Cisco AnyConnect IP phones to OpenVPN server?

Started by Dieselboy, May 21, 2018, 04:32:48 AM

Dieselboy

I have some AnyConnect phones (8945). I don't have a proper SSL VPN server (such as an ASA or IOS router). I tried but have been unable to get my AnyConnect laptop software connecting to an OpenVPN server I set up as a test. The issue seems to be that OpenVPN wants certificates to be involved. In the case of the Cisco phone, the phone can send a Cisco cert or I can have the user prompted for username and password. I would want to try the 2nd option (not ideal, but want to see if it works).

I thought I could use any SSL VPN server, but I think OpenVPN is out because the client cert has to be subordinate to the server cert, which isn't possible with the Cisco phone. When I try connecting with the AnyConnect software, the software complains there's no cert. So it seems the server is always expecting a cert.

Can anyone with more experience confirm this? And maybe suggest some open source software to run an SSL VPN for authenticating the client with username and password?

dlots

Is this just for testing? Or is it going into production?

If it's just for testing you can probably set up a virtual ASA in GNS3.

Dieselboy

Was looking at production. Bit of a weird request, I know.

I spent all day on this yesterday, reading docs and following some examples online and adding what I had learnt from the docs. I found that yes, we can authenticate the client by username and password only, but the next problem is that OpenVPN is either TCP or UDP only, unlike Cisco's SSL VPN, where the authentication is done on TCP and then a DTLS UDP data channel is opened up.

So I thought some more and I think it's best to run a VPN from an upstream device like a router, and then the phone will simply do SCCP only to CUCM. I could splash out and set up an ASAv or CSR virtual router, but the minimum specs for those are overkill for me. This in turn makes it expensive for licensing and cloud VM running costs. At the moment I literally have three telephones that I want to connect to a VPN in the cloud. I have another idea, so going to look into that today.

Thanks for the information dlots :)
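
A worked example, added here and not taken from the thread, of the username/password-only mode the post above found in OpenVPN: a `via-file` hook script for `auth-user-pass-verify`, with the matching server directives listed in the header comment (`verify-client-cert none`, `username-as-common-name`, `script-security 2`, `auth-user-pass-verify ... via-file` are real OpenVPN directives; the script path, the credential-store path and its `user:salt:sha256hex` format are assumptions made for this example). It assumes a Linux host with `sha256sum`. Note that this only helps clients that speak the OpenVPN protocol; AnyConnect does not, so the dead end described above is expected regardless of how the server authenticates.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN "auth-user-pass-verify" hook
# for password-only client authentication. Pair it with these server.conf lines:
#   verify-client-cert none        # OpenVPN 2.4+; older releases used client-cert-not-required
#   username-as-common-name        # the login name becomes the client's identity
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/check-user.sh via-file   # path is an assumption
# With "via-file", OpenVPN writes the username on line 1 and the password on line 2
# of a temporary file and passes that path as $1; exit 0 accepts, non-zero rejects.
# The server still needs its own cert/key and the client still verifies it via "ca".
# Credential store format (constructed for this example), one entry per line:
#   user:salt:sha256hex(salt + password)

# verify_credentials VIA_FILE CREDS_FILE -> returns 0 if the login is valid, 1 otherwise
verify_credentials() {
    via_file=$1
    creds_file=$2
    [ -r "$via_file" ] && [ -r "$creds_file" ] || return 1
    user=$(sed -n '1p' "$via_file")
    pass=$(sed -n '2p' "$via_file")
    # The username is reused as the client's common name, so allow only a conservative charset.
    case $user in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    [ -n "$pass" ] || return 1
    # Exact-match lookup of the user's salt and stored hash (awk, to avoid regex surprises).
    entry=$(awk -F: -v u="$user" '$1 == u { print $2 ":" $3; exit }' "$creds_file")
    [ -n "$entry" ] || return 1
    salt=${entry%%:*}
    stored=${entry#*:}
    actual=$(printf '%s%s' "$salt" "$pass" | sha256sum | cut -d' ' -f1)
    # Unknown user, wrong password and missing file all fail the same way: a plain reject.
    [ "$actual" = "$stored" ]
}

# make_entry USER SALT PASSWORD -> prints one credential-store line (used when provisioning users)
make_entry() {
    printf '%s:%s:%s\n' "$1" "$2" "$(printf '%s%s' "$2" "$3" | sha256sum | cut -d' ' -f1)"
}

# When OpenVPN invokes the script there is exactly one argument: the via-file path.
if [ "$#" -eq 1 ]; then
    verify_credentials "$1" "${CREDS_FILE:-/etc/openvpn/users.db}"   # default path is an assumption
    exit $?
fi
```

The salted SHA-256 store keeps the example self-contained; on a real server you would normally point `auth-user-pass-verify` at PAM, LDAP or RADIUS (OpenVPN ships `openvpn-plugin-auth-pam.so` for that) rather than maintain a hash file by hand, and you would keep `verify-client-cert none` in mind as the weaker mode: the server is then trusting a password alone for anything it routes to the tunnel.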

deanwebb

Would you have the same issues with softphones running on PCs that had their own VPN sessions running?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Thanks for the suggestion, but at the moment yes, as the VPN server is on the complete opposite side of the globe :). The goal is to get the RTP routing to the ITSP as close to the users as possible (i.e. at least in the same country as both the users and the ITSP). My 'other idea' is looking really promising. I'll post up some more about it once it's finished.

Dieselboy

I've bought a couple of cigarette-packet-sized firewall/routers. From that device I can use OpenVPN. Behind that device lives the phone, which won't use AnyConnect any longer ;)

deanwebb

Well, that satisfies the technical requirements, but does it satisfy the security requirements?

In other words, are those devices on any critical vulnerability announcements for home/small office router compromises?

Dieselboy

I have thought about that. When they arrive I'll do some Sherlock Holmes type investigative work. But they will not be internet facing (the WAN port will plug into the user's home LAN) and will be running a 'deny all' firewall, so I am expecting that to be sufficient. But will check it out anyway.