VPN Connection
The 8800, 8900 and 9900 series phones can set up a VPN using the AnyConnect protocol, which connects via HTTPS and optionally DTLS. To enable the VPN connection, set <url1> and <certHash1> in SEPMAC.cnf.xml and then enter your username and password via the settings or applications menu on the phone.
Steps for compiling and installing OpenConnect VPN Server are below. You should be familiar with building from source before attempting this.
1. Download a version of OpenConnect VPN Server (ocserv) that is 1.2.0 or newer from the OpenConnect VPN Server Downloads page.
2. Extract the archive.
~$ tar --extract --xz --file ocserv-X.X.X.tar.xz
~$ cd ocserv-X.X.X
3. Configure and build OpenConnect.
~/ocserv-X.X.X$ ./configure --prefix=/usr --sysconfdir=/etc/ocserv
~/ocserv-X.X.X$ make
4. Install OpenConnect.
~/ocserv-X.X.X$ sudo make install
5. Install the sample configuration file.
~/ocserv-X.X.X$ sudo cp doc/sample.config /etc/ocserv/ocserv.conf
ocserv.conf
The VPN server requires an RSA key and X.509 certificate. If you already have a certificate, it can be used instead; otherwise a new certificate can be generated using mkcert. See Device Security for more information.
~/certutils-X.X$ sudo ./mkcert --common "OpenConnect" --organization "OpenConnect" --unit "OpenConnect" \
/etc/ocserv/ocserv.pem
...
# Username and password authentication, the ocpasswd(1) tool can be used to
# manage the password file.
auth = "plain[passwd=/etc/ocserv/passwd]"
# Alternatively use either the MIC or LSC for authentication
#auth = certificate
# User is commonName (CN)
#cert-user-oid = 2.5.4.3
# Group is organizationName (O)
#cert-group-oid = 2.5.4.10
# Authenticate MIC using Cisco Root CA 2048 + Cisco Manufacturing CA 2
#ca-cert = "/etc/ocserv/ciscoca.pem"
# Authenticate LSC using a local CA, see Certificate Enrollment
#ca-cert = "/etc/ocserv/capf.pem"
# The key and the certificates of the server. The certificate must match the
# hash set in one of <certHash1> ... <certHash10>.
server-cert = "/etc/ocserv/ocserv.pem"
server-key = "/etc/ocserv/ocserv.pem"
# Enable cisco phone VPN client checks
cisco-svc-client-compat = true
# If you are using older model phones such as 894x or 99xx series
# then you may need to force the allowed ciphers. Note that this enables
# plain RSA key exchange (no forward secrecy) and SHA1 for every client
# of this server, not just the phones.
#tls-priorities = "NONE:%SERVER_PRECEDENCE:%COMPAT:+VERS-TLS-ALL:+SIGN-ALL:+COMP-ALL:+RSA:+SHA1:+AES-256-CBC"
...
certhash
certhash is used to generate a base64 encoded version of the SHA1 hash of the VPN server certificate. The hash is then set in one of <certHash1> ... <certHash10> in SEPMAC.cnf.xml.
~/certutils-X.X$ ./certhash --digest sha1 /etc/ocserv/ocserv.pem
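The following is an added example, not code from this page or from the certutils or ocserv projects. It computes the same kind of certHash value from the first CERTIFICATE block in ocserv.pem using only the Python standard library, then checks whether that value appears among the <certHash1> ... <certHash10> elements of a phone configuration, which is the check the phone performs against the server certificate. It assumes the hash is taken over the DER bytes of the certificate (compare its output against certhash on your own ocserv.pem to confirm). The PEM file and the SEPMAC.cnf.xml fragment are constructed stand-ins: the certificate body decodes to the bytes "abc" rather than a real X.509 certificate, and the <device>/<vpnGroup> wrapper around the elements is an assumption.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for /etc/ocserv/ocserv.pem. The certificate body decodes to
# the bytes b"abc", not to a real X.509 certificate (assumption for the example:
# certHash is taken over the raw DER bytes, so any body exercises the same path).
# A real ocserv.pem also carries the private key; only the first CERTIFICATE
# block is hashed.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

# Constructed SEPMAC.cnf.xml fragment. Only <url1> and <certHashN> are taken from
# the page; the <device>/<vpnGroup> wrapper is an assumption.
SAMPLE_CNF = """<device>
  <vpnGroup>
    <url1>https://vpn.example.com/</url1>
    <certHash1>qZk+NkcGgWq6PiVxeFDCbJzQ2J0=</certHash1>
    <certHash2>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</certHash2>
    <certHash3></certHash3>
  </vpnGroup>
</device>
"""

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def cert_hash(der: bytes) -> str:
    """certHash value for a DER certificate: base64(SHA1(der)), always 28 chars."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def configured_hashes(cnf_xml: str) -> list[str]:
    """Non-empty <certHash1>..<certHash10> values, ordered by element number."""
    root = ET.fromstring(cnf_xml)
    found = []
    for el in root.iter():
        m = re.fullmatch(r"certHash(\d+)", el.tag)
        if m and el.text and el.text.strip():
            found.append((int(m.group(1)), el.text.strip()))
    return [h for _, h in sorted(found)]


def phone_trusts_server(cnf_xml: str, server_pem: str) -> bool:
    """True if the server certificate's hash is one the phone is configured to accept."""
    return cert_hash(pem_to_der(server_pem)) in configured_hashes(cnf_xml)


if __name__ == "__main__":
    h = cert_hash(pem_to_der(SAMPLE_PEM))
    print("server certHash:", h)
    print("configured:", configured_hashes(SAMPLE_CNF))
    print("phone will trust server:", phone_trusts_server(SAMPLE_CNF, SAMPLE_PEM))
```

The same value can be produced from the shell with openssl, which is a convenient cross-check against certhash: `openssl x509 -in /etc/ocserv/ocserv.pem -outform DER | openssl dgst -sha1 -binary | base64`. Whenever the server certificate is renewed or replaced, recompute the hash and update the <certHashN> entries, otherwise the phones will refuse the connection.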