
I have a client using a VisualStudio solution to manage their website. In order to make edits, they had to set up a Windows 7 laptop for me, which I have to use to connect to their VPN before being able to access the solution. I am hoping to be able to port the profile over to my MacBook so that I don't have to lug around 2 computers with me.

I copied the XML profile from C:/ProgramData/Cisco/Cisco AnyConnect Secure Mobility Client/Profile over to the corresponding folder on my Mac /opt/cisco/anyconnect/profile and the profile is correctly showing up in AnyConnect on my Mac now. However, when I try to connect to the VPN, I get an error:

Invalid host entry. Please re-enter. 

Followed by another error:

The IPsec VPN connection was terminated due to an authentication failure or timeout. Please contact your network administrator.

Is it possible to make this work? Here's an example of what the HostEntry from the profile XML looks like:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreMac>All</CertificateStoreMac>
        <CertificateStoreOverride>true</CertificateStoreOverride>
        <ProxySettings>IgnoreProxy</ProxySettings>
        <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="false">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="false">true</LocalLanAccess>
        <DisableCaptivePortalDetection UserControllable="false">true</DisableCaptivePortalDetection>
        <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
        <IPProtocolSupport>IPv4</IPProtocolSupport>
        <AutoReconnect UserControllable="false">false</AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Disable
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <EnableAutomaticServerSelection UserControllable="false">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
        <AllowManualHostInput>true</AllowManualHostInput>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>MY GATEWAY</HostName>
            <HostAddress>sub.domain.com</HostAddress>
            <UserGroup>MyUserGroup_IKEv2</UserGroup>
            <BackupServerList>
                <HostAddress>othersub.domain.com</HostAddress>
            </BackupServerList>
            <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>false</StandardAuthenticationOnly>
            </PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

And here's my preferences_global.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>sub.domain.com</DefaultHostName>
<DefaultHostAddress>1.1.1.1:443</DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>
  • What authentication method is it using? Maybe you’re missing a required certificate or something. Do you use a username and password to connect? – Appleoddity Jun 13 '18 at 23:53
  • @Appleoddity Unfortunately I don't know much about AnyConnect or VPNs in general, so I'm not sure what authentication method it is using. Yes, I use a username/password to connect on the Windows laptop, but when I try to connect on my Mac, it doesn't even get to the username/password prompt before giving me the errors above. How would I know if it requires a certificate/is it possible to copy the certificate over? – user13286 Jun 14 '18 at 14:35
  • It should be defined in the rest of the profile XML, but you didn't provide that section. There might also be a clue in the preferences_global.xml in `\programdata\cisco\cisco anyconnect secure mobility client`. – Appleoddity Jun 14 '18 at 14:40
  • Certificates used will probably be in Certificates MMC under the personal store for either the Computer or User. The properties of one of them would probably be related to the company you are connecting to. It may or may not be exportable, depending on how they were configured when installed. – Appleoddity Jun 14 '18 at 14:41
  • Thank you for the help thus far, I have updated the question to include the rest of the profile as well as the contents (modified) of my `preferences_global.xml` file. – user13286 Jun 14 '18 at 14:48
  • Thank you. I'm not positive about this, but it looks like the certificate related settings in the profile XML were deliberately put there, meaning you probably do have a certificate to connect. It might be two factor. First the certificate, followed by a username and password. You need to check your certificate store like I mentioned previously. Use Certificates MMC: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in Look for any company related certificates in your personal store for the computer or user. – Appleoddity Jun 14 '18 at 15:06
  • I'm curious, any reason you haven't asked the company to work with you to install this on your Mac? – Appleoddity Jun 14 '18 at 15:07
  • Being able to export a certificate is a security risk so it's not likely you will be able to. The certificates are issued by the company to the specific machine. It's a security thing. If that is the case, it's not possible for you to put this on the Mac without their support. – Appleoddity Jun 14 '18 at 15:09
  • Unfortunately my contact at the company is technologically illiterate, so I'm basically on my own. I will poke around in the certificates. Thanks again for your help! – user13286 Jun 14 '18 at 15:12
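An added example for reading a profile like the one posted in the question; this is not Cisco's code and not from anyone in this thread. It parses an AnyConnectProfile.xml (a constructed sample with the same layout and placeholder host names is embedded so it runs offline), copes with the mixed-content elements AnyConnect uses such as `<PrimaryProtocol>IPsec<StandardAuthenticationOnly>…`, and summarises the settings that bear on whether a client certificate is involved, which is what the comment thread is trying to establish. The meaning attached to each setting is the editor's reading of Cisco's profile-editor documentation and is an assumption; the function and variable names are the editor's own.

```python
"""Summarise the authentication-relevant settings of a Cisco AnyConnect
client profile (the AnyConnectProfile.xml that was copied between machines).

Added example for this thread, not Cisco's code. The interpretation of each
setting is an assumption drawn from Cisco's profile-editor documentation."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout of the profile in the question.
# Host names are placeholders, not real endpoints.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
    <ClientInitialization>
        <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreMac>All</CertificateStoreMac>
        <CertificateStoreOverride>true</CertificateStoreOverride>
        <AllowManualHostInput>true</AllowManualHostInput>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>MY GATEWAY</HostName>
            <HostAddress>vpn.example.invalid</HostAddress>
            <UserGroup>MyUserGroup_IKEv2</UserGroup>
            <BackupServerList>
                <HostAddress>vpn2.example.invalid</HostAddress>
            </BackupServerList>
            <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>false</StandardAuthenticationOnly>
            </PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
"""


def _ns(root):
    """Namespace prefix of the root element, '{uri}' or '' if none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _text(parent, tag, ns, default=None):
    """Stripped leading text of a direct child. AnyConnect writes mixed content
    such as '<PrimaryProtocol>IPsec<Child>..</Child>', so only the text before
    the first child element counts."""
    if parent is None:
        return default
    el = parent.find(ns + tag)
    if el is None or el.text is None or not el.text.strip():
        return default
    return el.text.strip()


def _flag(parent, tag, ns, default=False):
    value = _text(parent, tag, ns)
    return default if value is None else value.lower() == "true"


def parse_profile(xml_text):
    """Return a dict of the certificate settings and every HostEntry."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    init = root.find(ns + "ClientInitialization")
    hosts = []
    for entry in root.findall(f"{ns}ServerList/{ns}HostEntry"):
        proto = entry.find(ns + "PrimaryProtocol")
        # An absent or empty PrimaryProtocol means the client default, SSL.
        protocol = "SSL"
        if proto is not None and proto.text and proto.text.strip():
            protocol = proto.text.strip()
        hosts.append({
            "name": _text(entry, "HostName", ns),
            "address": _text(entry, "HostAddress", ns),
            "group": _text(entry, "UserGroup", ns),
            "backups": [b.text.strip()
                        for b in entry.findall(f"{ns}BackupServerList/{ns}HostAddress")
                        if b.text and b.text.strip()],
            "protocol": protocol,
            "standard_auth_only": _flag(proto, "StandardAuthenticationOnly", ns),
        })
    return {
        "auto_cert_selection": _flag(init, "AutomaticCertSelection", ns),
        "cert_store_windows": _text(init, "CertificateStore", ns, "All"),
        "cert_store_mac": _text(init, "CertificateStoreMac", ns, "All"),
        "cert_store_override": _flag(init, "CertificateStoreOverride", ns),
        "hosts": hosts,
    }


def auth_hints(profile):
    """Plain-language notes on what the settings imply (editor's reading)."""
    hints = []
    if profile["auto_cert_selection"]:
        hints.append("AutomaticCertSelection=true: the client picks a client certificate "
                     f"itself from the '{profile['cert_store_windows']}' store on Windows "
                     f"and the '{profile['cert_store_mac']}' store on macOS; the Mac must "
                     "hold an equivalent certificate for that to succeed.")
    for h in profile["hosts"]:
        where = f"{h['name']} ({h['address']}, group {h['group'] or 'default'})"
        if h["protocol"].lower() == "ipsec":
            if h["standard_auth_only"]:
                hints.append(f"{where}: IKEv2 restricted to standards-based EAP methods.")
            else:
                hints.append(f"{where}: IKEv2 with AnyConnect EAP, which lets the gateway "
                             "require a client certificate as well as a username/password.")
        else:
            hints.append(f"{where}: SSL (TLS/DTLS) tunnel.")
    return hints


if __name__ == "__main__":
    for line in auth_hints(parse_profile(SAMPLE_PROFILE)):
        print("-", line)
```

Run it against the real file (`/opt/cisco/anyconnect/profile/<name>.xml` on macOS) by reading it into `parse_profile` instead of `SAMPLE_PROFILE`; if it reports automatic certificate selection together with IKEv2 and AnyConnect EAP, the next thing to confirm is whether a matching client certificate exists in the Mac keychain, which the profile alone cannot tell you.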

0 Answers