The HEAD of the OpenConnect git tree now contains basic support for the Juniper SSL VPN which is ready for more widespread testing.

At a high level, this works very similarly to Cisco AnyConnect. The authentication happens first with HTTP form submissions, eventually resulting in an HTTP cookie which represents the session. The actual connection is then made in a second stage, to the same HTTPS service. Data packets can be transferred over the TCP connection but there is a UDP data transport too which is used where possible. The details are different: it's ESP instead of DTLS for the UDP data transport, for example, and the TCP protocol appears to be fairly baroque and horrid (and has a mixture of big-endian and little-endian), but basically it's quite simple.

We now have support for data transport over both TCP and UDP, and configuration of Legacy IP and split-include routing. There's a little more work to be done on the remainder of the configuration, and so far I haven't been able to test IPv6. We also lack support for compression (which is LZO; there's an LGPL-compatible decompressor in libavutil, but no compressor that I'm aware of. But I think it's OK just to send uncompressed for now, as long as we can decompress what the server sends us). There are some details I haven't yet implemented, including reconnecting the TCP socket if it gets disconnected, and logging off cleanly to clear the session cookie. And keepalive on the UDP transport. But those will come relatively soon.

The main area that needs work is authentication. While Cisco uses a fairly simple XML schema for its authentication forms, with Juniper you are expected to use a fully-functional web browser. We have HTML forms which require JavaScript and Java (for the 'Host Checker') and all kind of other horridness. Server admins can basically screw with the HTML authentication setup as much as they like, even putting additional new forms in the sequence which we don't recognise at all.
So far, OpenConnect only has basic support for interpreting the most simple of these forms. If you are only asked for a username and password, you're probably fine. If you have to run the Host Checker Java tool, it can just about manage to cope with that too with an appropriate --csd-wrapper.

For now, the more compatible option is Russ Dill's juniper-vpn.py from https://github.com/russdill/juniper-vpn-py which will perform the authentication slightly more capably and then just invoke 'openconnect -C' to make the connection. We'll work on getting the functionality of that script into OpenConnect natively.

There are still things that even Russ's script can't handle, and you might even need to run in a web browser with something like the Live HTTP Headers plugin, and steal the DSID cookie that gets assigned when you authenticate successfully. Then invoke OpenConnect with that, for example:

openconnect -v -v $SERVER -C "DSID=xxx"

-- 
dwmw2
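The last step above, taking the DSID session cookie that the browser was given and handing it to 'openconnect -C', is easy to get wrong by hand (wrong host, a stale cookie from another session, a tab lost in copy-paste). The following is an added example, not code from the original post and not part of OpenConnect or juniper-vpn-py: it reads a Netscape-format cookies.txt file (the tab-separated format most browser cookie-export tools write) and pulls out the DSID value for one named VPN host. The host name vpn.example.com and the cookie jar it writes are constructed for the example; the cookie values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, not part of OpenConnect).
# Extracts the Juniper DSID session cookie for one VPN host from a
# Netscape-format cookie jar and builds the argument for "openconnect -C".

# write_sample_jar FILE
# Writes a constructed cookie jar in Netscape format:
#   domain  include-subdomains  path  secure  expiry  name  value
# (tab-separated). Two hosts are present so the lookup has to match on host.
write_sample_jar() {
    {
        printf '# Netscape HTTP Cookie File\n'
        printf '%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' \
            vpn.example.com DSID 0123456789abcdef0123456789abcdef
        printf '%s\tFALSE\t/dana-na/\tTRUE\t0\t%s\t%s\n' \
            vpn.example.com DSFirstAccess 1422230400
        printf '%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' \
            other.example.org DSID ffffffffffffffffffffffffffffffff
    } > "$1"
}

# dsid_from_jar HOST FILE
# Prints the DSID value recorded for exactly HOST; returns 1 if none.
# Comment lines and lines with fewer than seven fields are ignored, so a
# hand-edited or partially exported jar does not yield a wrong cookie.
dsid_from_jar() {
    host=$1
    jar=$2
    value=$(awk -F '\t' -v host="$host" '
        /^#/ || NF < 7 { next }
        $1 == host && $6 == "DSID" { print $7; exit }
    ' "$jar")
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# cookie_arg HOST FILE
# Prints the string OpenConnect expects after -C, i.e. "DSID=<value>".
cookie_arg() {
    v=$(dsid_from_jar "$1" "$2") || return 1
    printf 'DSID=%s\n' "$v"
}

# Usage, runs offline: write the constructed jar, then extract the cookie.
jar=${TMPDIR:-/tmp}/example-cookies.txt
write_sample_jar "$jar"
cookie_arg vpn.example.com "$jar"   # prints DSID=0123456789abcdef0123456789abcdef
```

The DSID value is the whole session, so once extracted it deserves the same handling as a password. Passing it on the command line, as in the post's example, leaves it visible in the process list for the life of the connection; OpenConnect also accepts the cookie on standard input via --cookie-on-stdin, so `cookie_arg vpn.example.com "$jar" | openconnect --cookie-on-stdin vpn.example.com` keeps it out of `ps` output and shell history.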