I outlined much of this in a previous blog post, but since things are slightly different (or at least were for me) on Ubuntu 10.04, I figured I’d do a follow-up while it was fresh in my mind. Note that if you’re on 32-bit Ubuntu AnyConnect works out of the box so you don’t need to do any of these steps. The issue is that there is no native 64-bit AnyConnect client for Linux so you have to install some 32-bit libraries and point AnyConnect to some libraries from Firefox to get things working.

The basic procedure remains the same as in my previous post, but I had to install some additional libraries and do things in a slightly different order this time around.

1. Download the AnyConnect installer from your VPN server or get a copy from your VPN administrator. (Why these clients aren’t freely available I have no idea. You can only connect to something that someone paid Cisco for, so I’m not sure why the clients can’t just be out in the wild. If you Scroogle around you may find some download links here and there but of course use at your own risk if you don’t get the client from an authorized source.)
2. Do a chmod +x on the installer (which for me was called vpnsetup.sh) and then run the installer using sudo. This will throw a couple of errors but they can safely be ignored.
3. Install ia32-libs and lib32nss-mdns

   • sudo apt-get install ia32-libs lib32nss-mdns

4. Download a fresh copy of Firefox, expand, and move to /usr/local

   • I downloaded to my Downloads directory, expanded there, and did sudo cp -R firefox /usr/local

5. Do a cd into /usr/local/firefox and create symlinks for the Firefox libraries in /opt/cisco/vpn/lib as follows:

   • sudo ln -s libnss3.so /opt/cisco/vpn/lib/libnss3.so
   • sudo ln -s libplc4.so /opt/cisco/vpn/lib/libplc4.so
   • sudo ln -s libnspr4.so /opt/cisco/vpn/lib/libnspr4.so
   • sudo ln -s libsmime3.so /opt/cisco/vpn/lib/libsmime3.so
   • sudo ln -s libsoftokn3.so /opt/cisco/vpn/lib/libsoftokn3.so
   • sudo ln -s libnssdbm3.so /opt/cisco/vpn/lib/libnssdbm3.so
   • sudo ln -s libfreebl3.so /opt/cisco/vpn/lib/libfreebl3.so
   • sudo ln -s libnssutil3.so /opt/cisco/vpn/lib/libnssutil3.so
   • sudo ln -s libplds4.so /opt/cisco/vpn/lib/libplds4.so
   • sudo ln -s libsqlite3.so /opt/cisco/vpn/lib/libsqlite3.so

6. Start the VPN daemon: sudo /etc/init.d/vpnagentd_init start (If it doesn’t start without errors, double-check all your symlinks.)
7. Launch AnyConnect. You should have a launcher under Applications -> Internet, but If not you can launch it from /opt/cisco/vpn/bin/vpnui using your normal user account (i.e. not using sudo).

After AnyConnect launches you can enter your VPN server address, accept the certificate, and log in as per usual.

I’ve been using vpnc as my VPN client on Ubuntu for quite some time now, but vpnc allows for split tunneling (meaning I’m on the VPN but I can still access my local network), and, well, let’s just say some network security folks don’t like that. 😉 I looked into disabling split tunneling on vpnc and I didn’t find any conclusive answers, so it was time to look for an alternative VPN client for Cisco VPNs.

Cisco AnyConnect is a VPN client that can (in theory) be installed from a web browser on any operating system, provided your VPN server is configured to support it. If you want to check, hit your VPN server in a browser. If you see a login screen, log in with your normal VPN credentials and you should be able to install AnyConnect from there.

All isn’t rosy with this picture on Linux, however. The browser-based install doesn’t work (or didn’t for me at least), and while you can download a Linux version of the installer, the installer runs fine but the client throws some errors when you attempt to connect to your VPN. Specifically in my case it was throwing a “no valid certificates” error or something along those lines. As usual there’s a relatively simple solution, but it took some digging.

AnyConnect relies on libraries that are distributed with Firefox, but AnyConnect expects these libraries to be located under /usr/local/firefox. On Ubuntu they’re located elsewhere so AnyConnect chokes when it’s trying to connect.

Once you have AnyConnect installed, go through the following steps to get things working. Also make sure the daemon is running; check using ps -ef | grep vpn and if it isn’t running, do sudo /etc/init.d/vpnagentd_init start to fire that up.

1. Download Firefox from mozilla.com. Yes, I know, you already have it installed, but download a fresh copy anyway. Although you may be able to leverage your existing copy, I went this route just to be sure nothing interfered with the copy I use all day every day. I read some things that seemed to indicate you needed to get the 32-bit version if you’re on a 64-bit OS, but that wasn’t the case for me. I suppose if you have a 32-bit version of AnyConnect you’d want to get the 32-bit version of Firefox.
2. Untar Firefox into /usr/local/firefox
3. Create symlinks in /opt/cisco/vpn/lib to the following files, all of which are located in /usr/local/firefox:
   libnss3.so
   libplc4.so
   libnspr4.so
   libsmime3.so
   libsoftokn3.so
   libnssdbm3.so
   libfreebl3.so
   libnssutil3.so
   libplds4.so
   libsqlite3.so
   (Thanks to casevh in this thread for the list of libraries)
4. Launch AnyConnect (/opt/cisco/vpn/bin/vpnui). From what I read you should not be launching AnyConnect as root or by using sudo.
5. After the client launches, enter the host to which you want to connect.
6. Accept the certificate provided by the server.
7. Enter your user name and password as you normally do.

That’s it–you should be in. Note that if you’re used to using a profile file with a different VPN client, AnyConnect (at least based on my 1/2 day of experience) seems to work differently, so a user name and password should be all you need. If you’re using a SecurID token of course you’ll use that as your password.