Signed-off-by: Daniel Lenski <dlenski at gmail.com> --- openconnect.8.in | 48 ++++++++++++++++++++++++++++-------------------- www/globalprotect.xml | 2 +- 2 files changed, 29 insertions(+), 21 deletions(-) diff --git a/openconnect.8.in b/openconnect.8.in index 5e1b933..9f46b30 100644 --- a/openconnect.8.in +++ b/openconnect.8.in @@ -1,6 +1,6 @@ .TH OPENCONNECT 8 .SH NAME -openconnect \- Connect to Cisco AnyConnect VPN +openconnect \- Multi-protocol VPN client, for Cisco AnyConnect VPNs and others .SH SYNOPSIS .SY openconnect .OP \-\-config configfile 
@@ -72,23 +72,32 @@ openconnect \- Connect to Cisco AnyConnect VPN .SH DESCRIPTION The program .B openconnect -connects to Cisco "AnyConnect" VPN servers, which use standard TLS -and DTLS protocols for data transport. +connects to VPN servers which use standard TLS/SSL, DTLS, and ESP +protocols for data transport. + +It was originally written to support Cisco "AnyConnect" VPN servers, +and has since been extended with experimental support for Juniper +Network Connect and Junos Pulse VPN servers +.RB ( \-\-protocol=nc ) +and PAN GlobalProtect VPN servers +.RB ( \-\-protocol=gp ). The connection happens in two phases. First there is a simple HTTPS connection over which the user authenticates somehow \- by using a certificate, or password or SecurID, etc. Having authenticated, the -user is rewarded with an HTTP cookie which can be used to make the +user is rewarded with an authentication cookie which can be used to make the real VPN connection. -The second phase uses that cookie in an HTTPS -.I CONNECT -request, and data packets can be passed over the resulting -connection. In auxiliary headers exchanged with the -.I CONNECT -request, a Session\-ID and Master Secret for a DTLS connection are also -exchanged, which allows data transport over UDP to occur. - +The second phase uses that cookie to connect to a tunnel via HTTPS, +and data packets can be passed over the resulting connection. When +possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while +Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel +may be disabled with +.BR \-\-no\-dtls , +but is preferred when correctly supported by the server and network +for performance reasons. (TCP performs poorly and unreliably over +TCP-based tunnels; see +.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .) .SH OPTIONS .TP 
@@ -147,11 +156,10 @@ Disable all compression. Set compression mode, where .I MODE is one of -.I "stateless" -, -.I "none" -, or -.I "all". +.IR "stateless" , +.IR "none" , +or +.IR "all" . By default, only stateless compression algorithms which do not maintain state from one packet to the next (and which can be used on UDP transports) are @@ -159,7 +167,7 @@ enabled. By setting the mode to .I "all" stateful algorithms (currently only zlib deflate) can be enabled. Or all compression can be disabled by setting the mode to -.I "none". +.IR "none" . .TP .B \-\-force\-dpd=INTERVAL Use @@ -250,7 +258,7 @@ Passphrase for certificate file is automatically generated from the .I fsid of the file system on which it is stored. The .I fsid -is obtained from the +is obtained from the .BR statvfs (2) or .BR statfs (2) @@ -374,7 +382,7 @@ setting. .TP .B \-\-no\-dtls -Disable DTLS +Disable DTLS and ESP .TP .B \-\-no\-http\-keepalive Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget diff --git a/www/globalprotect.xml b/www/globalprotect.xml index 6de116e..ee45819 100644 --- a/www/globalprotect.xml +++ b/www/globalprotect.xml @@ -38,7 +38,7 @@ tunnel configuration information (<tt>POST /ssl-vpn/getconfig.esp</tt>).</p> </ol> <p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP over -TCP is very suboptimal</a>, OpenConnect tries to always use ESP-over-ESP, +TCP is very suboptimal</a>, OpenConnect tries to always use ESP-over-UDP, and will only fall over to the HTTPS tunnel if that fails, or if disabled via the <tt>--no-dtls</tt> argument.</p> -- 2.7.4
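Review bot: In the DESCRIPTION hunk of openconnect.8.in, the sentence "The UDP tunnel may be disabled with --no-dtls" leaves it to the reader to infer that an option named after DTLS also turns off the ESP transport used by Juniper and GlobalProtect; only the later OPTIONS hunk ("Disable DTLS and ESP") makes that explicit. Suggest saying it here too, for example "may be disabled with .BR \-\-no\-dtls (which, despite its name, also disables ESP)". The parenthetical "TCP performs poorly and unreliably over TCP-based tunnels" would also read more clearly as "TCP-over-TCP tunnelling performs poorly and unreliably", matching the wording already used in www/globalprotect.xml.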
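Review bot: In the --no-dtls hunk of openconnect.8.in, "Disable DTLS and ESP" states what is switched off but not the consequence; since this is the only place an operator looks for the option, suggest spelling out that it disables the UDP tunnel (DTLS for AnyConnect, ESP for Juniper and GlobalProtect) and that all traffic then falls back to the HTTPS tunnel, which is the behaviour the DESCRIPTION hunk already describes. In the www/globalprotect.xml hunk, the unchanged context line "will only fall over to the HTTPS tunnel" looks like it should read "fall back to"; worth fixing while this paragraph is being touched.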