How To - use OpenConnect and Cisco ASA Firewall with untrusted Certificate
- IGEL Community
- May 31, 2023
- 1 min read
Written by Kolja Knispel, IGEL COMMUNITY MEMBER
This use case worked only at the command line, where it was possible to accept an untrusted certificate presented by the Cisco ASA and to manually choose a VPN user group.
This was not possible in the OpenConnect GUI, so Konstantin Fritzenwallner created a script that is delivered in a profile.

The profile has adjustable environment variables for the certificate hash and the authgroup. You can display the hash of a certificate with this command:
openssl x509 -fingerprint -noout -in /wfs/zert.pem | sed 's/://g'
or read it from the certificate details in a browser (deleting the ":" separators). This way it also works in the GUI.
You can find the clean profile below. Please be aware that this is not officially supported by IGEL.
Read more here: https://igelcommunity.slack.com/archives/C9XFWLXA8/p1681744426946219?thread_ts=1681744426.946219&cid=C9XFWLXA8