VPN Connection

The 8800, 8900 and 9900 series phones can set up a VPN using the AnyConnect protocol, which connects over HTTPS and, optionally, DTLS. To enable the VPN connection, set <url1> and <certHash1> in SEPMAC.cnf.xml and then enter your username and password via the settings or applications menu on the phone.

Steps for patching, compiling and installing the modified version of OpenConnect VPN Server are below. You should be familiar with building from source before attempting this.

1. Download a copy of the patch below and verify its SHA256 before applying it.

cisco-webvpnlogin-1.1.6.patch (23K), 04/09/2022, SHA256: 3aed16df67cd4c57927486d23630be83c70dc55238bbbee239272b360d9a506a

2. Download the version of OpenConnect VPN Server (ocserv) that matches the version number in the name of the patch.

OpenConnect VPN Server Downloads

3. Extract the archive and apply the patch.

~$ tar --extract --xz --file ocserv-X.X.X.tar.xz
~$ cd ocserv-X.X.X
~/ocserv-X.X.X$ patch --strip=1 < ../cisco-webvpnlogin-X.X.X.patch

4. Configure and build OpenConnect.

~/ocserv-X.X.X$ ./configure --prefix=/usr --sysconfdir=/etc/ocserv --disable-maintainer-mode
~/ocserv-X.X.X$ make

5. Install the patched version of OpenConnect.

~/ocserv-X.X.X$ sudo make install

6. Install the sample configuration file.

~/ocserv-X.X.X$ sudo cp doc/sample.config /etc/ocserv/ocserv.conf
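The six steps above as one script, added here as an example; it is not code from the original page or from the ocserv project. It checks the downloaded patch against the SHA256 published above before applying it, so a modified or corrupted patch is never built into the server. The download URLs are placeholders (the page links the files but gives no URLs) and are assumptions to be set through the PATCH_URL and TARBALL_URL environment variables.

```shell
#!/bin/sh
# Added example (not from the page or the ocserv project): patch, build and
# install ocserv with an integrity check on the patch file first.
set -eu

PATCH_VERSION="1.1.6"                       # version in the patch file name
PATCH="cisco-webvpnlogin-${PATCH_VERSION}.patch"
# SHA-256 of the patch as published on the page
PATCH_SHA256="3aed16df67cd4c57927486d23630be83c70dc55238bbbee239272b360d9a506a"
TARBALL="ocserv-${PATCH_VERSION}.tar.xz"
# Assumed download locations: override with PATCH_URL / TARBALL_URL.
PATCH_URL="${PATCH_URL:-https://example.invalid/${PATCH}}"
TARBALL_URL="${TARBALL_URL:-https://example.invalid/${TARBALL}}"

# Print the lowercase hex SHA-256 of a file using sha256sum or shasum(1).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file's SHA-256 equals the expected digest ($2).
check_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download $1 to $2 unless it is already present.
fetch() {
    [ -f "$2" ] || curl --fail --location --output "$2" "$1"
}

build_ocserv() {
    fetch "$PATCH_URL" "$PATCH"                                   # step 1
    check_sha256 "$PATCH" "$PATCH_SHA256" || {
        echo "SHA-256 mismatch for $PATCH; refusing to apply it" >&2
        return 1
    }
    fetch "$TARBALL_URL" "$TARBALL"                               # step 2
    tar --extract --xz --file "$TARBALL"                          # step 3
    cd "ocserv-${PATCH_VERSION}"
    patch --strip=1 < "../$PATCH"
    ./configure --prefix=/usr --sysconfdir=/etc/ocserv --disable-maintainer-mode   # step 4
    make
    sudo make install                                             # step 5
    sudo mkdir -p /etc/ocserv                                     # step 6
    sudo cp doc/sample.config /etc/ocserv/ocserv.conf
}

# Only build when explicitly asked, so the functions can be sourced alone.
case "${1:-}" in
    build) build_ocserv ;;
    *) echo "usage: $0 build" >&2 ;;
esac
```

Run it as `sh build-ocserv.sh build` from the directory that should hold the sources. The hash check comes before the patch is applied rather than after the download, because it is the patch, not the download, that ends up in the installed binary; a mismatch aborts the script with a non-zero exit status.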

ocserv.conf

The VPN server requires an RSA key and an X.509 certificate. If you already have a certificate, it can be used instead; otherwise a new certificate can be generated using mkcert. See Device Security for more information.

~/certutils-X.X$ sudo ./mkcert --common "OpenConnect" --organization "OpenConnect" --unit "OpenConnect" \
    /etc/ocserv/ocserv.pem

...
# Username and password authentication, the ocpasswd(1) tool can be used to
# manage the password file.
auth = "plain[passwd=/etc/ocserv/passwd]"

# Alternatively[1] use either the MIC or LSC for authentication
#auth = certificate
# User is commonName (CN)
#cert-user-oid =
# Group is organizationName (O)
#cert-group-oid =
# Authenticate MIC using Cisco Root CA 2048 + Cisco Manufacturing CA 2
#ca-cert = "/etc/ocserv/ciscoca.pem"
# Authenticate LSC using a local CA, see Certificate Enrollment
#ca-cert = "/etc/ocserv/capf.pem"

# The key and the certificates of the server. The certificate must match the
# hash set in one of <certHash1> ... <certHash10>.
server-cert = "/etc/ocserv/ocserv.pem"
server-key = "/etc/ocserv/ocserv.pem"

# Any unused TCP port can be used.
tcp-port = 443

# Disable DTLS. To use GCM ciphers DTLS support must be disabled because
# the phone negotiates an SSLv3 connection which only allows for CBC mode
# ciphers.
udp-port = 0

# Prefer 256-bit ciphers, ECDHE-RSA-AES-256-GCM or RSA-AES-256-CBC.
tls-priorities = "SECURE256:NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# Alternatively[1], prefer 128-bit ciphers, ECDHE-RSA-AES-128-GCM or RSA-AES-128-CBC.
#tls-priorities = "SECURE128:NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# Alternatively[2], force CBC ciphers so that DTLS can be enabled. Only
# port 443 can be used.
#udp-port = 443
#tls-priorities = "NONE:+VERS-TLS-ALL:+RSA:+SHA:+AES-256-CBC:+AES-128-CBC:+SIGN-ALL:+COMP-ALL:+CTYPE-ALL:%COMPAT"
#dtls-legacy = true
...

certhash

certhash generates a base64-encoded SHA-1 hash of the VPN server certificate. The hash is then set in one of <certHash1> ... <certHash10> in SEPMAC.cnf.xml and must match the certificate that server-cert points to in ocserv.conf.

~/certutils-X.X$ ./certhash --digest sha1 /etc/ocserv/ocserv.pem
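The same computation done with openssl(1), added here as an example; this is not the certutils certhash tool from the page. It shows what the hash actually covers (the DER encoding of the certificate only, even though ocserv.pem also holds the private key), cross-checks the result against the certificate's SHA-1 fingerprint, and emits the <url1>/<certHash1> pair for SEPMAC.cnf.xml. The VPN URL and the output file names are assumptions.

```shell
#!/bin/sh
# Added example (not the page's certhash tool): certHash = base64(SHA-1(DER cert)).
set -eu

# "openssl x509 -in" reads the first CERTIFICATE block and skips the PRIVATE KEY
# block that mkcert writes into the same ocserv.pem, so the digest covers the
# certificate alone. The PEM text is decoded to DER first: hashing the PEM file
# itself would give a different, wrong value.
cert_hash() {  # $1 = PEM file (certificate, optionally with key)
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | openssl base64
}

# Same digest as lowercase hex, for comparison with
# "openssl x509 -noout -fingerprint -sha1" (colon-separated, uppercase).
cert_hash_hex() {
    cert_hash "$1" | openssl base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Emit the SEPMAC.cnf.xml elements that point the phone at this server.
sep_vpn_elements() {  # $1 = PEM file, $2 = VPN URL
    printf '<url1>%s</url1>\n<certHash1>%s</certHash1>\n' "$2" "$(cert_hash "$1")"
}

if [ -n "${1:-}" ]; then
    # URL is an assumption; use the address the phone will connect to.
    sep_vpn_elements "$1" "${2:-https://vpn.example.net/}"
fi
```

Usage: `sh certhash.sh /etc/ocserv/ocserv.pem https://vpn.example.net/` prints the two elements to paste into SEPMAC.cnf.xml. Because the phone pins the certificate by hash rather than by CA, the value has to be regenerated and pushed to the phones whenever ocserv.pem is renewed.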