How to connect to a Cisco AnyConnect VPN server from the OSX (or Linux) command-line without using the AnyConnect client. Specifically, one which uses VeriSign/Symantec VIP Access dual-factor tokens.

(For Linux users, make sure you have oathtool and openconnect, then start from Step 6. If you don't have a token secret key, have a friend generate one for you on OSX via steps 3-5)

Step 1

Get homebrew and install oath-toolkit, openconnect, and tuntap.
And follow the additional tuntap installation instructions!

Step 2

After the tuntap module is installed, reboot or use kextload to activate it.

Step 3

Use the VIP Access application to provision a token.
(This happens the first time you run it. The token is saved into the keyring at /Users/$USER/Library/Keychains/VIPAccess.keychain, and is obfuscated.)

Step 4

Extract the token's secret key.
(Be sure to use the "v" argument so it prints the key, not just the OTP)

Step 5 (optional)

Get rid of the VIP Access app and its keychain.
(Deleting the VIP Access keychain is also useful if you need to provision a new token - for example on behalf of a friend who wants to use oathtool & openconnect from Linux.)

Step 6

Grab the vpnc-script file.

Step 7 (optional)

Patch vpnc-script to enable manual split-horizon DNS.

Step 8

Grab a CA bundle.

Step 9

Try it out!
Run oathtool --totp YOUR_SECRET_KEY_HERE (or the above script that reads the VIP Access keychain) to get your second-factor code.
Then quickly run sudo openconnect --script ./vpnc-script https://YOUR_SERVER_HERE --cafile=cacert.pem and follow the login prompts.
(sudo is needed, otherwise the tun/tap interface setup won't work for permission reasons)

Step 10 (optional)

Script your login using Expect or your favorite automation tool so you don't have to enter all that stuff by hand.
(extra credit: store your secret key and passwords in the OSX system keychain rather than hard-coded into your automation script...)
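Steps 9 and 10 together, as an added example that is not part of the original gist: a Python script that computes the same RFC 6238 code `oathtool --totp HEXKEY` prints (HMAC-SHA1, 30-second step, 6 digits, which is also what VIP Access uses), reads the extracted secret from the macOS login keychain with the real `security find-generic-password` command instead of hard-coding it, and launches the Step 9 openconnect command with `--passwd-on-stdin` so the password is piped rather than typed. The service/account names, the environment variable names and the prompt order (password first, then token code) are assumptions for illustration; `--user`, `--passwd-on-stdin`, `--script` and `--cafile` are real openconnect options.

```python
#!/usr/bin/env python3
"""Added example (not from the gist): oathtool-compatible TOTP plus an
openconnect launcher that keeps the secret out of the script."""
import base64
import hashlib
import hmac
import os
import struct
import subprocess
import sys
import time
from typing import List, Optional


def decode_secret(secret: str, base32: bool = False) -> bytes:
    """Hex by default (oathtool's default), base32 when base32=True (oathtool -b)."""
    if base32:
        s = secret.strip().replace(" ", "").upper()
        return base64.b32decode(s + "=" * (-len(s) % 8))
    return bytes.fromhex(secret.strip())


def totp(secret: str, now: Optional[int] = None, step: int = 30,
         digits: int = 6, base32: bool = False) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the defaults of `oathtool --totp KEY`."""
    key = decode_secret(secret, base32)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def secret_from_keychain(service: str, account: str) -> str:
    """Read the hex secret from the macOS login keychain. Store it once with:
    security add-generic-password -s SERVICE -a ACCOUNT -w HEXKEY
    (service/account names are whatever you chose; these are placeholders)."""
    out = subprocess.run(
        ["security", "find-generic-password", "-s", service, "-a", account, "-w"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def openconnect_cmd(server: str, user: str, vpnc_script: str = "./vpnc-script",
                    cafile: str = "cacert.pem") -> List[str]:
    """argv for the Step 9 command, with the password read from a pipe."""
    return ["sudo", "openconnect", "--script", vpnc_script, f"--cafile={cafile}",
            f"--user={user}", "--passwd-on-stdin", server]


def connect(server: str, user: str, password: str, hex_secret: str) -> int:
    """Generate the code right before connecting (it is only valid ~30 s) and
    feed password and code on stdin. Assumption: the gateway asks for the
    password first and the VIP token code second, one answer per line."""
    code = totp(hex_secret)
    proc = subprocess.Popen(openconnect_cmd(server, user),
                            stdin=subprocess.PIPE, text=True)
    proc.stdin.write(f"{password}\n{code}\n")
    proc.stdin.close()
    return proc.wait()


if __name__ == "__main__":
    # Hypothetical environment variables; adjust to your own setup.
    server = os.environ.get("VPN_SERVER", "https://YOUR_SERVER_HERE")
    user = os.environ.get("VPN_USER", os.environ.get("USER", ""))
    secret = secret_from_keychain("vip-access-totp", user)   # placeholder names
    if len(sys.argv) > 1 and sys.argv[1] == "--code":
        print(totp(secret))                                   # compare with the VIP Access app
        sys.exit(0)
    pw = subprocess.run(["security", "find-generic-password", "-s", "vpn-password",
                         "-a", user, "-w"], check=True, capture_output=True,
                        text=True).stdout.strip()
    sys.exit(connect(server, user, pw, secret))
```

Before deleting the VIP Access app (Step 5), run the script with `--code` and confirm the number matches what the app displays; if it does not, the extracted key is wrong or the clock is off, and neither oathtool nor this script will produce accepted codes. If your openconnect build only takes the first password from the pipe, openconnect also has a built-in `--token-mode=totp` option that generates the code itself; see its man page for how the secret is passed.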
