
I have the Cisco AnyConnect VPN on my Ubuntu 18.04 machine. I also have an embedded Linux board plugged in that I need to connect to over ssh.

Whenever I connect to my VPN, however, I can no longer talk to my local board (ping 10.1.2.3 fails with the VPN connected, as does ssh [email protected]). How can I disable the VPN for this board only, so that the interface talking to this local board does not go through the VPN?

Example info:

  1. My main Ubuntu machine:
    1. Interface name for the interface connecting to this local Linux board (as shown by ifconfig): enxf8e43b9df776
    2. Static IP to the local Linux board: 10.1.2.1
    3. Netmask: 255.255.255.0
  2. Local embedded Linux board which I need to ssh into:
    1. Static IP address: 10.1.2.3
    2. Netmask: 255.255.255.0

This doesn't work for me: Is it possible to stop using VPN on some application?

I need to be able to use the VPN to connect to some remote networks while simultaneously using my local embedded Linux board.

Possibly useful:

  1. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html
    1. grep -rn 'LocalLanAccess' /opt/cisco
    2. grep -rn '<AnyConnectProfile' /opt/cisco
  2. I need to try this out; this is quite the hack! (building a custom function, C++ name-mangling and all, and preloading it at library load time to override the internal function by that name): Super User: How to allow local LAN access while connected to Cisco VPN?
  3. OpenConnect - an alternative to try, which is apparently compatible with Cisco AnyConnect
    1. https://gitlab.com/openconnect/openconnect
    2. http://www.infradead.org/openconnect/

Here are some things I did which did not prove to solve the problem or be useful (at least not yet, anyway):

grep -rn 'LocalLanAccess' /opt/cisco

$ grep -rn 'LocalLanAccess' /opt/cisco
/opt/cisco/anyconnect/.anyconnect_global:15:<LocalLanAccess>false</LocalLanAccess></ControllablePreferences>
Binary file /opt/cisco/anyconnect/lib/libvpnapi.so matches
Binary file /opt/cisco/anyconnect/lib/libvpnagentutilities.so matches
/opt/cisco/anyconnect/profile/vpn_profile.xml:15:    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
/opt/cisco/anyconnect/profile/AnyConnectProfile.xsd:325:    <xs:element name="LocalLanAccess" default="false" minOccurs="0">

cp -i /opt/cisco/anyconnect/.anyconnect_global /opt/cisco/anyconnect/.anyconnect_global.bak
cp -i /opt/cisco/anyconnect/profile/vpn_profile.xml /opt/cisco/anyconnect/profile/vpn_profile.xml.bak
cp -i /opt/cisco/anyconnect/profile/AnyConnectProfile.xsd /opt/cisco/anyconnect/profile/AnyConnectProfile.xsd.bak

Manually update all 3 files to true:

$ grep -rn 'LocalLanAccess' /opt/cisco
/opt/cisco/anyconnect/.anyconnect_global:15:<LocalLanAccess>true</LocalLanAccess></ControllablePreferences>
Binary file /opt/cisco/anyconnect/lib/libvpnapi.so matches
Binary file /opt/cisco/anyconnect/lib/libvpnagentutilities.so matches
/opt/cisco/anyconnect/profile/vpn_profile.xml:15:    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
/opt/cisco/anyconnect/profile/AnyConnectProfile.xsd:325:    <xs:element name="LocalLanAccess" default="true" minOccurs="0">

  • This is something you need to ask the Cisco VPN people about. I use ExpressVPN and their product is an all or nothing. I have to stop the VPN to use ssh even internal. It "protects" the machine completely. – David Oct 26 '22 at 05:17
  • What's the output of ip route -n before and after connecting to the VPN? – muru Oct 27 '22 at 05:12
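Added example (mine, not code from the question, the answer, or Cisco): a POSIX shell script that does the before/after route comparison muru's comment asks for. route_for does a longest-prefix match over "ip route show" text, so you can answer "which interface would 10.1.2.3 leave on?" from two saved snapshots. The two sample tables, the cscotun0 device name, the /1 routes and the host route in them are constructed for illustration, not captured from a real AnyConnect session; the *_live helpers run the real commands on the machine.

```shell
#!/bin/sh
# Added example, not from the original post. Compare the route to the local
# board before and after the VPN comes up. Parsing works on saved text so
# the functions run offline; the live helpers capture the real tables.

# Longest-prefix match over "ip route show" output.
# usage: route_for "<table text>" <dest-ipv4>   -> prints the device, or "none"
route_for() {
  printf '%s\n' "$1" | awk -v dest="$2" '
    function ip2int(s,    a) {
      split(s, a, ".")
      return a[1] * 16777216 + a[2] * 65536 + a[3] * 256 + a[4]
    }
    BEGIN { d = ip2int(dest); best = -1; bestdev = "none" }
    NF == 0 { next }
    # only real routes: "default ..." or "a.b.c.d[/len] ..."; skip unreachable/blackhole lines
    $1 != "default" && $1 !~ /^[0-9]/ { next }
    {
      dev = ""
      for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
      if ($1 == "default") { net = 0; plen = 0 }
      else {
        n = split($1, p, "/")
        net = ip2int(p[1]); plen = (n == 2) ? p[2] + 0 : 32
      }
      # Compare the top plen bits by integer-dividing away the host bits;
      # POSIX awk has no bitwise AND, and doubles are exact at 32 bits.
      span = 2 ^ (32 - plen)
      if (int(d / span) == int(net / span) && plen > best) {
        best = plen; bestdev = dev
      }
    }
    END { print bestdev }'
}

# Exit 0 if DEST still leaves via EXPECTED_DEV after the VPN is up, 1 if the
# VPN captured it.  usage: check_lan_route "<before>" "<after>" DEST EXPECTED_DEV
check_lan_route() {
  before=$(route_for "$1" "$3")
  after=$(route_for "$2" "$3")
  if [ "$after" = "$4" ]; then
    echo "$3: still via $after (the route table is not what blocks it)"
    return 0
  fi
  echo "$3: was via $before, now via $after (the VPN captured the route)"
  return 1
}

# Live helpers (need the real machine): snapshot before and after connecting.
snapshot_routes_live() { ip route show > "$1"; }   # e.g. routes.before / routes.after
route_for_live() { ip route get "$1"; }            # the kernel's own answer for one host

# Constructed sample tables (assumptions, not captured from AnyConnect):
ROUTES_BEFORE='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.1.2.0/24 dev enxf8e43b9df776 proto kernel scope link src 10.1.2.1
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.50 metric 600'

# Case A: full tunnel pushed as two /1 routes; the /24 to the board still wins.
ROUTES_AFTER_A="0.0.0.0/1 dev cscotun0 scope link
$ROUTES_BEFORE
128.0.0.0/1 dev cscotun0 scope link"

# Case B: the VPN also pushed a host route for the board; the /32 wins.
ROUTES_AFTER_B="$ROUTES_AFTER_A
10.1.2.3 dev cscotun0 scope link"

# Demo on the constructed tables (a failing check prints but does not abort).
check_lan_route "$ROUTES_BEFORE" "$ROUTES_AFTER_A" 10.1.2.3 enxf8e43b9df776 || true
check_lan_route "$ROUTES_BEFORE" "$ROUTES_AFTER_B" 10.1.2.3 enxf8e43b9df776 || true
```

On the real machine, run snapshot_routes_live routes.before, connect, run snapshot_routes_live routes.after, then check_lan_route "$(cat routes.before)" "$(cat routes.after)" 10.1.2.3 enxf8e43b9df776. Case B is the easy outcome: a more specific route won, and the table itself explains the failure. Case A is the one the question describes: the /24 to the board is untouched yet ping still fails, which means the block is enforced somewhere other than routing. That is why the links above go after the client's LocalLanAccess setting, an LD_PRELOAD override of the client's own function, or a different client, rather than after the route table.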

1 Answer

Solved!

Use openconnect via the openconnect-sso wrapper instead! Cisco AnyConnect intentionally blocks LAN access.

Basic usage of openconnect-sso:

VPN_SERVER_ADDRESS="myvpn.whatever.com"   # example server address to connect to
VPN_SAML_GROUP="whatever-saml-whatever"   # example SAML group name
VPN_USER="[email protected]"      # example username
# or perhaps just this for the username:
# VPN_USER="my.username"

# connect via openconnect-sso

# The first time ever, you must specify everything
openconnect-sso --server "${VPN_SERVER_ADDRESS}/${VPN_SAML_GROUP}" --user "${VPN_USER}"

# Subsequent connection attempts can be done with just this, since apparently
# the server address, SAML group, and username are cached after the first usage
openconnect-sso

For full details, screenshots, and installation instructions, see my answer here: How to use "openconnect" (via the openconnect-sso wrapper) with SAML and Duo two-factor authentication via Okta Single-Sign-on (SSO)