Compatibility with Juniper SSL VPN?

Guillaume Rousse Guillaume.Rousse at inria.fr
Tue Dec 28 05:06:12 EST 2010


On 27/12/2010 17:49, David Woodhouse wrote:
> You'll have to start by showing us how the Juniper VPN works. Can you
> show the traffic between client and server? Is it HTTP-based? Can you
> point it at your own server or SSL MiTM proxy and show what it's
> actually doing?
OK, here is what I know about it (I can ask my network colleagues for
details if needed).

For the end-user, it works exactly like the Cisco solution: web-based
interface only for http tunneling, and 'automatic' deployment of a
native binary for other kinds of network traffic.
http://mad-scientist.us/juniper.html has a few screenshots of the
interface, and additional information about it.

The binary is setuid, and creates a tun interface for vpn traffic. From
ldd and strings output, it seems to be statically linked with openssl. I
made it available as http://www.zarb.org/~guillomovitch/ncsvc

Here is a network capture of a failed attempt to create the VPN. I'm a
bit reluctant to post the successful attempt capture publicly, even if
it seems to be https-only at first glance.

I'd gladly try to set up an SSL proxy, but I'd need additional
information for this. I quickly checked the openssl man page, it doesn't
seem to be possible with it. However, googling points me to
http://crypto.stanford.edu/ssl-mitm/. Is that the way to go?

-- 
BOFH excuse #197:

I'm sorry a pentium won't do, you need an SGI to connect with us.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: password.nok
Type: application/octet-stream
Size: 16049 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20101228/dec0e31c/attachment-0001.obj>