opensource counterpart to anyconnect server?

David Woodhouse dwmw2 at infradead.org
Wed Jan 4 20:31:44 EST 2012


On Wed, 2012-01-04 at 19:37 -0500, KEN YAP wrote:
> I'm sure this must have been asked before, but is there an open source
> anyconnect *server* complementing openconnect client? I couldn't find
> anything with a search. This protocol is easier to deploy than openvpn
> due to the ability to tunnel via https. Is the protocol patent
> encumbered by Cisco or something like that?

I don't believe there are any patents covering the protocol. Even in the
corrupt and widely-abused US patent system, there's nothing in it that
could be patentable — it's all *entirely* obvious and trivial.

At http://redmine.lighttpd.net/issues/2060 there is a patch to lighttpd
which makes it support the CONNECT request that the AnyConnect protocol
uses to make the actual connection.

The other interesting part for the VPN itself is making sure OpenSSL can
support the speshul non-standard version of DTLS that Cisco uses, in
server mode as well as client mode.

Then it's just a matter of hooking up the authentication parts with
forms and cert checking as required, and issuing IP addresses. You'll
probably end up wanting to make it talk RADIUS.

I do have a dirty hack which I use for testing, but it's not even worth
sharing. It addresses none of the real issues that you'll have; it's
just a simple loop spawned from inetd, which checks for a hard-coded
cookie and then just opens a pre-configured tun device and passes
packets back and forth.

-- 
dwmw2
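The hack described above, a loop that checks a cookie on the CONNECT request and then shuttles packets between the TLS stream and a tun device, as an added Python example that is not code from the original post or from the OpenConnect project. It handles the CONNECT request with per-session random cookies compared in constant time instead of one hard-coded value, and parses the packet framing with a length bound so a malformed frame drops the connection rather than consuming memory. The /CSCOSSLC/tunnel path, the webvpn cookie name, the X-CSTP-* headers and the 8-byte "STF" packet header follow what the OpenConnect client implements and are not stated in this message, so verify them against the client source; the session table and addresses are constructed placeholders, and the DTLS side, tun I/O and RADIUS are left out.

```python
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple

# Constructed session table (cookie -> tunnel address). A real server would fill
# it after form/certificate auth or a RADIUS exchange, one random cookie per
# session; the value below is a placeholder, not a real credential.
SESSIONS: Dict[str, str] = {"constructed-session-cookie-0001": "10.8.0.2"}

def new_session(address: str) -> str:
    """Issue a fresh, unguessable cookie once a client has authenticated."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = address
    return cookie

def lookup_session(cookie: str) -> Optional[str]:
    """Find the session for a cookie without short-circuiting on a mismatch."""
    found = None
    for stored, address in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), cookie.encode()):
            found = address
    return found

def parse_connect(request: bytes) -> Tuple[str, Dict[str, str]]:
    """Split the CONNECT request line and headers; header names are lowercased."""
    head = request.partition(b"\r\n\r\n")[0].decode("ascii")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def session_cookie(headers: Dict[str, str]) -> Optional[str]:
    """Extract the webvpn= value from the Cookie header, if present."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "webvpn" and value:
            return value
    return None

def handle_connect(request: bytes) -> Tuple[bytes, Optional[str]]:
    """Return (HTTP response, tunnel address) or (error response, None)."""
    try:
        target, headers = parse_connect(request)
    except (ValueError, UnicodeDecodeError):
        return b"HTTP/1.1 400 Bad Request\r\n\r\n", None
    if target != "/CSCOSSLC/tunnel":
        return b"HTTP/1.1 404 Not Found\r\n\r\n", None
    cookie = session_cookie(headers)
    address = lookup_session(cookie) if cookie else None
    if address is None:
        return b"HTTP/1.1 401 Unauthorized\r\n\r\n", None
    response = ("HTTP/1.1 200 CONNECTED\r\n"
                "X-CSTP-Version: 1\r\n"
                f"X-CSTP-Address: {address}\r\n"
                "X-CSTP-Netmask: 255.255.255.0\r\n"
                "X-CSTP-MTU: 1406\r\n\r\n").encode("ascii")
    return response, address

# 8-byte packet header: 'STF', version 1, big-endian payload length, type, 0.
STF = struct.Struct("!3sBHBB")
PKT_DATA = 0
MAX_PAYLOAD = 16384  # bound what we are willing to buffer from one peer

def frame(payload: bytes, pkt_type: int = PKT_DATA) -> bytes:
    """Wrap one IP packet (read from the tun device) for the TLS stream."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    return STF.pack(b"STF", 1, len(payload), pkt_type, 0) + payload

def unframe_all(buf: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Pull every complete frame off the TLS receive buffer; return remainder."""
    frames: List[Tuple[int, bytes]] = []
    while len(buf) >= STF.size:
        magic, ver, length, pkt_type, _ = STF.unpack_from(buf)
        if magic != b"STF" or ver != 1 or length > MAX_PAYLOAD:
            raise ValueError("bad frame header; drop the connection")
        end = STF.size + length
        if len(buf) < end:
            break  # wait for the rest of this frame
        frames.append((pkt_type, buf[STF.size:end]))
        buf = buf[end:]
    return frames, buf

def tun_packets(frames: List[Tuple[int, bytes]]) -> List[bytes]:
    """Only data frames are written to the tun device; control frames are not."""
    return [payload for pkt_type, payload in frames if pkt_type == PKT_DATA]
```

In an inetd-style deployment the process would read the request from stdin (already inside TLS, if the listener terminates it), call handle_connect, write the response, and then loop calling unframe_all on whatever has arrived from the peer while wrapping each tun read with frame. The lookup walks every stored cookie with hmac.compare_digest rather than doing a plain dict lookup, so the response time does not depend on how much of a guessed cookie matched.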