Cisco VPN AnyConnect Secure Gateway Error

I use the Linux Cisco AnyConnect VPN client to connect to a VPN server at the University of Oxford but recently began receiving this error:

AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.

I tried all the usual troubleshooting steps including re-installing, upgrading version and trying the client in a clean install of the OS in a virtual machine. None worked.

After googling, the error cause appeared to be the same as that detailed on this site about certificate errors. In particular, one of the comments by Nathan on 27th April 2012.

In brief it occurs because the Cisco client can't identify the Certifying Authority (CA) for the VPN server.

Solving the problem

The first step is to identify the CA for your VPN server:

$ openssl s_client -connect vpn.ox.ac.uk:443 |& sed -n '/^issuer=/s/.*CN=//p'
TERENA SSL CA

Then if you're lucky, this CA root certificate will be available on your computer in your Firefox installation already. Check by going to Firefox > Edit > Preferences > Advanced > View Certificates. Scroll down to find your CA and export the certificate somewhere as a .pem file e.g. your home directory. Then copy the .pem file to the correct location for the Cisco VPN client:

$sudo cp exported.pem /opt/.cisco/certificates/ca/

If, however, you're like me and aren't lucky enough to have the CA already listed in Firefox, you'll have to google for the relevant root certificate. In my case, I found them on the Terena website by googling "TERENA SSL CA root certificate". As I wasn't sure exactly which file I needed, I downloaded each of the three .pem files listed under the Server Certificate CA section and copied them to the Cisco certificates folder shown above. This solved the authentication problem. (For reference: Certificate 1, Certificate 2 and Certificate 3).

Missing libraries when running

After correcting the certificate error, I had further errors thrown up when I tried to connect using the command line vpn client. Each of these complained about a missing library and were solved by installing the relevant libraries along with the 32 bit compatability library. In OpenSUSE this looks like this:

$sudo zypper install libatk-1.0.so.0
$sudo zypper install compat-32bit
$sudo zypper install libgdk-x11-2.0.so.0

I can finally use the VPN at last but there is still a problem because the VPN client redirects all local traffic to the VPN adapter. This makes it impossible to use local network resources (e.g. a shared drive on another machine in your local network) whilst being on the VPN. I'm working on a solution to this now and will post it when I've worked it out.

First published on 15th January 2013 and last modified on 30th January 2013.