VPN Connection

The 6900, 7800, 8800, 8900 and 9900 series phones can set up a VPN using the AnyConnect protocol, which connects over HTTPS (TLS) and, optionally, DTLS. To enable the VPN connection, set <url1> and <certHash1> in SEPMAC.cnf.xml and then enter your username and password via the settings or applications menu on the phone.

The steps for patching, compiling and installing the modified version of OpenConnect Server (ocserv) are below. You should be familiar with building from source before attempting this.

1. Download a copy of the patch below.

cisco-webvpnlogin-0.12.6.patch (15K), 24/03/2020, SHA256: 0e1bda447cac1a2ab8189144bb9f7ee9e903fccf163436f7dd6f7cd3bbbfff6d. Check the SHA256 sum of the downloaded file against this value before applying the patch.

2. Download the version of OpenConnect Server that matches the version number in the name of the patch.

OpenConnect Server Downloads (ftp://ftp.infradead.org/pub/ocserv).

3. Extract the archive and apply the patch.

~$ tar -Jxvf ocserv-0.12.6.tar.xz
~$ cd ocserv-0.12.6
~/ocserv-0.12.6$ patch -p1 < ../cisco-webvpnlogin-0.12.6.patch

4. Configure and build OpenConnect Server.

~/ocserv-0.12.6$ ./configure --prefix=/usr --sysconfdir=/etc/ocserv --disable-maintainer-mode
~/ocserv-0.12.6$ make

5. Install the patched version of OpenConnect Server.

~/ocserv-0.12.6$ sudo make install

6. Install the sample configuration file.

~/ocserv-0.12.6$ sudo cp doc/sample.config /etc/ocserv/ocserv.conf


The VPN server requires an RSA key and an X.509 certificate. If you already have a suitable certificate it can be used instead; otherwise a new certificate can be generated using gencert.

~/certutils$ ./gencert -c ca.pem -C "OpenConnect" -b 2048 -y 1 -o vpn.pem
An archive containing the scripts needed to generate and hash X.509 certificate files can be downloaded from the URL below.

certutils-2.4.tar.gz (16K), 05/11/2020, SHA256: 205aa54ef00752bf3245276b7104a512f6deb5fe09948aaaa309ce8db2dc5d9e.

The relevant settings in /etc/ocserv/ocserv.conf are:

...
# Only username and password authentication is supported for Cisco phones.
# The ocpasswd(1) tool can be used to manage the password file.
auth = "plain[passwd=/etc/ocserv/passwd]"

# The key and the certificates of the server. The certificate must match the
# hash set in one of <certHash1> ... <certHash10>.
server-cert = "/etc/ocserv/vpn.pem"
server-key = "/etc/ocserv/vpn.pem"

# Any unused TCP port can be used.
tcp-port = 443

# Disable DTLS. To use GCM ciphers DTLS support must be disabled because
# the phone negotiates an SSLv3 connection which only allows for CBC mode
# ciphers.
udp-port = 0

# Prefer 256-bit ciphers, ECDHE-RSA-AES-256-GCM or RSA-AES-256-CBC.
tls-priorities = "SECURE256:%COMPAT"

# Alternatively[1], prefer 128-bit ciphers, ECDHE-RSA-AES-128-GCM or RSA-AES-128-CBC.
# tls-priorities = "SECURE128:%COMPAT"

# Alternatively[2], force CBC ciphers so that DTLS can be enabled.
# udp-port = 443
# tls-priorities = "NONE:+VERS-TLS-ALL:+RSA:+SHA:+AES-256-CBC:+AES-128-CBC:+SIGN-ALL:+COMP-ALL:+CTYPE-ALL:%COMPAT"
# dtls-legacy = true
...


certhash is used to generate a base64-encoded SHA-1 hash of the VPN server certificate. The hash is then set in one of <certHash1> ... <certHash10> in SEPMAC.cnf.xml. Because the hash pins the exact certificate, it must be regenerated and the phone configuration updated whenever the server certificate is renewed or replaced.

~/certutils$ ./certhash -d sha1 vpn.pem
s4U4A2DqXtupmzGuEGm2NCjxW/Y=
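As an added example (not the certutils script and not code from the original page), the following Python re-implements the certhash step with the standard library only. It assumes that the value certhash prints is the base64 encoding of the digest over the DER-encoded certificate (the usual certificate fingerprint, without the hex/colon formatting), and that vpn.pem is laid out as gencert produces it above, with the private key and the certificate in one file, so the CERTIFICATE block must be selected and the key block skipped. The sample PEM embedded below is constructed for the example: its "certificate" body is the bytes of the string hello rather than real DER, which is enough to exercise the block selection and the hashing.

```python
"""Compute the base64-encoded certificate hash for <certHash1> ... <certHash10>.

Added example, not part of the original page or the certutils package.
Assumption: the digest is taken over the DER-encoded certificate, and the
input file may contain a private key block before the certificate.
"""
import base64
import hashlib
import re
import sys

# Matches one PEM block and captures its label and its base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed sample input: a key block followed by a "certificate" whose
# body is base64("hello"). Not a real key or certificate.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "bm90YXJlYWxrZXk=\n"
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "aGVsbG8=\n"
    "-----END CERTIFICATE-----\n"
)


def certificates_from_pem(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in order.

    Other block types ("RSA PRIVATE KEY", "PRIVATE KEY", ...) are ignored so a
    combined key+certificate file such as vpn.pem can be passed directly.
    """
    ders = []
    for label, body in _PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            ders.append(base64.b64decode("".join(body.split())))
    return ders


def cert_hash(pem_text, algo="sha1"):
    """Base64 of the digest of the first certificate in pem_text.

    algo is any hashlib algorithm name; the phone configuration described on
    this page uses sha1.
    """
    ders = certificates_from_pem(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE block found in PEM input")
    digest = hashlib.new(algo, ders[0]).digest()
    return base64.b64encode(digest).decode("ascii")


def cert_hash_element(pem_text, index=1, algo="sha1"):
    """Render the <certHashN> element for SEPMAC.cnf.xml (N in 1..10)."""
    if not 1 <= index <= 10:
        raise ValueError("only <certHash1> ... <certHash10> exist")
    value = cert_hash(pem_text, algo)
    return "<certHash%d>%s</certHash%d>" % (index, value, index)


if __name__ == "__main__":
    # Usage: python3 certhash.py /etc/ocserv/vpn.pem
    # With no argument the constructed sample above is hashed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="ascii") as fh:
            pem = fh.read()
    else:
        pem = SAMPLE_PEM
    print(cert_hash_element(pem))
```

Run it against the same vpn.pem that server-cert points to in ocserv.conf and compare the output with the certhash result above; if the two differ, the file contains a different certificate (for example a CA chain listed first) and the phone will refuse the connection.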