Back to Home

HowTo: Connecting to a Cisco VPN Using Aladdin eToken on Linux (Ubuntu)

More recently · I decided to transfer my home computer from Windows to Linux. That is · such an idea has been wandering for some time · fueled by news from the fronts of the struggle against voluntary-compulsory ...

HowTo: Connecting to a Cisco VPN Using Aladdin eToken on Linux (Ubuntu)

More recently, I decided to transfer my home computer from Windows to Linux. That is, such an idea has been wandering for some time, fueled by news from the fronts of the struggle against the voluntary-forced installation of Windows 10 and thoughts about the inevitable obsolescence of the "seven" after XP, but the reason for starting the business was the release of the next Ubuntu LTS release. In this case, I will call the main motive for such a transition a simple curiosity: a home computer is used mainly for entertainment, but acquaintance with the new OS is more fun than others. Moreover, entertainment, it seems to me, is useful in terms of broadening one's horizons. The distribution from Canonical was simply chosen as the most popular: I think this is of great help when I first get acquainted with the system.

Pretty quickly I was convinced from my own experience that Ubuntu is quite suitable for cats and movies. But, since the computer is also used for remote work, a configured connection to the Cisco VPN with eToken authorization was not enough to refuse Windows.

Program set


It was clear that at least a token driver and some VPN client would be needed to connect. As a result of searches on the net, we have the following list:

  1. OpenConnect is a “completely random” VPN client compatible with Cisco AnyConnect servers
  2. GnuTLS is a free implementation of the TLS and SSL protocols. What is important, this library includes p11tool utility for working with smart cards
  3. SafeNet Authentication Client - a set of drivers and additional utilities for working with eToken electronic keys

Since an OpenConnect connection requires a client certificate URL, which can be found using the p11tool utility, and both programs require a driver for working with a smart card, we’ll start by installing this driver.

Installing the eToken Client


As reasonably noted in the article about setting up eToken in Ubuntu 12.04, the link to the SafeNet Authentication Client is almost secret. But at the same time, on the Internet, there was a more recent note about similar dances with a tambourine as early as 14.04, and with a live link to the distribution somewhere in the SafeNet Brazilian branch. What is even more interesting, on the same server there is a file with the current version of the client - 9.1, which, hooray, does not require outdated libraries. The correct way to get a client is, of course, contact your key supplier.

Currently, the SafenetAuthenticationClient-9.1.7-0_amd64.deb package (or the SafenetAuthenticationClient-9.1.7-0_i386.deb package for 32-bit systems) is elementarily put by double-clicking on it in the file manager. But during the beginning of work on this material, a bug in Ubuntu Software was not fixed , because of which the installation of third-party packages did not work. Therefore was written

instructions for downloading and installing the client through the console
wget --user-agent="Mozilla" http://www.proteq.com.br/download/sac/sac9.1_linux.zip # без user-agent сервер файл не отдает
unzip sac9.1_linux.zip -d sac # в отдельную папку, чтобы помойку не разводить
mkdir sacmnt # создаем папку, куда будем монтировать iso
sudo mount -o loop sac/SAC_9_1_Linux.iso sacmnt
# sudo - выполнить с правами суперпользователя# mount -o loop монтирует файл как блочное устройство
sudo dpkg -i sacmnt/Installation/Standard/DEB/SafenetAuthenticationClient-9.1.7-0_amd64.deb # собственно установка
sudo apt install --fix-broken # устанавливаем недостающие пакеты#прибираемся
sudo umount ./sacmnt # размонтировать
rm -d sacmnt # удалить пустую папку
rm -r sac # папка непустая, поэтому рекурсивно


Upon successful installation, the SafeNet Authentication Client Tools application appears in the Applications menu.

Install and configure GnuTLS


The first of the mentioned articles was very useful to me as a whole, but for one line I am especially grateful to the author. Here she is:
pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L

The fact is that at a certain moment I was completely stuck, not understanding why the token from the native client is visible, but not through p11tool. And it was from here that I realized where the driver itself lies. Knowing the path to the driver, install and configure GnuTLS according to the instructions .

sudo apt install gnutls-bin
sudo mkdir /etc/pkcs11
sudo mkdir /etc/pkcs11/modules
echo'module: /usr/lib/libeTPkcs11.so' > eToken.module # записали путь к драйверу в файл eToken.module
sudo mv eToken.module /etc/pkcs11/modules # перенесли файл в папку, где его найдет GnuTLS

Now any application using GnuTLS will be able to work with the token. And we can use the p11tool utility to find out the URL of our certificate.

Reading Token Data


You can list the certificates available in the token with the following command:

p11tool --login --list-certs 'pkcs11:model=eToken'

The output of p11tool looks something like this:

Object 0:
URL: pkcs11: model = eToken; manufacturer = SafeNet% 2c% 20Inc.; Serial = 99999999; token = Username; id =% XX% XX; object =% 7bXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX% 7d; type = cert
Type: X.509 Certificate
Label: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
ID: XX: XX
Object 1: ...

There can be several certificates, and one specific one is required for connection. The instructions for p11tool from OpenConnect in such a situation to try to offer everyone. To compare the certificate with its URL, I made a small script that displays both the URL and the text data of each certificate:

sudo apt install openssl # по-умолчанию не установлен
p11tool --login --list-certs 'pkcs11:model=eToken' | grep -P pkcs11.+id.* -o | whileread -r line; do p11tool --info "$line";  p11tool --export"$line" | openssl x509 -text; done

Here, in a loop through the URLs of the objects p11tool --info displays the certificate data in its presentation, and p11tool --export transfers the certificate in the pem file format to the openssl input, which displays the text representation. To transfer to OpenConnect we need the one where the Client Authentication line is found - remember its URL. In addition, if the server uses a self-signed certificate, we also remember the URL of the object with the flag CKA_CERTIFICATE_CATEGORY = CA.

We export the certificate of the certification authority to a file (the entire URL is optional - if only it uniquely identifies the object):

p11tool --export'pkcs11:model=eToken;...' > CA.pem # подставить URL сертификата удостоверяющего центра

Finally OpenConnect


Install:

sudo apt install openconnect

The minimum set of arguments to connect is given in the following command:

sudo openconnect --certificate 'pkcs11:model=eToken;id=%XX%XX' your.vpn.server.com
# где %XX%XX - запомненный ранее id сертификата клиента

If the server uses a self-signed certificate, when launched in this form, OpenConnect will specify whether we trust the server, and in addition, the terminal window will be taken. Therefore, we will slightly expand the command:

sudo openconnect --certificate 'pkcs11:model=eToken;id=%XX%XX' --cafile=CA.pem --background --pid-file=connect.pid your.vpn.server.com > connect.log
# UPD: исправил опечатку в ключе certificate

Using the cafile we specified the certificate of the certification authority - now there will be no question regarding trust in the server. The background option speaks for itself, and pid-file allows you to specify the name of the file in which the identifier of the background process is stored. In addition, the token password can be specified directly in the URL using the pin-value attribute. But this is somewhat ... unsafe.

Stop the background process correctly with the following command:

sudo kill --signal SIGINT $(< connect.pid) # $() - подстановка команды, т.к. kill не признает stdin

According to SIGINT, OpenConnect correctly terminates the connection, and if you disconnect the connection “hard”, there may be problems during the next connection. Although I didn’t.

Afterword


The problem is solved, and I joyfully use Remmina for remote access, which I launch immediately when connected to vpn, adding the command to the OpenConnect startup script:

cd ~
remmina --connect=./.remmina/myconnection.remmina

True, I had to disable clipboard synchronization: otherwise, it doesn’t work in some applications on a remote machine; and enable the “Disable tray icon” setting: otherwise, a new icon is added to the tray every time you connect. Again, switching to the home directory before calling Remmina is no accident: the application does not see the path ~ / .remmina / myconnection.remmina , and setting the full path with the username seems wrong to me.

I won’t draw any conclusions regarding the applicability of Linux at home - for now, I have enough, and the article was designed just like HowTo.

PS: The final choice of the Ubuntu version was influenced by the solution to this problem: in the fifth version included in Ubuntu 14.04, an OpenConnect version showed an error that prevented the connection from being established. For the sake of the seventh version of OpenConnect devoid of that error, I delivered probably still raw 16.04.

Once again links to the materials used:

HowTo: Internet banking for legal entities using Aladdin eToken on Linux (Ubuntu)
Install SafeNet eToken PRO on Ubuntu 14.04 LTS
Invoking p11tool from GnuTLS
OpenConnect Smart Card / PKCS # 11 support

Read Next