Sunday, May 2, 2010

Cisco AnyConnect VPN Client on 64-Bit Ubuntu 10.04

I outlined much of this in a previous blog post, but since things are slightly different (or at least were for me) on Ubuntu 10.04, I figured I'd do a follow-up while it was fresh in my mind. Note that if you're on 32-bit Ubuntu AnyConnect works out of the box so you don't need to do any of these steps. The issue is that there is no native 64-bit AnyConnect client for Linux so you have to install some 32-bit libraries and point AnyConnect to some libraries from Firefox to get things working.

The basic procedure remains the same as in my previous post, but I had to install some additional libraries and do things in a slightly different order this time around.



  1. Download the AnyConnect installer from your VPN server or get a copy from your VPN administrator. (Why these clients aren't freely available I have no idea. You can only connect to something that someone paid Cisco for, so I'm not sure why the clients can't just be out in the wild. If you Scroogle around you may find some download links here and there but of course use at your own risk if you don't get the client from an authorized source.)

  2. Do a chmod +x on the installer (which for me was called vpnsetup.sh) and then run the installer using sudo. This will throw a couple of errors but they can safely be ignored.

  3. Install ia32-libs and lib32nss-mdns

    • sudo apt-get install ia32-libs lib32nss-mdns



  4. Download a fresh copy of Firefox, expand, and move to /usr/local

    • I downloaded to my Downloads directory, expanded there, and did sudo cp -R firefox /usr/local



  5. Do a cd into /usr/local/firefox and create symlinks for the Firefox libraries in /opt/cisco/vpn/lib as follows:

    • sudo ln -s libnss3.so /opt/cisco/vpn/lib/libnss3.so

    • sudo ln -s libplc4.so /opt/cisco/vpn/lib/libplc4.so

    • sudo ln -s libnspr4.so /opt/cisco/vpn/lib/libnspr4.so

    • sudo ln -s libsmime3.so /opt/cisco/vpn/lib/libsmime3.so

    • sudo ln -s libsoftokn3.so /opt/cisco/vpn/lib/libsoftokn3.so

    • sudo ln -s libnssdbm3.so /opt/cisco/vpn/lib/libnssdbm3.so

    • sudo ln -s libfreebl3.so /opt/cisco/vpn/lib/libfreebl3.so

    • sudo ln -s libnssutil3.so /opt/cisco/vpn/lib/libnssutil3.so

    • sudo ln -s libplds4.so /opt/cisco/vpn/lib/libplds4.so

    • sudo ln -s libsqlite3.so /opt/cisco/vpn/lib/libsqlite3.so



  6. Start the VPN daemon: sudo /etc/init.d/vpnagentd_init start (If it doesn't start without errors, double-check all your symlinks.)

  7. Launch AnyConnect. You should have a launcher under Applications -> Internet, but If not you can launch it from /opt/cisco/vpn/bin/vpnui using your normal user account (i.e. not using sudo).


After AnyConnect launches you can enter your VPN server address, accept the certificate, and log in as per usual.

17 comments:

dustinmcquay said...

You are awesome for writing this. I am running Ubuntu 10.04 64 bit and these instructions worked perfectly for me.

Matthew Woodward said...

Great! Glad this helped.

Anonymous said...

Hello Matt, trying to setup VPN, when i try to install the one provided by my company it gives compilation error.. Using UBUNTU 10.04make -C /lib/modules/2.6.32-22-generic/build SUBDIRS=/home/anitha/Downloads/vpnclient modulesmake[1]: Entering directory `/usr/src/linux-headers-2.6.32-22-generic' CC [M] /home/anitha/Downloads/vpnclient/linuxcniapi.o CC [M] /home/anitha/Downloads/vpnclient/frag.o CC [M] /home/anitha/Downloads/vpnclient/IPSecDrvOS_linux.o CC [M] /home/anitha/Downloads/vpnclient/interceptor.o/home/anitha/Downloads/vpnclient/interceptor.c: In function ‘interceptor_init’:/home/anitha/Downloads/vpnclient/interceptor.c:132: error: ‘struct net_device’ has no member named ‘hard_start_xmit’/home/anitha/Downloads/vpnclient/interceptor.c:133: error: ‘struct net_device’ has no member named ‘get_stats’/home/anitha/Downloads/vpnclient/interceptor.c:134: error: ‘struct net_device’ has no member named ‘do_ioctl’/home/anitha/Downloads/vpnclient/interceptor.c: In function ‘add_netdev’:/home/anitha/Downloads/vpnclient/interceptor.c:271: error: ‘struct net_device’ has no member named ‘hard_start_xmit’/home/anitha/Downloads/vpnclient/interceptor.c:272: error: ‘struct net_device’ has no member named ‘hard_start_xmit’/home/anitha/Downloads/vpnclient/interceptor.c: In function ‘remove_netdev’:/home/anitha/Downloads/vpnclient/interceptor.c:294: error: ‘struct net_device’ has no member named ‘hard_start_xmit’make[2]: *** [/home/anitha/Downloads/vpnclient/interceptor.o] Error 1make[1]: *** [_module_/home/anitha/Downloads/vpnclient] Error 2make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-22-generic'make: *** [default] Error 2Failed to make module "cisco_ipsec.ko".Can you pls help

Matthew Woodward said...

I haven't used the regular Cisco client in quite some time--before I started using AnyConnect I used vpnc which worked much better for me than the regular Cisco client did.I'd strongly suggest using AnyConnect if you can. If you can't use AnyConnect, last time I compiled the client it worked fine but that's been ages ago, and one of the big reasons I quit using the regular client is because it tends to break every time the kernel gets any updates. Sorry I don't have anything more concrete for you to go on.

Anonymous said...

Hey Matt, can you provide step by step instruction for anyconnect installation pls also with the tar files needed... thanks in advance

Matthew Woodward said...

There aren't any tar files--you should just be able to hit your VPN server in a browser, log in, download the installer, and run it. That's really all there is to it.If your VPN server isn't set up to let you log in via a web browser and download AnyConnect, you'll want to talk to your VPN server administrators to see if they can get you the installer. Once you have the installer you can follow the instructions in this post and you'll be in good shape.

Josh Cummings said...

Worked like a charm. Thanks! By the way, the first symlink command in your list might have a typo. It says this:sudo ln -s libnss3.so /opt/cisco/vpn/lib/nss3.soBut, I think it should be this:sudo ln -s libnss3.so /opt/cisco/vpn/lib/libnss3.so

Matthew Woodward said...

Ah thanks--I'll get that fixed. Could be that later versions changed things a bit as well but if you just did this recently and that was the right thing, I'll assume you're right. ;-) Thanks for the update!

tomasfromsaris said...

You saved me man! Thanks a lot for sharingT.

douglasjboehme said...

I just installed Ubuntu 11.04 64bit and tried this with Firefox 4.0 and 4.01 both 32 bit and 64 bit, no luck. No errors occur until trying to enter the VPN server name and it's gets the certificate rejection message. Anyone else had any luck?

douglasjboehme said...

SUCCESS! Please ignore my previous comment.I took one last ditch effort by removing the links and copying the 32bit libs from /usr/local/firefox into /opt/cisco/vpn/liib and it worked. From what I could see, the permissions for the links and libraries were the same so I'm not sure what was happening.Just in case anyone is looking, the 32bit Firefox install will end in 686.tar.bz2.

Matthew Woodward said...

Excellent! Thanks for sharing.

Franco Sabadini said...

Hi there,I couldn't make it work on ubuntu 11.04, I downloaded firefox-7.0a1.en-US.linux-i686.tar.bz2 and copied the .so files needed to /opt/cisco/vpn/lib/ (except for libsqlite3.so, cause it wasn't there).Any idea what could be wrong?Thanks.

Matthew Woodward said...

Try these instructions maybe:http://blog.mattwoodward.com/cisco-anyconnect-vpn-client-on-64-bit-linuxmi

David Sinex said...

I have this working Ubuntu 11.04 64bit. I was having trouble even downloading the client from the server at UBC. (myvpn.ubc.ca) To do get my browser to download I did, 'setarch i386 firefox -no-remote'. Downloaded the vpn client. I then followed the instructions on this page almost exactly except I found that libsqlite3.so is nowcalled libmozsqlite3.so in the latest firefox 6.0.

dwmw2 said...

Why would you do this? Ubuntu has built-in support for the AnyConnect VPN, properly integrated into NetworkManager. Just make sure you have the network-manager-openconnect package installed.

Shawn Tabai said...

@dwmw2 is a lifesaver! I've been looking for a solution that would work for me for hours (the one in this blog as well as several others didn't work for me in Ubuntu 11.10 x64). After reading his reply, I simply executed the following in a terminal:sudo apt-get install network-manager-openconnectAfter that, I could configure the VPN using the built-in network manager tool. Thanks a million, this is perfect!