
I'm trying to make my Synology DS212 NAS box also act as a VPN gateway to my company's VPN. Sadly, they only use Cisco ASA and, to complicate stuff even further, we've got to use personal certificates (which is of course more secure, but more complicated to get going…).

So I compiled OpenConnect v4.06 from http://www.infradead.org/openconnect/. As a very basic test, I tried to build a connection by manually invoking openconnect, passing along the key and cert files, like so:

/lib/ld-linux.so.3 --library-path /opt/lib \
 /opt/openconnect/sbin/openconnect \
  --certificate=$VPN_CFG/alexander.crt \
  --sslkey=$VPN_CFG/alexander.key \
  --cafile=$VPN_CFG/Company_VPN_CA.crt \
  --user=alexander --verbose <ip>:443

It fails :(

Attempting to connect to <ip>:443
Using certificate file $VPN_CFG/alexander.crt
Using client certificate '/CN=alexander@tech.doma.in/OU=Company VPN'
5919:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1315:
Loading private key failed (see above errors)
Loading certificate failed. Aborting.
Failed to open HTTPS connection to <ip>
Failed to obtain WebVPN cookie

When I run the same command with the same cert/key files on a Ubuntu 12.04 box, it works:

openconnect \
 --certificate=$VPN_CFG/alexander.crt \
  --sslkey=$VPN_CFG/alexander.key \
  --cafile=$VPN_CFG/Company_VPN_CA.crt \
  --user=alexander --verbose <ip>:443
Attempting to connect to <ip>:443
Using certificate file $VPN_CFG/alexander.crt
Extra cert from cafile: '/CN=Company AG VPN CA/O=Company AG/L=Zurich/ST=ZH/C=CH'
SSL negotiation with <ip>
Server certificate verify failed: self signed certificate

Certificate from VPN server "<ip>" failed verification.
Reason: self signed certificate
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on <ip>
GET https://<ip>/
[…]

Well… The error on the NAS is this:

5919:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1315:

Any ideas what's causing this?

On Syno, I use OpenConnect 4.06. On Ubuntu, I also just compiled OpenConnect 4.06 and installed it to a custom location.

Thanks, Alexander

Hennes
alexs77

2 Answers

I had the same problem, and I could solve it by manipulating the private key PEM file a little bit. It contained the usual header and footer boilerplate

"-----BEGIN PRIVATE KEY-----"

"-----END PRIVATE KEY-----"

This was perfectly valid for verification with openssl; I could get sane output from the openssl command.

openssl rsa -in private.key -noout -text

But for openconnect it was not specific enough.

I changed the boilerplate to

"-----BEGIN RSA PRIVATE KEY-----"

"-----END RSA PRIVATE KEY-----"

i.e. I added the "RSA" identifier (of course without the quotes in the PEM file).

tseeling
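To show concretely what the header edit in this answer is papering over, here is an added example written for this page (it is not code from the question, the answer, or the OpenConnect project) in plain Python with only the standard library. It parses a PEM private key, checks whether the DER payload is a PKCS#1 RSAPrivateKey (the "RSA PRIVATE KEY" label) or a PKCS#8 PrivateKeyInfo (the "PRIVATE KEY" label), and unwraps PKCS#8 into PKCS#1 so that the label and the contents agree. The "wrong tag" error in the question is exactly this mismatch: a decoder expecting RSAPrivateKey reads the version INTEGER and then hits the AlgorithmIdentifier SEQUENCE where it wanted the INTEGER modulus. The sample key is constructed with toy integers purely to exercise the ASN.1 structure and is not a usable RSA key.

```python
"""Inspect a PEM private key and unwrap PKCS#8 into PKCS#1 'RSA PRIVATE KEY'.

Added example for this page, not from the original question or answer.
Standard library only, so it runs offline; the sample key is a constructed
toy with tiny integers (not a real key) used only to exercise the structure.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption


def der_len(data, pos):
    """Decode a DER length at data[pos]; return (length, index of the content)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def tlv(data, pos=0):
    """Read one tag-length-value at pos; return (tag, content, index after it)."""
    tag = data[pos]
    length, start = der_len(data, pos + 1)
    return tag, data[start:start + length], start + length


def classify_der(der):
    """Return 'pkcs1' or 'pkcs8' from the element that follows the version INTEGER.

    RSAPrivateKey:  SEQUENCE { INTEGER version, INTEGER n, ... }
    PrivateKeyInfo: SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }
    A PKCS#1 decoder fed PKCS#8 sees tag 0x30 where it expects 0x02: "wrong tag".
    """
    tag, body, _ = tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    vtag, _, after_version = tlv(body)
    if vtag != 0x02:
        raise ValueError("first element is not a version INTEGER")
    second_tag = body[after_version]
    if second_tag == 0x02:
        return "pkcs1"
    if second_tag == 0x30:
        return "pkcs8"
    raise ValueError("unrecognised private key structure (tag 0x%02x)" % second_tag)


def unwrap_pkcs8(der):
    """Extract the RSAPrivateKey DER from a PKCS#8 PrivateKeyInfo (rsaEncryption only)."""
    _, body, _ = tlv(der)
    _, _, pos = tlv(body)                 # skip version
    algtag, alg, pos = tlv(body, pos)     # AlgorithmIdentifier
    oidtag, oid, _ = tlv(alg)
    if algtag != 0x30 or oidtag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption PKCS#8 key")
    keytag, key, _ = tlv(body, pos)       # OCTET STRING wrapping the RSAPrivateKey
    if keytag != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    return key


def parse_pem(text):
    """Return (label, DER bytes) of the first PEM block in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode(m.group(2))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def inspect(text):
    """Return (PEM label, actual structure) so a label/content mismatch is visible."""
    label, der = parse_pem(text)
    return label, classify_der(der)


def to_rsa_pem(text):
    """Rewrite a key so that label and DER agree as PKCS#1 'RSA PRIVATE KEY'."""
    label, der = parse_pem(text)
    if classify_der(der) == "pkcs8":
        der = unwrap_pkcs8(der)           # convert the body, not just the label
    return to_pem("RSA PRIVATE KEY", der)


# --- constructed sample: a toy RSAPrivateKey (p=61, q=53, e=17) wrapped in PKCS#8 ---
def der_enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(v):
    return der_enc(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_constructed_pkcs8():
    # version, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p  (toy values)
    rsa = der_enc(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
    alg = der_enc(0x30, der_enc(0x06, RSA_OID) + der_enc(0x05, b""))
    return der_enc(0x30, der_int(0) + alg + der_enc(0x04, rsa))


SAMPLE_PKCS8_PEM = to_pem("PRIVATE KEY", build_constructed_pkcs8())

if __name__ == "__main__":
    print("input :", inspect(SAMPLE_PKCS8_PEM))
    fixed = to_rsa_pem(SAMPLE_PKCS8_PEM)
    print("output:", inspect(fixed))
    print(fixed)
```

With the real toolchain, `openssl rsa -in private.key -out private-rsa.key` performs the same PKCS#8-to-PKCS#1 conversion (on OpenSSL 3 add `-traditional`, since it otherwise writes PKCS#8 again), which is safer than editing the label by hand: the label-only edit works in practice because OpenSSL falls back to trying PKCS#8 when an RSA-labelled body does not decode as RSAPrivateKey, and a file whose label and contents agree does not depend on that fallback.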

I would recommend that you try connecting to your Cisco AnyConnect network via a normal Linux distribution first, for instance Ubuntu.

$ sudo openconnect http://$gateway/Full-Access --script /etc/vpnc/vpnc-script --user $USERNAME

That is how I log in via openconnect to my AnyConnect installation.

You need to install both openconnect and vpnc for this to work.