MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.
The VPN client was unable to successfully verify the IP forwarding table modification. A VPN connection will not be established.
I started running into an issue using Cisco AnyConnect on my Mac: it complained that it was unable to verify its changes to the IP forwarding table and refused to connect. This was on 4.6.x. Since my VPN endpoints were not providing me with an updated client and I had no access to Cisco AnyConnect downloads, my only option was to try openconnect, which speaks the same AnyConnect protocol to the same gateways. It was totally worth it; here is why and how to set it up.
PreReqs:
Installing OpenConnect:
- Launch MacOS Terminal
- brew install openconnect
The one thing you need from the old client is the address of your VPN gateway. It is typically in the AnyConnect profile XML files located here:
/opt/cisco/anyconnect/profile/somethingsomething.xml
In the XML file, you are looking for the "<HostAddress>typicallyaDNSName.com</HostAddress>" entries (one per <HostEntry>). These are your VPN endpoints, and that host name is what you pass to openconnect.
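As an added example (not part of the original post), here is a small shell helper that pulls every HostAddress out of one or more profile files, so you do not have to read the XML by hand. The sample profile it writes is constructed for this example; the gateway names and the temporary file path are placeholders, and your real profiles live under /opt/cisco/anyconnect/profile/.

```shell
#!/bin/sh
# Added example: list AnyConnect gateways from profile XML files.

# Write a constructed sample profile (hypothetical gateways) to the path given.
make_sample_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Backup VPN</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
EOF
}

# Print one gateway host name per line for each profile file given.
# grep -o isolates each <HostAddress>...</HostAddress> element; sed strips the tags.
vpn_gateways() {
  for f in "$@"; do
    grep -o '<HostAddress>[^<]*</HostAddress>' "$f" \
      | sed -e 's|<HostAddress>||' -e 's|</HostAddress>||'
  done
}

# Build the openconnect command line for the first gateway found in the profiles.
# (Only prints it; openconnect itself needs root, see the sudo section below.)
vpn_connect_cmd() {
  first=$(vpn_gateways "$@" | head -n 1)
  [ -n "$first" ] || { echo "no HostAddress found" >&2; return 1; }
  echo "sudo openconnect https://$first"
}
```

Usage against the real profiles: `vpn_gateways /opt/cisco/anyconnect/profile/*.xml` prints the candidate gateways, and `vpn_connect_cmd /opt/cisco/anyconnect/profile/*.xml` prints the command to run for the first one.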
Using OpenConnect:
For the sake of simplicity right now, you would just type in your macOS Terminal (openconnect needs root to create the tunnel interface and change the routing table, hence sudo):
- sudo openconnect https://typicallyaDNSName.com
It prompts for your username, password and any second factor, just as the AnyConnect client did, and stays in the foreground until you press Ctrl-C to disconnect.
Optional/Alternative OpenConnect:
- brew cask install openconnect-gui
- On current Homebrew the cask syntax is brew install --cask openconnect-gui
Stoken
Some extra interesting things you can do with openconnect: integrate it with your RSA SecurID software token using a tool called stoken. To install, use brew once again.
- brew install stoken
Once you have imported your token with stoken import, openconnect can generate the tokencode itself at login time with --token-mode=rsa instead of you typing it from the RSA app.
OpenConnect sudo password bypass
OpenConnect has to run as root; there is no way around that. What you can avoid is typing your password every time, by adding a sudoers rule. To do this safely, use visudo with -f so a syntax error cannot lock you out of sudo. I created two config files. One for an alias and one granting my account the ability to run that alias without a password.
- sudo visudo -f /etc/sudoers.d/openconnect
- Cmnd_Alias OPENCONNECT = /usr/local/bin/openconnect
- Above assumes you installed via brew on an Intel Mac. The path would be different if it was installed by other means (for example /opt/homebrew/bin/openconnect on Apple Silicon; check with which openconnect).
- sudo visudo -f /etc/sudoers.d/sudouser
- yourusername ALL=(ALL:ALL) NOPASSWD: OPENCONNECT
Two caveats. Files in /etc/sudoers.d must be root-owned and mode 0440, and sudo ignores any file there whose name contains a "." or ends in "~", so keep the names plain. More importantly, openconnect's -s/--script option runs whatever program you name as root, so a NOPASSWD rule on the bare binary is in effect passwordless root for that account and for anything running as it; if that bothers you, pin the allowed arguments in the alias.
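As an added example (not from the original post), here is a single sudoers.d file that does what the two files above do, alongside a tighter variant that pins the arguments. It assumes the Homebrew path /usr/local/bin/openconnect, the account name yourusername and the placeholder gateway vpn.example.com; adjust all three.

```sudoers
# Added example: /etc/sudoers.d/openconnect (create with: sudo visudo -f /etc/sudoers.d/openconnect)

# Permissive form, as in the post: any openconnect invocation with any arguments.
# Because -s/--script runs an arbitrary program as root, this is effectively
# passwordless root for yourusername.
Cmnd_Alias OPENCONNECT = /usr/local/bin/openconnect

# Pinned form: sudoers compares the whole argument list, so only these exact
# command lines match and "-s ..." or "--script ..." is refused.
# (Placeholder gateway; if you use vpn-slice you need to list that exact command line too.)
Cmnd_Alias OPENCONNECT_PINNED = /usr/local/bin/openconnect https://vpn.example.com, \
                                /usr/local/bin/openconnect --token-mode=rsa https://vpn.example.com

# Grant one or the other, not both.
yourusername ALL=(root) NOPASSWD: OPENCONNECT_PINNED
```

Check the file before relying on it with sudo visudo -c, and confirm the effective rule with sudo -l as yourusername; a typo in the pinned argument list shows up there as a password prompt rather than an error.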
VPN-SLICE
This is a niche tool, but it is useful if you connect to different VPNs or sshuttle sessions throughout the day and do not want each one to grab your whole routing table. vpn-slice is a drop-in replacement for the vpnc-script that openconnect normally runs via -s/--script: instead of routing all traffic through the tunnel, it adds routes only for the hosts and subnets you name and writes those hosts into /etc/hosts with the addresses resolved through the VPN's DNS.
- brew install vpn-slice
- sudo openconnect https://yourvpnserverEndpoint -s 'vpn-slice my.intranet.local another.intranet.local'
You can also pass subnets in CIDR form (for example 10.0.0.0/8) in the same list. Since the script runs as root, the sudo caveat above applies here as well.