Openconnect Cisco Anyconnect



pfSense, as of 2016-03-01, does not support OpenConnect out of the box. However, it’s in the FreeBSD repository, and relatively easy to add:


OpenConnect is an SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN, which is now known as Pulse Connect Secure. Palo Alto’s GlobalProtect will also be supported in the future, and of course so is OpenConnect’s own server. I'm using OpenConnect myself and also with a couple of customers to build VPNs to the ASA, all without any problems. When deciding between OpenConnect and AnyConnect, keep in mind that you still need AnyConnect licenses even if you use a third-party client to download an AnyConnect image to place it on the ASA.

You can now play around with the openconnect command and test your connection.

Next step: Autostart, and adding the tun interface to the pfSense GUI. The GUI will, by default, ignore any interface named “tun*”, while openconnect will refuse to work with any interface not named “tun*”. Brilliant. The easiest workaround for this special case seems to be renaming the VPN interface after creation.

I made a script that automates checking if the connection is up, and (re-)starting it if it is not.
Replace the options in the “settings” section with appropriate values for your setup, and you should be good to go.

The “test” field should be a command that returns 0 when the connection is up, and anything else when it’s broken. I used netcat’s port testing feature on the remote desktop port of a server I needed to be able to connect to, but you can just as easily use things like ping with a limited count or similar.

Next, use crontab -e and add an entry to run the script regularly.

Again, replace the path and timing with your own preferred values.
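
A watchdog of the kind described above, as an added example that is not the author's script: it runs the “test” command, restarts openconnect only when the test fails, and renames the interface afterwards. The host, user, pin, file paths, test target and the `run` argument are placeholders or assumptions; the rename back to tun0 assumes the interface was renamed earlier.

```sh
#!/bin/sh
# Added example, not the original author's script. Every value in the settings
# block is a placeholder; run from cron as: /root/ocwatch.sh run (path assumed).

# --- settings ---
VPN_HOST="vpn.example.com"             # placeholder gateway
VPN_USER="vpnuser"                     # placeholder account
VPN_PASSFILE="/root/.ocvpn.pass"       # password on one line, mode 600
VPN_CERTPIN="pin-sha256:REPLACE_ME"    # placeholder pin of the gateway cert
VPN_IF="ocvpnc1"                       # name assigned in the pfSense GUI
VPN_TEST="nc -z -w 5 192.0.2.10 3389"  # must return 0 while the tunnel is up
PIDFILE="/var/run/ocvpn.pid"

# Succeeds only if the file exists and group/other have no permissions on it.
passfile_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in ------) return 0 ;; esac
    return 1
}

start_vpn() {
    passfile_ok "$VPN_PASSFILE" || {
        echo "ocvpn: $VPN_PASSFILE missing or accessible to others" >&2
        return 2
    }
    # Stop a stale client, then hand the tun* name back: openconnect refuses
    # other names (assumes the interface was renamed earlier, e.g. at boot).
    if [ -f "$PIDFILE" ]; then kill "$(cat "$PIDFILE")" 2>/dev/null; sleep 2; fi
    /sbin/ifconfig "$VPN_IF" name tun0 2>/dev/null
    # Password comes from stdin, not argv, so it never shows up in ps output;
    # --servercert accepts the gateway only if its certificate matches the pin.
    openconnect --background --pid-file="$PIDFILE" --interface=tun0 \
        --user="$VPN_USER" --passwd-on-stdin --servercert "$VPN_CERTPIN" \
        "$VPN_HOST" < "$VPN_PASSFILE" || return 1
    /sbin/ifconfig tun0 name "$VPN_IF"
}

# Run the test command; restart only when it fails. Returns start_vpn's status.
watchdog() {
    rc=0
    if ! sh -c "$VPN_TEST" >/dev/null 2>&1; then
        echo "ocvpn: tunnel test failed, restarting" >&2
        start_vpn || rc=$?
    fi
    return "$rc"
}

if [ "${1:-}" = run ]; then watchdog; fi
```

A crontab line such as `*/5 * * * * /root/ocwatch.sh run` (interval and path assumed) would drive it; cron mails the stderr messages, which gives a record of each restart.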

With the connection established, you can now go ahead and add the interface in the “assignment” tab of the GUI and set up appropriate rules for it.

CAUTION: Adding an interface that’s not available at boot time to the GUI will cause pfSense to think something is wrong on subsequent reboots and ask you to configure interfaces. I am not currently aware of a workaround for this, other than to not add the interface, controlling rules directly from the script instead. Please use the workaround below to avoid this issue, and make sure to verify that it works before leaving a pfSense box at a remote site unattended.


Interface boot workaround

The following workaround was offered by “DJC” in the comments section:

  1. Install “Shellcmd” in pfSense WebConfigurator:
    System => Package Manager => Available Packages
    Find Shellcmd and INSTALL
  2. Navigate to Shellcmd:
    Services => Shellcmd
  3. Add the following item in Shellcmd:
    Command: /sbin/ifconfig tun create; /sbin/ifconfig tun0 name ocvpnc1
    Shellcmd Type: earlyshellcmd
    Description: Create tunnel interface for OVPNC1 at boot

Give any user highly secure access to the enterprise network, from any device, at any time, in any location.

Cisco AnyConnect - Empower your employees to work from anywhere, on company laptops or personal mobile devices, at any time. AnyConnect simplifies secure endpoint access and provides the security necessary to help keep your organization safe and protected.

Gain more insight into user and endpoint behavior with full visibility across the extended enterprise. With AnyConnect's Network Visibility Module (NVM), you can defend more effectively and improve network operations.


Defend against threats, no matter where they are. For example, with Cisco Identity Services Engine (ISE), you can prevent noncompliant devices from accessing the network. And with Cisco Umbrella Roaming, you can extend protection when users are off the VPN.

Provide a consistent user experience across devices, both on and off premises, without creating a headache for your IT teams. Simplify management with a single agent.
