The apparently misleading error "The AnyConnect package on the secure gateway could not be located..."
means AnyConnect does in fact use the certificate you wanted it to use.
If your goal is to have the VPN connection work as expected, this is not a problem with how your certificate is installed for AnyConnect to use.
How to make the VPN connection actually work in this case is covered below, after the answer to your initial question.
The answer to your question:
AnyConnect checks various locations for certificate files, including those used by web browsers.
What complicates the issue is that there are different types of certificate files to check for, and each type has to go into a directory dedicated to its kind for AnyConnect to see it.
To manually install the certificate in a location where AnyConnect expects to find it, in your case do this:
openssl pkcs12 -in source.pfx -out exported.pem -nokeys
openssl pkcs12 -in source.pfx -out exported.key -nocerts
Use the same base name for the .pem and .key files.
It will ask you for the .pfx file password to produce both the .pem and .key files.
It will ask you to set a password for the .key file. There should be a password repeat prompt and no errors. AnyConnect will ask for this password after you press the Connect button, but before showing the login/password fields for connection authentication.
Either in your user home directory or in /opt, create these dirs:
.cisco/certificates/client
.cisco/certificates/client/private
You have to create these manually. AnyConnect's installer creates only the /opt/.cisco/certificates/ca directory.
Put the .pem file in the first directory created manually, and the .key file in the second one.
Now AnyConnect should be able to use these as expected, provided all directories and files have correct access rights.
These dirs are mentioned somewhere in Cisco's documentation (Create a PEM Certificate Store for Mac and Linux).
Don't be surprised to see the same error "The AnyConnect package on the secure gateway could not be located..." again. Read below.
How to make the VPN connection actually work the way you want it to:
In my case only using OpenConnect with the same key files has worked so far:
Create the .pem and .key files as described above, then do steps 4 and 5 from this site, which are:
apt-get install network-manager-openconnect-gnome
open Network Connections, go to the VPN tab, click New
select Cisco AnyConnect Compatible VPN (openconnect)
Gateway: [vpn.yourcompany.com]
User Certificate: [select your exported.pem]
Private key: [select your exported.key]
and now try connecting
(connecting through the network connection applet visible next to the clock should work just fine)
It worked for me on Xubuntu 14.04.
Why does AnyConnect not work but OpenConnect does?
From /var/log/syslog I found that AnyConnect tries to download something from the server on the other side but gets a 404 error several times and thus fails:
(...) acvpnui
(...) Description: CTRANSPORT_ERROR_HTTP_RETURNED_ERROR:The HTTP server returned an error code (>= 400) HTTP status code received 404
This error message means that AnyConnect tries to get something from the server on the other side after having successfully authenticated, and disconnects because the file (apparently necessary for it to work) is not available.
It looks like OpenConnect does not need this file.
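The export-and-install procedure from the answer above as one shell script, added here as an example and not part of the original answer or of Cisco's tooling. It runs the same two `openssl pkcs12` splits non-interactively, places the .pem and .key under `<store>/.cisco/certificates/client` and `.../client/private` (where `<store>` is your home directory or /opt), and checks that the certificate's public key really belongs to the exported private key, so a wrong or mismatched key is caught before you press Connect. The function names, the permission values (0700 on the private directory, 0600 on the key, an assumption about what "correct access rights" means) and the self-signed demo .pfx are all constructed for the example; a real client .pfx from your company's CA takes the demo bundle's place.

```shell
#!/bin/sh
# Added example (not from the original answer): split a .pfx into the PEM cert / encrypted key
# pair AnyConnect reads, install both under <store>/.cisco/certificates, and verify the pair.
set -eu

# export_pfx PFX PFXPASS OUTBASE KEYPASS
# Writes OUTBASE.pem (certificate only) and OUTBASE.key (private key re-encrypted with KEYPASS):
# the two interactive openssl commands from the answer, with the passwords passed on the command line.
export_pfx() {
  pfx=$1; pfxpass=$2; base=$3; keypass=$4
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nokeys -out "$base.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts \
    -passout "pass:$keypass" -out "$base.key"
}

# install_for_anyconnect OUTBASE STORE
# STORE is the parent of .cisco, i.e. "$HOME" or /opt. The permissions are an assumption about
# what "correct access rights" means: key and its directory owner-only, certificate world-readable.
install_for_anyconnect() {
  base=$1; store=$2
  name=$(basename "$base")
  certdir="$store/.cisco/certificates/client"
  keydir="$certdir/private"
  mkdir -p "$keydir"
  chmod 755 "$store/.cisco" "$store/.cisco/certificates" "$certdir"
  chmod 700 "$keydir"
  cp "$base.pem" "$certdir/$name.pem"
  cp "$base.key" "$keydir/$name.key"
  chmod 644 "$certdir/$name.pem"
  chmod 600 "$keydir/$name.key"
}

# keys_match PEM KEY KEYPASS
# Succeeds only if the public key inside the certificate equals the one derived from the private
# key; a mismatch (or a wrong KEYPASS) would otherwise surface as an opaque failure at connect time.
keys_match() {
  pem=$1; key=$2; keypass=$3
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$keypass" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_demo_pfx DIR PFXPASS
# Constructed test input: a throwaway self-signed certificate bundled as DIR/source.pfx,
# standing in for the real client .pfx issued by your company's CA.
make_demo_pfx() {
  dir=$1; pfxpass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-vpn-user" \
    -keyout "$dir/demo-key.pem" -out "$dir/demo-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/demo-cert.pem" -inkey "$dir/demo-key.pem" \
    -passout "pass:$pfxpass" -out "$dir/source.pfx"
}

# Stand-alone run: everything happens in a scratch directory that plays the role of the home store.
demo() {
  work=$(mktemp -d)
  make_demo_pfx "$work" pfx-secret
  export_pfx "$work/source.pfx" pfx-secret "$work/exported" key-secret
  install_for_anyconnect "$work/exported" "$work/home"
  keys_match "$work/home/.cisco/certificates/client/exported.pem" \
             "$work/home/.cisco/certificates/client/private/exported.key" key-secret
  echo "installed and verified under $work/home/.cisco/certificates"
}

demo
```

For a real bundle, call `export_pfx company.pfx "$PFX_PASS" exported "$KEY_PASS"` followed by `install_for_anyconnect exported "$HOME"` (or `/opt`, as root); the `.key` stays encrypted on disk, and the password you choose is the one AnyConnect prompts for before the login fields appear.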