Migrating from CiscoVPN to Viscosity

Got a problem with Viscosity or need help? Ask here!

Mike1

Posts: 2
Joined: Thu Jul 31, 2014 5:57 pm

Post by Mike1 » Thu Jul 31, 2014 7:22 pm
Hi,

I've been using the free CiscoVPN Client (not AnyConnect), which is prescribed by my university for connecting to the univ's VPN. This has always worked well, expect that I migrated from Leopard to Mavericks and the free CiscoVPN Client requires 32bit, and will definitively not work on Mavericks (OS X 10.9.4), so this route seems closed. Now I'm looking to Viscosity for a solution but have not been able to make it work... no surprise since I'm a VPN Noob :-) Here's the situation:

I have two certificates by the university IT department, which I generated through an online interface. These are named cert.p12 and certnew.p7b. Some extra info regarding the certificates - having fiddled with OS X internal VPN Client, I had to import the p12 into the Keychain Access (so it could be accessed in the Network configuration UI). This allowed me to realize that the systems considers the certificate to be signed by an unknown authority, makes sense, it's the IT department. As a side note I did tell OS X to "Always Trust" the certificate when using it, but no success!

Back to Viscosity. After some trial and error, the best (?) configuration I seem to have made is:
Code: Select all
#-- Config Auto Generated By Viscosity --#

#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name VPN ISCTE
remote THE_VPN_ADDRESS_IS_OK PORT_IS_OK_TOO udp
persist-key
auth-user-pass
comp-lzo no
tls-auth ta.key
pull
ca ca.crt
dev tun
persist-tun
tls-client
nobind
pkcs12 pkcs.p12
My connection log is (copied from Details dlgbox):
Code: Select all
Jul 31 10:18:00: Viscosity Mac 1.4.10 (1175)
Jul 31 10:18:00: Viscosity OpenVPN Engine Started
Jul 31 10:18:00: Running on Mac OS X 10.9.4
Jul 31 10:18:00: ---------
Jul 31 10:18:00: Checking reachability status of connection...
Jul 31 10:18:01: Connection is reachable. Starting connection attempt.
Jul 31 10:18:03: OpenVPN 2.3.4 i386-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jun  6 2014
Jul 31 10:18:19: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jul 31 10:18:25: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 31 10:18:25: Cannot load CA certificate file ca.crt (no entries were read) (OpenSSL)
This has lead me as far as being prompted for my username and password, and then I prompted again by OpenVPN for my password, after which the connection is disconnected.
Any thoughts on how this could be solved?
TIA

Mike1

Posts: 2
Joined: Thu Jul 31, 2014 5:57 pm

Post by Mike1 » Fri Aug 01, 2014 7:59 pm
Hi,

I've been fiddling and googling a bit. Some things seem to be wrong in my configuration, so I made some changes. Here's the new config and its results:
Code: Select all
#-- Config Auto Generated By Viscosity --#

#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name VPN ISCTE
remote THE_VPN_ADDRESS_IS_OK PORT_IS_OK_TOO udp
persist-key
auth-user-pass
comp-lzo no
#tls-auth ta.key
pull
#ca ca.crt
dev tun
persist-tun
tls-client
nobind
pkcs12 pkcs.p12

# Added by me:
remote-cert-tls server
Comments on config changes
  • The first log says ca.cert is not loaded, so I just commented out "ca ca.cert"
  • Excluding ca.cert lead to an error "Key file ('ta.key') can be a maximum of 2048 bytes", so I commented out "tls-auth ta.key"
  • Believing the option "remote-cert-tls server" tells OpenVPN that the ca.crt is on the server I included this line, and got rid of warning "No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
With these changes, handshake fails and goes on a loop trying to pass:
Code: Select all
Aug 01 10:17:31: Viscosity Mac 1.4.10 (1175)
Aug 01 10:17:31: Viscosity OpenVPN Engine Started
Aug 01 10:17:31: Running on Mac OS X 10.9.4
Aug 01 10:17:31: ---------
Aug 01 10:17:31: Checking reachability status of connection...
Aug 01 10:17:31: Connection is reachable. Starting connection attempt.
Aug 01 10:17:34: OpenVPN 2.3.4 i386-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jun  6 2014
Aug 01 10:17:47: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 01 10:17:47: UDPv4 link local: [undef]
Aug 01 10:17:47: UDPv4 link remote: [AF_INET]PROPER_IP_ADDRESS:PROPER_PORT
Aug 01 10:18:47: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 01 10:18:47: TLS Error: TLS handshake failed
Aug 01 10:18:47: SIGUSR1[soft,tls-error] received, process restarting
Aug 01 10:18:57: UDPv4 link local: [undef]
Aug 01 10:18:57: UDPv4 link remote: [AF_INET]PROPER_IP_ADDRESS:PROPER_PORT
Aug 01 10:19:57: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 01 10:19:57: TLS Error: TLS handshake failed
Aug 01 10:19:57: SIGUSR1[soft,tls-error] received, process restarting
Aug 01 10:20:07: UDPv4 link local: [undef]
Aug 01 10:20:07: UDPv4 link remote: [AF_INET]PROPER_IP_ADDRESS:PROPER_PORT
Aug 01 10:21:07: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 01 10:21:07: TLS Error: TLS handshake failed
Aug 01 10:21:07: SIGUSR1[soft,tls-error] received, process restarting
Any thought on how to proceed?
Txs

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sat Aug 02, 2014 7:15 am
Hi Mike1,

Viscosity supports OpenVPN servers: it does not support Cisco AnyConnect or Cisco IPSec servers. From what you describe it sounds like your IT department has given you a certificate/key for IPSec certificate authentication, rather than the files you need to use OpenVPN.

If your IT department does have OpenVPN servers that you can connect to, they should be able to provide you with an configuration file that can be imported directly into Viscosity.

For more information please see:
https://www.sparklabs.com/viscosity/int ... sviscosity

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

ssomsen

Posts: 1
Joined: Sat Dec 17, 2016 12:44 am

Post by ssomsen » Sat Dec 17, 2016 12:48 am
James,

Adding support for Cisco IPSec would be a major improvement and make the client really interesting for us, especially now that Cisco has ceased supporting its own client on Windows 10....


Sjoerd

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Dec 20, 2016 10:37 am
Hi Sjoerd,

Thanks for the feedback - much appreciated.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
5 posts Page 1 of 1