
Running Cisco AnyConnect on CentOS 8

Posted at 2020-07-05

Prerequisites

  • The ASA-side configuration is already complete
  • The CentOS 8 setup (everything other than the VPN connection) is already complete

Equipment used

  • ASA5512
  • CentOS Linux release 8.2.2004 (Core) (Sakura VPS)

ASA5512 details

asa5512# show ver

Cisco Adaptive Security Appliance Software Version 9.12(3)2
SSP Operating System Version 2.6(1.156)
Device Manager Version 7.12(2)

Compiled on Fri 06-Dec-19 10:31 PST by builders
System image file is "disk0:/asa9-12-3-2-smp-k8.bin"
Config file at boot was "startup-config"

asa5512 up 3 hours 23 mins

Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2800 MHz, 1 CPU (2 cores)
            ASA: 1667 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is c067.af70.bd59, irq 11
 1: Ext: GigabitEthernet0/0  : address is c067.af70.bd5d, irq 10
 2: Ext: GigabitEthernet0/1  : address is c067.af70.bd5a, irq 10
 3: Ext: GigabitEthernet0/2  : address is c067.af70.bd5e, irq 5
 4: Ext: GigabitEthernet0/3  : address is c067.af70.bd5b, irq 5
 5: Ext: GigabitEthernet0/4  : address is c067.af70.bd5f, irq 10
 6: Ext: GigabitEthernet0/5  : address is c067.af70.bd5c, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is c067.af70.bd59, irq 0
11: Int: Internal-Data0/3    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 5              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : 250            perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Enabled        perpetual
Total TLS Proxy Sessions          : 100            perpetual
Botnet Traffic Filter             : Enabled        perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 4              perpetual

This platform has an ASA 5512 Security Plus license.

Serial Number: FCHXXXXXXXX
Running Permanent Activation Key: 0x9a37fe68 0x9458ea1c 0x4143dc94 0xe6dcdcd4 0x812bf481
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.
asa5512#

IP address overview

  • 192.168.0.0/24: the home LAN
  • 153.126.XX.XX: the global IP address of the Sakura VPS
  • 192.168.0.120: the home-LAN address assigned over the VPN

Preparation

  • Download the installer tar.gz from the ASA and transfer it to the server it will be installed on.
  • anyconnect-linux64-4.8.01090-predeploy-k9.tar.gz

Installing the AnyConnect client (Linux)

[root@sakura]# cd /tmp
[root@sakura]# ls
anyconnect-linux64-4.8.01090-predeploy-k9.tar.gz
[root@sakura]#
[root@sakura]# tar xzf anyconnect-linux64-4.8.01090-predeploy-k9.tar.gz
[root@sakura]# ls
anyconnect-linux64-4.8.01090
anyconnect-linux64-4.8.01090-predeploy-k9.tar.gz
[root@sakura]# cd anyconnect-linux64-4.8.01090
[root@sakura]# ls
dart  nvm  posture  vpn
[root@sakura]#
[root@sakura]# cd vpn
[root@sakura]# ls
acinstallhelper             libacwebhelper.so        manifesttool_vpn
ACManifestVPN.xml           libboost_chrono.so       OpenSource.html
acwebhelper                 libboost_date_time.so    resources
AnyConnectLocalPolicy.xsd   libboost_filesystem.so   update.txt
AnyConnectProfile.xsd       libboost_signals.so      VeriSignClass3PublicPrimaryCertificationAuthority-G5.pem
anyconnect_uninstall.sh     libboost_system.so       vpn
cisco-anyconnect.desktop    libboost_thread.so       vpnagentd
cisco-anyconnect.directory  libvpnagentutilities.so  vpnagentd_init
cisco-anyconnect.menu       libvpnapi.so             vpnagentd.service
libacciscocrypto.so         libvpncommoncrypt.so     vpndownloader
libacciscossl.so            libvpncommon.so          vpndownloader-cli
libaccurl.so.4.5.0          libvpnipsec.so           vpn_install.sh
libacfeedback.so            license.txt              vpnui
libacruntime.so             load_tun.sh              vpn_uninstall.sh
[root@sakura]#
[root@sakura]# ./vpn_install.sh
Installing Cisco AnyConnect Secure Mobility Client...
Supplemental End User License Agreement for AnyConnect(R) Secure Mobility Client v4.x and other VPN-related Software

IMPORTANT: READ CAREFULLY

This Supplemental End User License Agreement ("SEULA") contains additional terms and conditions for the Software Product licensed under the End User License Agreement ("EULA") between You ("You" as used herein means You and the business entity you represent) and Cisco (collectively, the "Agreement"). Capitalized terms used in this SEULA but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this SEULA, the terms and conditions of this SEULA will take precedence.
In addition to the limitations set forth in the EULA on your access and use of the Software, You agree to comply at all times with the terms and conditions provided in this SEULA. DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

For purposes of this SEULA, the product You have ordered or enabled is any of the following software products and/or the referenced functionality (the "Software"):
Cisco AnyConnect:
- Cisco AnyConnect Secure Mobility Client v4.0 or above, all modules, all operating systems, with
    - Cisco AnyConnect Apex License, and/or
    - Cisco AnyConnect Plus License
- Cisco AnyConnect Profile Editor
- Cisco AnyConnect Enterprise Application Selector

Cisco ASA:
- Cisco Adaptive Security Appliance IPsec IKEv2 Remote Access VPN functions
- Cisco Adaptive Security Appliance Clientless SSL VPN functions, including
    - Browser-based SSL VPN
    - Smart Tunnels
    - Port Forwarding
    - Additional SSL VPN delivered applets


Definitions

For purposes of this SEULA, the following definitions apply:

"Administrator Guide" means the Cisco AnyConnect Secure Mobility Client Administrator Guide or the Administrator Guide for the applicable Cisco product or service.

"Authorized User" means an End User that has been authorized by You to use the Software.  An Authorized User may use the Software on one or more Endpoints provided that such Authorized End User is the dedicated user of each such Endpoint.

"Cisco Network Device" means a Cisco Adaptive Security Appliance (ASA), Cisco head-end termination device or other Cisco product used in conjunction with the Software that is not associated with a specific End User.

"Customer Experience Feedback Module" means a capability in certain Software to provide Non-personal Information from Endpoints to Cisco for the purpose of improving product quality, reliability, performance, and user experience.

"Device" means an Endpoint or Cisco Network Device.

"Endpoint" means a computer, smartphone or other mobile device used by an End User in conjunction with any of the Software.

"End User" means your employee or a third party authorized by You to use the Software licensed under this Agreement.

"Network Access Manager Module" means a separate module in the Software with IEEE 802.1X authentication functionality to manage wired and wireless network connections.

"Non-personal Information" means technical and related information that is not Personal Information, including, but not limited to the operating system type and version; file metadata and identifiers such as SHA-256 values; network host data; origin and nature of malware; Endpoint GUIDs (globally unique identifiers); Internet Protocol ("IP") addresses; MAC addresses; logfiles; the types of software or applications installed on a network or an Endpoint; and any aggregate or demographic data such as cookies, web logs, web beacons, and other similar applications.

"Ordering Document" means the purchase order or similar agreement between You and Cisco or You and an Approved Source, or the valid terms of any purchase order accepted by Cisco, containing the purchase terms for the Software license granted by this Agreement.

"Ordering Guide" means the Cisco AnyConnect Secure Mobility Client Ordering Guide.

"Personal Information" means any information that can be used to identify an individual and may include an individual's name, address, email address, phone number, payment card number, and user name.

"Web Security Module" means a separate module in certain Software with functionality that redirects web traffic to the Cisco Cloud Web Security hosted infrastructure for customers that have separately subscribed to Cisco Cloud Web Security and used in conjunction with Cisco Cloud Web Security Filtering and/or Cisco Cloud Web Security services.

"Unattended Endpoint" means an Endpoint used in conjunction with any of the Software for which there is no dedicated End User.


License Terms and Conditions

1. License.  Conditioned upon compliance with the terms and conditions of the Agreement, Cisco grants to You a nonexclusive, nontransferable and non-sublicenseable license to allow Devices to use the Software for your internal business purposes.  Your right to use the Software is limited to that number of Authorized End Users for which You have paid the applicable fee, plus that number of Unattended Endpoints for which You have paid the applicable fee. In order to use the Software You may be required to input a registration number or product authorization key and register your copy of the Software online at Cisco's website to obtain the necessary license key or license file.  You should refer to the Ordering Guide and/or Administrator Guide for the applicable features for the Software You have licensed.  This SEULA will apply to Cisco AnyConnect Secure Mobility Client v4.0 and any subsequent versions thereto unless a different SEULA is adopted for such subsequent versions.

2. Permitted Third Party Use.  You may copy and distribute the Software to your third party business partners and customers from a password protected software download site, solely and exclusively for the purposes of accessing your Devices, provided that You shall remain solely responsible for compliance with the Agreement by each such third party, and each such distribution of the Software to a third party is accompanied by a copy of the Agreement.  In the event of termination of the Agreement, You must use commercially reasonable efforts to notify all third parties to whom You have distributed the Software that their rights of access and use of the Software has also terminated.

3. License Term.  Unless You purchase a perpetual license which will only be permitted in limited instances for certain Software, your license is a term-based subscription to use the Software for a defined period of time as indicated in a SKU or as otherwise shown in the Ordering Document.  The subscription term is subject to the termination provisions under the EULA.  You must renew each subscription license and pay the applicable fee before the subscription expiration date for continued authorized use of the Software. If a subscription term expires without renewal, then your right and license to use the Software automatically terminates.  Additionally, certain Software features and services may cease operation if You do not renew your subscription.

4. Required Devices.  Each Endpoint must use the Software to connect to a Cisco Network Device.  Your use of Cisco Network Devices is subject to separate license entitlements and restrictions that are not covered by this Agreement. Each Cisco Network Device may need to be registered for use with your license.  Notwithstanding the foregoing, a Network Access Manager Module, as described in the Administrator Guide, may be used by You in conjunction with non-Cisco wired and wireless equipment for the purpose of connecting to non-Cisco network equipment.

5. Rules. If Cisco provides You with application IDs, signatures or rules for use with any Software (collectively, the "Rules"), then such Rules, and all modifications and updates thereto, are provided on an "AS IS" basis without warranty of any kind, either expressed or implied, including, without limitation, warranties that the Rules are free of defects, merchantable, fit for a particular purpose, error-free or non-infringing.

6. Permitted Legacy Use.  If You previously purchased a license to use a prior version of AnyConnect that included a license to use such prior version on mobile platforms, then your End Users covered by such license are hereby granted a license to use AnyConnect v4.0 on their Endpoints at no additional charge until April 30, 2016.  Any such use shall be governed by this Agreement and shall not include a license for You to use Cisco AnyConnect Enterprise Application Selector, which license must be separately purchased.


Technical Support

For Software licensed on a subscription basis, You will also receive Cisco Software Application Support plus Upgrades (SASU) as part of the subscription fee.  For Software licensed on a perpetual basis, You must separately purchase a support contract to receive maintenance and technical support. A separate support contract is also required for You to receive maintenance and technical support for (a) Cisco Network Devices, (b) Cisco products used in conjunction with the Network Access Manager Module, and (c) other Cisco services. Cisco will not provide technical support services directly to your End Users or to any third party business partner or customer that is authorized to use the Software.
Consent to Data Collection and Privacy

1. Data Collection and Processing.  Cisco may, as part of your use of the Software and/or the provision of services by Cisco, collect, retain, and use Non-Personal Information and specific identifiable data about You, your network and your Endpoints (e.g., Endpoint IDs, IP addresses, location, content, etc.).  Some of this specific identifiable data may contain Personal Information. Cisco also may transfer data so collected to Cisco's offices and subsidiaries in the United States and other countries where Cisco or its service providers have facilities.

2. Purpose of Data Collection and Processing. The data Cisco collects from the Software is necessary for the essential use and functionality of the Software (e.g. device tracking, access control, data and traffic analysis, threat detection, malware and conduct-related analysis, etc.), and is also used by Cisco to provide associated services and to improve the operation and functionality of the Software. For these reasons You may not be able to opt out from some of this data collection other than by uninstalling or disabling the Software.  You may have the ability, however, to configure the Software to limit some of the data that can be collected, as described in the applicable Documentation and Administrator Guide.  For example, You may: (a) withdraw your consent to collection, use, processing and storage of Non-personal Information collected by the Customer Experience Feedback Module at any time by turning the module off; and (b) withdraw your consent to collection, use, processing and storage of Personal Information collected by the Web Security Module at any time by configuring the Cisco Cloud Web Security Filtering Service to anonymize your end user data.

3. Consent to Data Collection and Use. By using the Software and/or subscribing to related Cisco-provided services and accepting these terms, You agree to the collection, use, transfer, backup, and storage of your Personal Information and other data by Cisco and its service providers. Cisco will not process this information other than in accordance with Cisco's Privacy Statement (identified in section 4 below).  You also agree that Cisco and its service providers may, as part of your use of the Software and the provision of related services by Cisco, transfer, copy, backup and store your Personal Information and other data in the United States, Europe, or other countries or jurisdictions outside your own where data protection standards may be different.

4. Privacy Statement. By entering into this Agreement, You agree that Cisco's Privacy Statement, as it exists at any relevant time, applies to you. The most current Privacy Statement can be found at: http://www.cisco.com/web/siteassets/legal/privacy_full.html.


Description of Other Rights and Obligations

Please refer to the Cisco Systems, Inc. End User License Agreement.
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Do you accept the terms in the license agreement? [y/n] y
You have accepted the license agreement.
Please wait while Cisco AnyConnect Secure Mobility Client is being installed...
Starting Cisco AnyConnect Secure Mobility Client Agent...
Done!
[root@sakura]#
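Because vpn_install.sh is executed as root, the tarball is worth checking against a known-good SHA-256 before it is unpacked. The following POSIX shell wrapper is an added example, not part of the article: it verifies the checksum, confirms the archive has the expected anyconnect-linux64-<version>/vpn/vpn_install.sh layout, and only then extracts. The expected hash is a placeholder to be replaced with the value published on the Cisco download page; the tarball path assumes the /tmp location used above.

```shell
#!/bin/sh
# Added example (not part of the article): verify the AnyConnect tarball
# against a known-good SHA-256 before unpacking it and running
# vpn_install.sh as root. The expected hash is a placeholder; take the real
# value from the Cisco download page, not from the ASA the file was
# fetched from.
EXPECTED_SHA256="${EXPECTED_SHA256:-<sha256-from-cisco-download-page>}"
TARBALL="${TARBALL:-/tmp/anyconnect-linux64-4.8.01090-predeploy-k9.tar.gz}"

# verify_tarball FILE EXPECTED_HEX -> 0 when FILE's SHA-256 equals EXPECTED_HEX
# (hex case does not matter), 1 otherwise.
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# archive_has_installer FILE -> 0 if the archive contains vpn/vpn_install.sh
# in the expected layout (anyconnect-linux64-<ver>/vpn/vpn_install.sh)
archive_has_installer() {
    tar -tzf "$1" | grep -q '^anyconnect-linux64-[^/]*/vpn/vpn_install\.sh$'
}

# extract_verified FILE EXPECTED_HEX DESTDIR -> extracts only after both checks
# pass and prints the top-level directory name(s) found in the archive.
extract_verified() {
    file=$1; expected=$2; dest=$3
    verify_tarball "$file" "$expected" || return 1
    archive_has_installer "$file" || { echo "unexpected archive layout: $file" >&2; return 1; }
    mkdir -p "$dest"
    # --no-same-owner: do not let the archive dictate file ownership when run as root
    tar --no-same-owner -xzf "$file" -C "$dest" || return 1
    tar -tzf "$file" | cut -d/ -f1 | sort -u
}

# Usage (as root, after setting EXPECTED_SHA256 to the published value):
#   extract_verified "$TARBALL" "$EXPECTED_SHA256" /tmp && cd /tmp/anyconnect-linux64-4.8.01090/vpn
```

On a mismatch the function prints both digests and returns 1, so a `&&` chain stops before the installer is ever run.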

VPN connection

The first connection attempt threw an error and failed to connect ("Connection attempt has failed.").
Running the same connect command again immediately afterwards succeeded. It seems to be a certificate-related problem.

[arkey22@sakura]$ /opt/cisco/anyconnect/bin/vpn -s connect 210.169.XX.XX
Cisco AnyConnect Secure Mobility Client (version 4.8.01090) .

Copyright (c) 2004 - 2019 Cisco Systems, Inc.  All Rights Reserved.


  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
  >> contacting host (210.169.XX.XX) for login information...
  >> notice: Contacting 210.169.XX.XX.
AnyConnect cannot verify server: 210.169.XX.XX
Connecting to this server may result in a severe security compromise!
AnyConnect is configured to block untrusted servers by default.  Most users choose to keep this setting.
If this setting is changed, AnyConnect will no longer automatically block connections to potentially malicious network devices.

Change the setting that blocks untrusted connections? [y/n]: y

Changing this Preference may result in a severe security compromise!

Change the setting that blocks untrusted connections? [y/n]: y
  >> warning: Connection attempt has failed.
  >> state: Disconnected


[arkey22@sakura]$
[arkey22@sakura]$ /opt/cisco/anyconnect/bin/vpn -s connect 210.169.XX.XX
Cisco AnyConnect Secure Mobility Client (version 4.8.01090) .

Copyright (c) 2004 - 2019 Cisco Systems, Inc.  All Rights Reserved.


  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
  >> contacting host (210.169.XX.XX) for login information...
  >> notice: Contacting 210.169.XX.XX.
AnyConnect cannot verify server: 210.169.XX.XX
    - Certificate does not match the server name.
    - Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

  >> Please enter your username and password.
Group: TUNNEL_ANYCONNECT

Username: arkey22
arkey22
Password:
  >> state: Connecting
  >> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
Initializing the AnyConnect Downloader...
The AnyConnect Downloader is performing update checks...
  >> notice: The AnyConnect Downloader is performing update checks...
  >> notice: Checking for profile updates...
The AnyConnect Downloader updates have been completed.
Please wait while the VPN connection is established...
  >> state: Connecting
  >> notice: Checking for product updates...
  >> notice: Checking for customization updates...
  >> notice: Performing any required updates...
  >> notice: The AnyConnect Downloader updates have been completed.
  >> notice: Establishing VPN session...
  >> notice: Establishing VPN - Initiating connection...
  >> notice: Establishing VPN - Examining system...
  >> notice: Establishing VPN - Activating VPN adapter...
  >> notice: Establishing VPN - Configuring system...
  >> state: Connected
  >> notice: Establishing VPN...
  >> notice: Connected to 210.169.XX.XX.
VPN>

[arkey22@sakura]$
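The two warnings in the transcript above ("Certificate does not match the server name." and "Certificate is from an untrusted source.") mean the client could not validate the ASA's certificate: it is not issued by a CA the client trusts, and its subject does not cover 210.169.XX.XX. Answering "y" to "Connect Anyway?" switches off the only check that distinguishes the real gateway from an impersonating one, and the second prompt in the first attempt ("Change the setting that blocks untrusted connections?") makes that permanent. The durable fix is a certificate on the ASA that the client can verify; until then, the certificate's fingerprint can be pinned once, out of band, and compared on every connect. The script below is an added example, not the article's code or Cisco's: ASA_HOST and PINNED_SHA256 are placeholders, the ASA is assumed to serve AnyConnect on TCP 443, openssl is needed only for the online fetch, and the fingerprint itself (SHA-256 over the DER certificate, the same value `openssl x509 -noout -fingerprint -sha256` prints) is computed with base64 and sha256sum from coreutils.

```shell
#!/bin/sh
# Added example (not from the article): refuse to start the AnyConnect CLI
# unless the certificate the ASA presents right now matches a fingerprint
# pinned earlier out of band. Placeholders: ASA_HOST, PINNED_SHA256.
ASA_HOST="${ASA_HOST:-vpn.example.invalid}"
PINNED_SHA256="${PINNED_SHA256:-<sha256-fingerprint-recorded-out-of-band>}"

# pem_fingerprint FILE -> lowercase hex SHA-256 of the DER encoding of the
# first certificate in FILE (what "openssl x509 -fingerprint -sha256" shows,
# minus the colons). Returns 1 when no certificate block is present.
pem_fingerprint() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/{f=1;next} /-----END CERTIFICATE-----/{exit} f' "$1" 2>/dev/null | tr -d '\n\r ')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# normalize_fp STRING -> lowercase hex with colons removed, so the value can
# be pasted straight from openssl's AA:BB:CC form
normalize_fp() { printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'; }

# fingerprint_matches FILE EXPECTED -> 0 when the certificate in FILE has the
# pinned fingerprint, 1 otherwise (both values are printed on mismatch)
fingerprint_matches() {
    actual=$(pem_fingerprint "$1") || { echo "no certificate found in $1" >&2; return 1; }
    expected=$(normalize_fp "$2")
    [ "$actual" = "$expected" ] && return 0
    echo "fingerprint mismatch: presented $actual, pinned $expected" >&2
    return 1
}

# fetch_server_cert HOST PORT OUTFILE -> saves the leaf certificate the
# server presents (online; requires openssl). Assumes the ASA listens on PORT.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/{f=1} f{print} /-----END CERTIFICATE-----/{exit}' > "$3"
    [ -s "$3" ]
}

# connect_if_pinned HOST -> run the AnyConnect CLI only when the pin matches
connect_if_pinned() {
    tmp=$(mktemp) || return 1
    if ! fetch_server_cert "$1" 443 "$tmp"; then
        rm -f "$tmp"; echo "could not fetch certificate from $1" >&2; return 1
    fi
    if fingerprint_matches "$tmp" "$PINNED_SHA256"; then
        rm -f "$tmp"
        /opt/cisco/anyconnect/bin/vpn -s connect "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: record the pin once from a trusted vantage point, then connect:
#   fetch_server_cert "$ASA_HOST" 443 asa.pem && pem_fingerprint asa.pem   # store this value
#   PINNED_SHA256=<stored value> connect_if_pinned "$ASA_HOST"
```

A pin mismatch after the ASA's certificate has legitimately been renewed is expected and is the moment to re-record the value; a mismatch at any other time is the situation the two warnings were trying to flag.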

Connection check

Confirm that an address from the home LAN (192.168.0.0/24) has been assigned, then ping the Zabbix server at home.

[root@sakura]# ip a | grep inet
    inet 127.0.0.1/8 scope host lo
    inet 153.126.XX.XX/23 brd 153.126.XXX.XXX scope global noprefixroute ens3
    inet 192.168.0.120/24 brd 192.168.0.255 scope global cscotun0
[root@sakura]#
[root@sakura]# ping 192.168.0.208
PING 192.168.0.208 (192.168.0.208) 56(84) bytes of data.
64 bytes from 192.168.0.208: icmp_seq=1 ttl=64 time=30.7 ms
64 bytes from 192.168.0.208: icmp_seq=2 ttl=64 time=28.4 ms
64 bytes from 192.168.0.208: icmp_seq=3 ttl=64 time=28.9 ms
^C
--- 192.168.0.208 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 28.369/29.335/30.716/1.002 ms
[root@sakura]#

Throughput measurement

Since the goal is to measure throughput over the VPN, the source address is pinned to the tunnel address with iperf3's -B option.
In both directions between home and the Sakura VPS, roughly 10 Mbps comes through.

[Sakura VPS] -> [home server (CentOS 8)]

[root@sakura]# iperf3 -B 192.168.0.120 -c 192.168.0.202
Connecting to host 192.168.0.202, port 5201
[  5] local 192.168.0.120 port 33741 connected to 192.168.0.202 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.61 MBytes  13.5 Mbits/sec    0    257 KBytes
[  5]   1.00-2.00   sec  1.04 MBytes  8.76 Mbits/sec    0    308 KBytes
[  5]   2.00-3.00   sec  1.23 MBytes  10.3 Mbits/sec    0    360 KBytes
[  5]   3.00-4.00   sec   944 KBytes  7.73 Mbits/sec    0    412 KBytes
[  5]   4.00-5.00   sec  1.54 MBytes  12.9 Mbits/sec    0    465 KBytes
[  5]   5.00-6.00   sec  1.17 MBytes  9.79 Mbits/sec    0    518 KBytes
[  5]   6.00-7.00   sec   629 KBytes  5.15 Mbits/sec    0    569 KBytes
[  5]   7.00-8.00   sec  1.35 MBytes  11.3 Mbits/sec    0    620 KBytes
[  5]   8.00-9.00   sec  1.54 MBytes  12.9 Mbits/sec    0    673 KBytes
[  5]   9.00-10.00  sec   818 KBytes  6.70 Mbits/sec    0    726 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  11.8 MBytes  9.91 Mbits/sec    0             sender
[  5]   0.00-10.70  sec  10.9 MBytes  8.51 Mbits/sec                  receiver

iperf Done.
[root@sakura]#

[home server (CentOS 8)] -> [Sakura VPS]

[root@hinata]# iperf3 -B 192.168.0.202 -c 192.168.0.120
Connecting to host 192.168.0.120, port 5201
[  5] local 192.168.0.202 port 43489 connected to 192.168.0.120 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.39 MBytes  11.6 Mbits/sec   75   47.5 KBytes
[  5]   1.00-2.00   sec  1007 KBytes  8.25 Mbits/sec    1   46.2 KBytes
[  5]   2.00-3.00   sec  1.17 MBytes  9.79 Mbits/sec    1   44.9 KBytes
[  5]   3.00-4.00   sec   944 KBytes  7.73 Mbits/sec    1   42.4 KBytes
[  5]   4.00-5.00   sec  1.17 MBytes  9.80 Mbits/sec    2   41.1 KBytes
[  5]   5.00-6.00   sec  1007 KBytes  8.25 Mbits/sec    2   39.8 KBytes
[  5]   6.00-7.00   sec  1.11 MBytes  9.28 Mbits/sec    1   37.2 KBytes
[  5]   7.00-8.00   sec  1.17 MBytes  9.79 Mbits/sec    1   36.0 KBytes
[  5]   8.00-9.00   sec  1007 KBytes  8.25 Mbits/sec    0   52.7 KBytes
[  5]   9.00-10.00  sec  1.17 MBytes  9.79 Mbits/sec    1   51.4 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  11.0 MBytes  9.26 Mbits/sec   85             sender
[  5]   0.00-10.28  sec  10.9 MBytes  8.91 Mbits/sec                  receiver

iperf Done.
[root@hinata]#

Aliasing the connect command

As it stands, the long command has to be typed every time you connect, so set up aliases to make it easier.

[root@sakura]# vim /etc/bashrc
alias vpn_connect='/opt/cisco/anyconnect/bin/vpn -s connect 210.169.57.43'
alias vpn_disconnect='/opt/cisco/anyconnect/bin/vpn -s disconnect 210.169.57.43'
[root@sakura]#
[root@sakura]# source /etc/bashrc

Checking the aliases

[root@sakura]# vpn_connect
Cisco AnyConnect Secure Mobility Client (version 4.8.01090) .

Copyright (c) 2004 - 2019 Cisco Systems, Inc.  All Rights Reserved.


  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
  >> contacting host (210.169.XX.XX) for login information...
  >> notice: Contacting 210.169.XX.XX.
AnyConnect cannot verify server: 210.169.XX.XX
    - Certificate does not match the server name.
    - Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

  >> Please enter your username and password.
Group: TUNNEL_ANYCONNECT

Username: [arkey22]
Password:
  >> state: Connecting
  >> notice: Establishing VPN session...
The AnyConnect Downloader is analyzing this computer. Please wait...
Initializing the AnyConnect Downloader...
The AnyConnect Downloader is performing update checks...
  >> notice: The AnyConnect Downloader is performing update checks...
The AnyConnect Downloader updates have been completed.
Please wait while the VPN connection is established...
  >> notice: Checking for profile updates...
  >> notice: Checking for product updates...
  >> notice: Checking for customization updates...
  >> notice: Performing any required updates...
  >> notice: The AnyConnect Downloader updates have been completed.
  >> state: Connecting
  >> notice: Establishing VPN session...
  >> notice: Establishing VPN - Initiating connection...
  >> notice: Establishing VPN - Examining system...
  >> notice: Establishing VPN - Activating VPN adapter...
  >> notice: Establishing VPN - Configuring system...
  >> notice: Establishing VPN...
  >> state: Connected
  >> notice: Connected to 210.169.XX.XX.
VPN>

[root@sakura]#
[root@sakura]#
[root@sakura]# vpn_disconnect
Cisco AnyConnect Secure Mobility Client (version 4.8.01090) .

Copyright (c) 2004 - 2019 Cisco Systems, Inc.  All Rights Reserved.


  >> state: Connected
  >> state: Connected
  >> registered with local VPN subsystem.
  >> state: Disconnecting
  >> notice: Disconnect in progress, please wait...
  >> state: Connected
  >> notice: Connected to 210.169.XX.XX.
  >> state: Disconnecting
  >> notice: Disconnect in progress, please wait...
  >> state: Disconnecting
  >> state: Disconnected


[root@sakura]#

Follow-up 1

For some reason it stopped connecting.

VPN establishment capability from a remote desktop is disabled

On investigation, it turned out that a profile needs to be created.
https://www.petenetlive.com/KB/Article/0000546

Following the procedure, I created AnyConnect-Profile.xml on the ASA using ASDM.
After placing it under /opt/cisco/anyconnect/profile on the VPS, the VPN connection succeeded.
It's a real shame I didn't keep the logs from the failure.
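The message "VPN establishment capability from a remote desktop is disabled" is the client refusing to build a tunnel for a user who is logged in remotely, which is exactly the situation of an SSH session into the VPS. The profile setting that controls this on Linux is <LinuxVPNEstablishment> (LocalUsersOnly by default, AllowRemoteUsers to permit it), as described in the Cisco AnyConnect administrator guide; the article does not say which element was set, so that attribution is mine. The helper below is an added example, not the article's or Cisco's code: it reads the value from a profile, optionally validates the file against the AnyConnectProfile.xsd that ships in the vpn/ directory of the tarball (path assumed, xmllint assumed available), and installs it root-owned into /opt/cisco/anyconnect/profile, since the profile is effectively a security policy file and should not be writable by the user it constrains. The sample profile in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the article): inspect, validate and install an
# AnyConnect VPN profile. Assumptions: the XSD path below (from the
# extracted tarball), xmllint for schema validation, and the element name
# LinuxVPNEstablishment as documented in the AnyConnect administrator guide.
PROFILE_DIR="${PROFILE_DIR:-/opt/cisco/anyconnect/profile}"
XSD="${XSD:-/tmp/anyconnect-linux64-4.8.01090/vpn/AnyConnectProfile.xsd}"

# profile_setting FILE ELEMENT -> prints the text content of the first
# <ELEMENT>...</ELEMENT> in FILE (empty when absent)
profile_setting() {
    sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# check_remote_establishment FILE -> 0 when users logged in remotely (SSH)
# may establish the VPN on Linux, 1 otherwise. Prints the effective value;
# an absent element means the default, LocalUsersOnly.
check_remote_establishment() {
    v=$(profile_setting "$1" LinuxVPNEstablishment)
    [ -n "$v" ] || v="LocalUsersOnly (element absent, default applies)"
    echo "LinuxVPNEstablishment: $v"
    [ "$v" = "AllowRemoteUsers" ]
}

# profile_is_valid FILE -> schema validation when xmllint and the XSD are
# present, otherwise a minimal check that the document is an AnyConnectProfile
profile_is_valid() {
    if command -v xmllint >/dev/null 2>&1 && [ -r "$XSD" ]; then
        xmllint --noout --schema "$XSD" "$1"
    else
        grep -q '<AnyConnectProfile' "$1" && grep -q '</AnyConnectProfile>' "$1"
    fi
}

# install_profile FILE -> copy into PROFILE_DIR as root:root 0644 (readable by
# the client, writable only by root) after validation; refuses otherwise
install_profile() {
    profile_is_valid "$1" || { echo "refusing to install: $1 failed validation" >&2; return 1; }
    install -o root -g root -m 0644 "$1" "$PROFILE_DIR/$(basename "$1")"
}

# Usage (as root):
#   check_remote_establishment AnyConnect-Profile.xml && install_profile AnyConnect-Profile.xml
```

Run check_remote_establishment against the profile exported from ASDM before copying it over: if it prints LocalUsersOnly, the error above will come back on the next SSH-driven connect regardless of where the file is placed.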

Follow-up 2

The VPN connected, but it kept dropping intermittently. Checking the logs, the VPN seems to drop at the moment NetworkManager-dispatcher.service rewrites the routing table.
I'm a little unsure whether it's a service that is safe to stop, but for now I stopped it with systemctl stop NetworkManager-dispatcher.service and systemctl disable NetworkManager-dispatcher.service.
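Before disabling a system service on the strength of a hunch, the correlation can be checked in the journal: does a dispatcher run precede each drop, and by how much? The script below is an added example, not from the article. It reads `journalctl -o short-unix` output, whose first field is an epoch timestamp, remembers the time of the last dispatcher line, and counts how many VPN drops fall within a window after it. The message patterns and the sample journal lines are constructed for the example (the real vpnagentd and NetworkManager messages on a given system may differ), so DISPATCHER_RE and DROP_RE are meant to be adjusted to what the journal actually shows.

```shell
#!/bin/sh
# Added example (not from the article): correlate NetworkManager-dispatcher
# activity with VPN drops in `journalctl -o short-unix` output.
# Assumptions: the two regexes below are placeholders matching the
# constructed sample, not verified vpnagentd/NetworkManager message texts.
DISPATCHER_RE='nm-dispatcher'
DROP_RE='state: Disconnected|cscotun0.*(down|removed|deleted)'

# correlate_drops LOGFILE WINDOW -> prints "<drops> <drops_within_window>"
# LOGFILE is short-unix journal output ("-" reads stdin); WINDOW is in seconds.
correlate_drops() {
    awk -v win="$2" -v disp="$DISPATCHER_RE" -v drop="$DROP_RE" '
        { ts = $1 + 0 }                      # first field: epoch seconds
        $0 ~ disp { last = ts; next }        # remember latest dispatcher run
        $0 ~ drop {
            drops++
            if (last > 0 && ts - last <= win) hits++
        }
        END { printf "%d %d\n", drops + 0, hits + 0 }
    ' "$1"
}

# dispatcher_is_suspect LOGFILE WINDOW -> 0 when there was at least one drop
# and every drop followed a dispatcher run within WINDOW seconds
dispatcher_is_suspect() {
    counts=$(correlate_drops "$1" "$2")
    drops=${counts%% *}
    hits=${counts##* }
    [ "$drops" -gt 0 ] && [ "$drops" -eq "$hits" ]
}

# Constructed sample in short-unix layout (not real journal output): two drops
# shortly after dispatcher runs, one unrelated drop much later.
sample_journal() {
    cat <<'EOF'
1593932400.100000 sakura nm-dispatcher[812]: req:1 'dhcp4-change' [ens3]: start running ordered scripts...
1593932402.500000 sakura vpnagentd[1201]: state: Disconnected
1593932460.000000 sakura vpnagentd[1201]: state: Connected
1593933000.300000 sakura nm-dispatcher[812]: req:2 'dhcp4-change' [ens3]: start running ordered scripts...
1593933001.900000 sakura NetworkManager[700]: device (cscotun0): interface removed
1593936000.000000 sakura vpnagentd[1201]: state: Disconnected
EOF
}

# Usage on a live system (last 24 hours, 10-second window):
#   journalctl --since -24h -o short-unix | correlate_drops - 10
# Offline demonstration with the constructed sample:
#   sample_journal | correlate_drops - 10      # prints "3 2"
```

If every drop lands inside the window the dispatcher is a plausible cause and the narrower fix is to look at which dispatcher script touches the routes (they live under /etc/NetworkManager/dispatcher.d/) rather than disabling the whole service; if the counts diverge, as in the sample, the drops have at least one other cause and disabling the service will not make them go away.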
