The old Cisco VPN client software is unable to do modern encryption at any acceptable level (it is limited to Diffie-Hellman group 5, which is disabled in recent versions of ASA firmware), so it won’t work at all.
A modern alternative for Linux is to use Libreswan. I noodled out the configuration required and installed it on AlmaLinux 9, but Rocky and RHEL should be very similar. Ubuntu and Debian distros should be pretty similar but will have slightly different service scripts and file locations, I would guess. Here is the guide I built from my process.
Install libreswan using Yum or DNF
# sudo yum install libreswan -y
# sudo ipsec setup start
# sudo systemctl enable ipsec.service
# sudo vi /etc/ipsec.conf
Add this line, indented, inside the "config setup" section, under the big section of comments:
    ikev1-policy=accept
Save/write that file and verify the config and ipsec service status:
# sudo ipsec verify
It may show some warnings but, hopefully, no failures.
Create the secrets file with a meaningful name, such as vpngroupnameremote.secrets, to hold the group name and pre-shared key. If you want, you can also add your username and password for user authentication; otherwise it will make you enter your password each time. Use the 2 lines following the vi command below, or omit the second line if you want to be prompted for your password every time it connects. (Replace Your Actual PreShared Key, yourusername and Your Actual Password with the correct values.) The name vpngroupnameremote should match the VPN group name as configured on the Cisco ASA firewall for the IPsec VPN configuration.
# sudo vi /etc/ipsec.d/vpngroupnameremote.secrets
@vpngroupnameremote %any : PSK "Your Actual PreShared Key"
@yourusername : XAUTH "Your Actual Password"
# sudo ipsec auto --rereadsecrets
Now create the config file for the VPN connection profile with the text that follows the vi command below. (Replace yourusername with the correct username.)
# sudo vi /etc/ipsec.d/vpngroupnameremote.conf
conn vpngroupnameremote
    type=tunnel
    ikev2=never
    left=%defaultroute
    leftxauthclient=yes
    leftid=@vpngroupnameremote
    leftxauthusername=yourusername
    leftmodecfgclient=yes
    right=[IP Address or Hostname of the ASA Firewall]
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    aggrmode=yes
    authby=secret
    remote-peer-type=cisco
    rightxauthserver=yes
    rightmodecfgserver=yes
    salifetime=24h
    ikelifetime=24h
    dpdaction=restart
    dpdtimeout=60
    dpddelay=30
    rekey=yes
    auto=add
Now have the ipsec service ingest the new configuration and restart the service:
# sudo ipsec auto --add vpngroupnameremote
# sudo /bin/systemctl restart ipsec.service
Have the ipsec service attempt to bring up the tunnel:
# sudo ipsec auto --up vpngroupnameremote
Hopefully that should get the VPN connection going from the command line. If you encounter problems, you might need to make sure the firewall on the Linux computer allows outbound connections to the IP address or hostname of the Cisco ASA you are trying to connect to, so the connection will not be blocked.
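As an added example (not part of the original guide, and not code from Libreswan), this script checks the two files created above for the legacy settings this profile depends on and for loose handling of the secrets file. The function names, the finding labels and the sample files are made up for the illustration.

```shell
# Added example: flag legacy settings in a Libreswan conn file and unsafe
# handling of its secrets file. Function names and labels are hypothetical.

# conn_value FILE KEY: print the value of the last "KEY=value" line.
conn_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_conn FILE: print one finding per line, nothing if none apply.
audit_conn() {
    if [ "$(conn_value "$1" ikev2)" = never ]; then
        echo "ikev1-only: depends on ikev1-policy=accept in ipsec.conf"
    fi
    if [ "$(conn_value "$1" aggrmode)" = yes ] &&
       [ "$(conn_value "$1" authby)" = secret ]; then
        echo "aggressive-psk: use a long random pre-shared key"
    fi
    for key in ike phase2alg; do
        val=$(conn_value "$1" "$key")
        case $val in *sha1*|*md5*) echo "weak-hash: $key=$val" ;; esac
        case $val in *modp1024*|*modp1536*) echo "weak-dh: $key=$val" ;; esac
    done
    return 0
}

# audit_secrets FILE: check file mode and whether an XAUTH password is stored.
audit_secrets() {
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "loose-perms: run chmod 600 $1"
    fi
    if grep -q 'XAUTH' "$1"; then
        echo "stored-xauth: user password kept in cleartext on disk"
    fi
    return 0
}

# Constructed sample mirroring this guide's profile (placeholder values only).
demo=$(mktemp -d)
cat > "$demo/vpn.conf" <<'EOF'
conn vpngroupnameremote
    ikev2=never
    ike=aes256-sha1;modp2048
    aggrmode=yes
    authby=secret
EOF
printf '@vpngroupnameremote %%any : PSK "placeholder"\n' > "$demo/vpn.secrets"
audit_conn "$demo/vpn.conf"
audit_secrets "$demo/vpn.secrets"
rm -rf "$demo"
```

Once the real files exist, run audit_conn and audit_secrets as root against the ones under /etc/ipsec.d/.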
I would guess that a lot of the basic stuff there will translate to using Libreswan on any other modern Linux distro so hopefully that helps.