"AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."
There may be several reasons for this error, which you'll find on other pages that come up when you search for this string.
The reason I encountered seems to be unique. What I found by digging into a Wireshark capture is that AnyConnect sends a TLS alert to the server, disconnecting the session. The alert message says "Unknown CA".
It could have something to do with my recently installing the Firefox plugin "Certificate Patrol". AnyConnect apparently uses Firefox's certificate store. Perhaps Certificate Patrol does something to the store that makes it so that AnyConnect can no longer use it?
In case it matters, I'm on Ubuntu 10.04.
Whatever the cause, you can fix it by doing the following (Edit: see also a simpler method in a comment by Nathan below):
- Figure out the CA that signs your VPN server's certificate. (Hat tip to Didier Stevens for the easy way to do this.)
  - Fill in your server; I'm going to use www.google.com. (`>!` is the csh/zsh force-overwrite redirect; in bash use a plain `>`.)
        openssl s_client -connect www.google.com:443 >! /tmp/google
  - Hit ctrl-C.
  - Look at the issuer in the output saved to /tmp/google. For www.google.com it was "Thawte Consulting (Pty) Ltd.".
- Now search for "thawte root certificate". (Obviously this will vary depending on who signs your server's certificate.)
  - Go to the page where they list certificates. Download them all. (I tried downloading the one that looked like it matched the signature on my server's certificate, but I think you need everything down to the root in order to fully verify it. It's easier to just download everything than to try to figure out exactly which ones are needed.)
- Convert to PEM format. (Hat tip to Mozekoze for this recipe.)
        openssl x509 -in input.crt -out input.der -outform DER    # only if the certs are in .crt format
        openssl x509 -in input.der -inform DER -out output.pem -outform PEM
  (Note that many .crt files are already PEM-encoded; if the file starts with `-----BEGIN CERTIFICATE-----`, it can be copied as-is.)
- Copy all the PEM files to /opt/.cisco/certificates/ca. (Or to ~/.cisco/certificates/ca.)
  Alternatively, you could copy the certs out of the keystore on your machine, convert to PEM, and then copy the PEMs into the directory mentioned above. (On Ubuntu, you can see the certificates in the package ca-certificates. You could copy just the thawte certs by doing something like:
        cp $(dpkg -L ca-certificates | grep -i thawte) /tmp/certificate-conversion/
  )
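The procedure above, collected into shell helpers: dump the gateway's chain, read the issuer off it, convert whatever you downloaded to PEM, and check that the result actually verifies the server certificate before dropping it into the AnyConnect CA directory. This is an added example, not code from the original post; it assumes `openssl` and `awk` are installed, and the host, port and directory names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl and awk are
# installed; host, port and directory names below are placeholders.

# Save everything the gateway sends (leaf plus any intermediates) to a file.
# Usage: fetch_chain vpn.example.com 443 /tmp/chain.txt
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null > "$3"
}

# Split the s_client dump into cert-1.pem (the server's cert), cert-2.pem, ...
# Only the PEM blocks are kept; the rest of the s_client chatter is dropped.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out                           { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Print subject and issuer so the signing CA can be read off directly
# (the issuer of cert-1.pem is the CA you need to go looking for).
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Convert a downloaded certificate to PEM whatever its input encoding.
# Many .crt files are already PEM; DER files are re-encoded.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then inform=PEM; else inform=DER; fi
    openssl x509 -in "$1" -inform "$inform" -out "$2" -outform PEM
}

# Check the server cert against a directory of PEM CA files before copying
# them into /opt/.cisco/certificates/ca: a failure here is the same
# "unable to get local issuer certificate" condition that AnyConnect
# reports as "Unknown CA".
verify_leaf() {
    bundle=$(mktemp)
    cat "$2"/*.pem > "$bundle"
    openssl verify -CAfile "$bundle" "$1"
    status=$?
    rm -f "$bundle"
    return "$status"
}
```

Run `fetch_chain`, `split_chain`, and `cert_names cert-1.pem` to find the CA name, then `to_pem` each downloaded file into a scratch directory and `verify_leaf cert-1.pem scratchdir` before copying the PEMs into the AnyConnect directory.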
Three cheers for Wireshark, strace, openssl, and Google for helping figure out what was going on. Cisco could make things a little bit easier to figure out -- a decent diagnostic message would have been great. Just tell the user "Unknown CA"; it's already right there in the Wireshark trace.