pfSense, as of 2016-03-01, does not support OpenConnect out of the box. However, it’s in the FreeBSD repository, and relatively easy to add:
Cisco AnyConnect Woes
Sorry to ask this slightly blindly, but has anyone had issues using Cisco AnyConnect SSL-VPN behind pfSense firewall? I've got a fresh out of the box config with pfSense and once I connect to my employer's anyconnect client, I can no longer access any public site via DNS.
Azure Multi-Factor Authentication Server (Azure MFA Server) can be used to seamlessly connect with various third-party VPN solutions. This article focuses on the Cisco® ASA VPN appliance, the Citrix NetScaler SSL VPN appliance, and the Juniper Networks Secure Access/Pulse Secure Connect Secure SSL VPN appliance. OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN, which is now known as Pulse Connect Secure. Palo Alto's GlobalProtect will also be supported in future, and of course OpenConnect's own server.
You can now play around with the openconnect command and test your connection.
Next step: Autostart, and adding the tun interface to the pfSense GUI. The GUI will, by default, ignore any interface named “tun*”, while openconnect will refuse to work with any interface not named “tun*”. Brilliant. The easiest workaround for this special case seems to be renaming the VPN interface after creation.
I made a script that automates checking if the connection is up, and (re-)starting it if it is not.
Replace the options in the “settings” section with appropriate values for your setup, and you should be good to go.
The “test” field should be a command that returns 0 when the connection is up, and anything else when it’s broken. I used netcat’s port testing feature on the remote desktop port of a server I needed to be able to connect to, but you can just as easily use things like ping with a limited count or similar.
Next, use crontab -e and add an entry to run the script regularly.
Again, replace the path and timing with your own preferred values.
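The watchdog the text describes, written out as an added example (it is not the post's own script): a "settings" block with a pluggable test command, a check-and-restart entry point for cron, and the rename of the freshly created tun interface to a name the GUI will accept. The gateway, user, password file, probe target, log and PID paths and the interface name ocvpnc1 are assumptions.

```shell
#!/bin/sh
# ocvpn.sh: cron-driven watchdog that keeps an OpenConnect tunnel up on
# pfSense/FreeBSD and renames its tun interface so the GUI will accept it.
# Added example, not the post's own script; gateway, user, paths, probe target
# and interface name are assumptions. Cron: */5 * * * * /root/ocvpn.sh check

# ---------- settings: replace with values for your setup ----------
VPN_HOST="${VPN_HOST:-vpn.example.com}"             # assumed AnyConnect/ocserv gateway
VPN_USER="${VPN_USER:-vpnuser}"
VPN_PASS_FILE="${VPN_PASS_FILE:-/root/ocvpn.pass}"  # root-only (chmod 600); never a CLI arg
VPN_IFACE="${VPN_IFACE:-ocvpnc1}"                   # non-tun* name the pfSense GUI will list
VPN_PIDFILE="${VPN_PIDFILE:-/var/run/ocvpn.pid}"
VPN_LOG="${VPN_LOG:-/var/log/ocvpn.log}"
# "test": exits 0 only while the tunnel works; here a TCP probe of an RDP host behind it
VPN_TEST_CMD="${VPN_TEST_CMD:-nc -z -w 5 10.10.0.5 3389}"
# "start": overridable so the restart logic can be exercised without a real VPN
VPN_START_CMD="${VPN_START_CMD:-start_openconnect}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$VPN_LOG"; }
vpn_is_up() { eval "$VPN_TEST_CMD" >/dev/null 2>&1; }   # 0 = up, anything else = broken

# Kill a stale openconnect, start a fresh one in the background, then rename the
# tun interface it created (the one absent before) to $VPN_IFACE for the GUI.
start_openconnect() {
    [ -f "$VPN_PIDFILE" ] && kill "$(cat "$VPN_PIDFILE")" 2>/dev/null
    before=" $(ifconfig -l) "
    openconnect --background --pid-file="$VPN_PIDFILE" --user="$VPN_USER" \
        --passwd-on-stdin "$VPN_HOST" <"$VPN_PASS_FILE" >>"$VPN_LOG" 2>&1 || return 1
    sleep 5                                    # give the tunnel time to come up
    new_tun=""
    for ifc in $(ifconfig -l); do
        case "$before" in *" $ifc "*) continue ;; esac
        case "$ifc" in tun*) new_tun=$ifc ;; esac
    done
    [ -n "$new_tun" ] && ifconfig "$new_tun" name "$VPN_IFACE"
}
# Watchdog entry point: 0 if the tunnel is (now) up, 1 if it could not be restored.
ensure_vpn() {
    if vpn_is_up; then return 0; fi
    log "tunnel test failed ($VPN_TEST_CMD); restarting openconnect"
    if eval "$VPN_START_CMD" && vpn_is_up; then
        log "tunnel restored on $VPN_IFACE"; return 0
    fi
    log "restart failed; tunnel still down"; return 1
}

case "${1:-}" in
    check) ensure_vpn ;;
    start) eval "$VPN_START_CMD" ;;
esac
```

With no argument the script only defines its functions, so the restart logic can be exercised by overriding VPN_TEST_CMD and VPN_START_CMD before calling ensure_vpn.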
With the connection established, you can now go ahead and add the interface in the “assignment” tab of the GUI and set up appropriate rules for it.
CAUTION: Adding an interface that’s not available at boot time to the GUI will cause pfSense to think something is wrong on subsequent reboots and ask you to configure interfaces. I am not currently aware of a workaround for this, other than to not add the interface, controlling rules directly from the script instead. Please use the workaround below to avoid this issue, and make sure to verify that it works before leaving a pfSense box at a remote site unattended.
Interface boot workaround
The following workaround was offered by “DJC” in the comments section:
- Install "Shellcmd" in the pfSense WebConfigurator: System => Package Manager => Available Packages, find Shellcmd and INSTALL.
- Navigate to Shellcmd: Services => Shellcmd.
- Add the following item in Shellcmd:
  Command: /sbin/ifconfig tun create; /sbin/ifconfig tun0 name ocvpnc1
  Shellcmd Type: earlyshellcmd
  Description: Create tunnel interface for OVPNC1 at boot