VPN Connection

The 7942, 7962, 7945, 7965 and 7975 models and the 8800, 8900 and 9900 series phones can setup a VPN using the AnyConnect protocol which connects via HTTPS and DTLS. To enable the VPN connection set <url1> and <certHash1> in SEPMAC.cnf.xml and then enter your username and password via the settings or applications menu on the phone.

Steps for patching, compiling and installed the modified version of OpenConnect Server are below. You should be familiar with building from source before attempting this.

1. Download a copy of the patch below.

file_download cisco-webvpnlogin-0.12.6.patch (15K) event 24/03/2020 security SHA256:0e1bda447cac1a2ab8189144bb9f7ee9e903fccf163436f7dd6f7cd3bbbfff6d.

2. Download the version of OpenConnect Server that matches the version number in the name of the patch.

open_in_browser OpenConnect Server Downloads (ftp://ftp.infradead.org/pub/ocserv).

3. Extract the archive and apply the patch.

~$ tar -Jxvf ocserv-0.12.6.tar.xz ~$ cd ocserv-0.12.6 ~/ocserv-0.12.6$ patch -p1 < ../cisco-webvpnlogin-0.12.6.patch
4. Configure and build OpenConnect Server.

~/ocserv-0.12.6$ ./configure --prefix=/usr --sysconfdir=/etc/ocserv --disable-maintainer-mode ~/ocserv-0.12.6$ make
5. Install the patched version of OpenConnect Server.

~/ocserv-0.12.6$ sudo make install
6. Install the sample configuration file.

~/ocserv-0.12.6$ sudo cp doc/sample.config /etc/ocserv/ocserv.conf


The VPN server requires an RSA key and X509 certificate, if you already have a certificate that can be used instead. Otherwise a new certificate can be generated using gencert.

~/certutils$ ./gencert -c CA.pem -C "OpenConnect VPN" -b 2048 -y 1 -o vpn.pem
An archive containing the scripts need to generate and hash X509 certificates files can be downloaded from the URL below.

file_download certutils-2.1.tar.gz (15K) event 03/06/2020 security SHA256:53e5965fe90b8a8cb2cac9b947333e509f6018778e7249e417ff02bb24e01cb3.

... # Only username and password authentication is supported for Cisco phones. # The ocpasswd(1) tool can be used to manage the password file. auth = "plain[passwd=/etc/ocserv/passwd]" # The key and the certificates of the server. The certificate must match the # hash set in one of <certHash1> ... <certHash10>. server-cert = "/etc/ocserv/vpn.pem" server-key = "/etc/ocserv/vpn.pem" # Force the cipher to AES-128 as the TLS cipher must be the same as the DTLS # cipher otherwise the phone will log an "old session cipher not returned" # error. tls-priorities = "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-ALL:+CTYPE-ALL:%COMPAT" ...


certhash is used to generate a base64 encoded version of the SHA1 hash of the VPN server certificate. The hash is then set in one of <certHash1> ... <certHash10> in SEPMAC.cnf.xml.

~/certutils$ ./certhash -d sha1 vpn.pem s4U4A2DqXtupmzGuEGm2NCjxW/Y=