linux - Openconnect for Cisco VPN doesn't recognize private key file - asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

27
2013-10
  • Alexander Skwar

    I'm trying to use my Synology DS212 NAS box to also act as VPN gateway to my company's VPN. Sadly, they only use Cisco ASA and to complicate stuff even further, we've got to use personal certificates (which is of course more secure, but more complicated to get going…).

    So I compiled OpenConnect v4.06 from http://www.infradead.org/openconnect/. As a very basic test, I tried to build a connection by manually invoking openconnect, passing along the key and cert files, like so:

    /lib/ld-linux.so.3 --library-path /opt/lib \
     /opt/openconnect/sbin/openconnect \
      --certificate=$VPN_CFG/alexander.crt \
      --sslkey=$VPN_CFG/alexander.key \
      --cafile=$VPN_CFG/Company_VPN_CA.crt \
      --user=alexander --verbose <ip>:443
    

    It fails :(

    Attempting to connect to <ip>:443
    Using certificate file $VPN_CFG/alexander.crt
    Using client certificate '/CN=[email protected]/OU=Company VPN'
    5919:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1315:
    Loading private key failed (see above errors)
    Loading certificate failed. Aborting.
    Failed to open HTTPS connection to <ip>
    Failed to obtain WebVPN cookie
    

    When I run the same command with the same cert/key files on a Ubuntu 12.04 box, it works:

    openconnect \
     --certificate=$VPN_CFG/alexander.crt \
      --sslkey=$VPN_CFG/alexander.key \
      --cafile=$VPN_CFG/Company_VPN_CA.crt \
      --user=alexander --verbose <ip>:443
    Attempting to connect to <ip>:443
    Using certificate file $VPN_CFG/alexander.crt
    Extra cert from cafile: '/CN=Company AG VPN CA/O=Company AG/L=Zurich/ST=ZH/C=CH'
    SSL negotiation with <ip>
    Server certificate verify failed: self signed certificate
    
    Certificate from VPN server "<ip>" failed verification.
    Reason: self signed certificate
    Enter 'yes' to accept, 'no' to abort; anything else to view: yes
    Connected to HTTPS on <ip>
    GET https://<ip>/
    […]
    

    Well… The error on the NAS is this:

    5919:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1315:

    Any ideas, what's causing this?

    On Syno, I use OpenConnect 4.06. On Ubuntu, I just compiled and installed to a custom location OpenConnect 4.06 as well.

    Thanks, Alexander
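    As an added diagnostic (not from the question, the answer, or OpenConnect itself): the "wrong tag" line above is OpenSSL's ASN.1 decoder meeting a structure it did not expect, which often happens when the key is stored in a different encoding (PKCS#8 vs. traditional PKCS#1, PEM vs. DER, or a PEM file with CRLF line endings) than the loader on that machine tries first. The script below only reads the PEM label and line endings of a key file, so its output on the NAS can be compared with the Ubuntu box; the function names are hypothetical and the file path is the question's.

```shell
#!/bin/sh
# Added diagnostic helper (not part of OpenConnect): classify a client key file by
# its PEM label and flag CRLF line endings, so the file handed to --sslkey on the
# NAS can be compared with what the Ubuntu box accepted.  Only the header line is
# inspected; no key material is parsed or printed.

# Print a short format name for the key file given as $1.
key_format() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # First PEM armour line, with any trailing CR stripped before matching.
    label=$(grep '^-----BEGIN ' "$f" | head -n 1 | tr -d '\r' \
            | sed 's/^-----BEGIN \(.*\)-----$/\1/')
    case "$label" in
        "RSA PRIVATE KEY")       echo "pkcs1-rsa" ;;          # traditional OpenSSL RSA
        "EC PRIVATE KEY")        echo "sec1-ec" ;;
        "PRIVATE KEY")           echo "pkcs8-unencrypted" ;;
        "ENCRYPTED PRIVATE KEY") echo "pkcs8-encrypted" ;;
        "")
            # No PEM armour: a DER blob starts with the ASN.1 SEQUENCE tag 0x30.
            first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
            if [ "$first" = "30" ]; then echo "der"; else echo "unknown"; fi ;;
        *)                       echo "other:$label" ;;
    esac
}

# Exit 0 if the file contains CRLF line endings, which some PEM parsers reject.
key_has_crlf() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# Usage: sh keyfmt.sh "$VPN_CFG/alexander.key" [more files...]
for f in "$@"; do
    echo "$f: $(key_format "$f")"
    if key_has_crlf "$f"; then echo "$f: has CRLF line endings"; fi
done
```

    Once the format on each machine is known, `openssl pkey -in key -out key.p8` (PKCS#8 output) or `openssl rsa -in key -out key.pem` (traditional RSA output) rewrites the key into the other form for a retry.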

  • Answers
  • David Woodhouse

    You found the OpenConnect web site already, I see. But please read http://www.infradead.org/openconnect/mail.html more carefully and I'm sure it'll help you answer this question. Sorry you had to wait 6 months for a response here, but you did kind of bring that on yourself...


  • Related Question

    linux - Installing Cisco VPN Client on Ubuntu
  • Ólafur Waage

    I've been googling for this for a while now, both for the client itself and a guide on how to install the client, with little success.

    How can I install the Cisco VPN client on Linux, and where can I get it from?

    I have Ubuntu 9.04 and it is stated to be Cisco VPN supported. But when I import the PCF file I get an error: there were no valid VPN secrets


  • Related Answers
  • nhinkle

    This has since been answered on our Ubuntu-specific sister site Ask Ubuntu:

    How do I install Cisco VPN client?

    What is best way to install the Cisco VPN client application in Ubuntu?

    There were a lot of low-quality answers and speculation on this post, so I'm going to lock it. Follow the instructions over on Ask Ubuntu, and if you have problems with it, you can always ask for help in a new question here on Super User or on Ask Ubuntu.