various changes in playing with my smart card, so if something isn't working for you, or I've skipped a step, please leave a comment so I can make this post more accurate. Thanks!

Update: Additional steps - I'll work these in above at some point:

  • yum install coolkey
  • service pcscd start (on Fedora 21)