Update: I've created scripts to automate much of this process. You can find them on GitHub.
I often need to connect to a VPN with a Cisco ASA box at the head-end, using a DoD CAC (smart card) for authentication.
On Windows, this is often accomplished using Cisco's AnyConnect VPN client software. On Linux however, that option would never work for me. I tried to download it from the VPN https site, but it wouldn't load.
On Linux, we have an open-source alternative, called openconnect. The difficult part is getting it to use our smart card, and present the correct certificate to the VPN.
I found the following pages very useful in trying to get this all to work:
openconnect uses p11-kit to interact with PKCS #11 modules. (PKCS #11 is the standard for interfacing with cryptographic tokens, like smart cards.) The first thing we need to do is tell p11-kit to use the libcoolkey pkcs11 module. Do this by creating a new file named /etc/pkcs11/modules/libcoolkey.module
, and adding the following line to it:
module:/usr/lib64/pkcs11/libcoolkeypk11.so
Next, we'll use p11tool --list-tokens
to list all of the tokens on our system. You should see your smart card in this list. Mine showed up like this (along with others):
$ p11tool --list-tokens
...
Token 6:
URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxxxx
Label: REINHART.JONATHON.RICHARD.xxxxxxxx
Manufacturer:
Model:
Serial:
Now, we want to look at all of the certificates available on our smart card. We'll use p11tool --list-all-certs [url]
, where [url]
is the URL of our smart card token from the previous step:
$ p11tool --list-all-certs pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxx
Object 0:
URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%01;object=CAC%20ID%20Certificate;object-type=cert
Type: X.509 Certificate
Label: CAC ID Certificate
ID: 00:01
Object 1:
URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
Type: X.509 Certificate
Label: CAC Email Signature Certificate
ID: 00:02
Object 2:
URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert
Type: X.509 Certificate
Label: CAC Email Encryption Certificate
ID: 00:03
So we can see the three certificates available on our smart card.
The Windows AnyConnect software will pop-up a dialog asking you to select the certificate for authentication when the server asks for a client certificate. openconnect currently has no such functionality, so we need to explicitly tell openconnect which certificate to use. In my case, I already knew it was the certificate with ID: 00:02
, the "CAC Email Signature Certificate". So I pass the -c option, with the minimal URL to unambiguously refer to that certificate:
$ sudo openconnect -c 'pkcs11:token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02' vpn.example.com
Note that I had to use sudo
because openconnect will invoke some scripts to set up the tun device and routing.
At this point, openconnect should ask for your PIN, and then successfully connect to the VPN! If not, you may need to try the other certificates, by changing the id= part of the certificate URL.
Finally, there are still a few outstanding warnings that occur during this process:
Certificate from VPN server "vpn.example.com" failed verification. Reason: signer not found
- I need to determine which certificate this is exactly, and how to add it to my trusted certificate store.
Note: I've had to install various packages and make various changes in playing with my smart card, so if something isn't working for you, or I've skipped a step, please leave a comment so I can make this post more accurate. Thanks!
Update: Additional steps - I'll work these in above at some point:
yum install coolkey
service pcscd start
(on Fedora 21)