Juniper SSL VPN support
David Woodhouse
dwmw2 at infradead.org
Mon Jan 26 06:17:46 PST 2015
The HEAD of the OpenConnect git tree now contains basic support for the
Juniper SSL VPN which is ready for more widespread testing.
At a high level, this works very similarly to Cisco AnyConnect. The
authentication happens first with HTTP form submissions, eventually
resulting in an HTTP cookie which represents the session.
The actual connection is then made in a second stage, to the same HTTPS
service. Data packets can be transferred over the TCP connection but
there is a UDP data transport too which is used where possible.
The details are different — it's ESP instead of DTLS for the UDP data
transport, for example, and the TCP protocol appears to be fairly
baroque and horrid (and has a mixture of big-endian and little-endian),
but basically it's quite simple.
We now have support for data transport over both TCP and UDP, and
configuration of Legacy IP and split-include routing. There's a little
more work to be done on the remainder of the configuration, and so far I
haven't been able to test IPv6. We also lack support for compression
(which is LZO — there's an LGPL-compatible decompressor in libavutil,
but no compressor that I'm aware of. But I think it's OK just to send
uncompressed for now, as long as we can decompress what the server sends
us).
There are some details I haven't yet implemented — including
reconnecting the TCP socket if it gets disconnected, and logging off
cleanly to clear the session cookie. And keepalive on the UDP transport.
But those will come relatively soon.
The main area that needs work is authentication. While Cisco uses a
fairly simple XML schema for its authentication forms, with Juniper you
are expected to use a fully-functional web browser. We have HTML forms
which require JavaScript and Java (for the 'Host Checker') and all kind
of other horridness. Server admins can basically screw with the HTML
authentication setup as much as they like, even putting additional new
forms in the sequence which we don't recognise at all.
So far, OpenConnect only has basic support for interpreting the most
simple of these forms. If you are only asked for a username and
password, you're probably fine. If you have to run the Host Checker Java
tool, it can just about manage to cope with that too with an appropriate
--csd-wrapper.
For now, the more compatible option is Russ Dill's juniper-vpn.py from
https://github.com/russdill/juniper-vpn-py which will perform the
authentication slightly more capably and then just invoke 'openconnect
-C' to make the connection. We'll work on getting the functionality of
that script into OpenConnect natively.
There are still things that even Russ's script still can't handle, and
you might even need to run in a web browser with something like the Live
HTTP Headers plugin, and steal the DSID cookie that gets assigned when
you authenticate successfully. Then invoke OpenConnect with that, for
example:
openconnect -v -v $SERVER -C "DSID=xxx"
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20150126/a93c39d2/attachment.bin>
More information about the openconnect-devel
mailing list