Re: SonicWall SMA support in openconnect?

On Fri, Apr 19, 2019 at 2:21 PM Nikos Mavrogiannopoulos
<n.mavrogiannopoulos@xxxxxxxxx> wrote:
> On April 18, 2019 3:27:53 PM UTC, Daniel Lenski <dlenski@xxxxxxxxx> wrote:
> >
> >3. OpenConnect currently supports the three most widely-deployed SSL
> >VPNs in the USA (AnyConnect, Juniper, and GlobalProtect, in that
> >order) based on my attempts to survey a bunch of S&P 500 companies and
> >university websites using what-vpn
> >(https://github.com/dlenski/what-vpn). Microsoft SSTP and Barracuda
> >appear to be the next most common. I wasn't able to find enough
> >examples of SonicWall VPNs to add a reliable "sniffer" for them, but I
> >suspect it's a fairly niche/rare VPN.
>
> These are quite interesting figures even if crude. Does this search cover openvpn or ipsec use?
>

It's TLS only, including OpenVPN over TLS, but definitely not IPSEC.
(Adding sniffing methods for non-TLS-based VPNs is on my TODO list,
although ike-scan already does that pretty well:
https://github.com/dlenski/what-vpn#todo)

Basically, I took a bunch of likely VPN servers for big companies
({ssl-vpn,vpn,sslvpn}.bigcorp.com) and for US universities
({ssl-vpn,vpn,sslvpn}.university.edu) and ran what-vpn on all of 'em.
Here's a lightly cleaned-up summary of the results:

       1  Check Point
       1  Citrix (manually inspected, don't know how to reliably autodetect)
       1  OpenVPN
       5  Dell or SonicWall (manually inspected, don't know how to reliably autodetect)
       7  Fortinet
       7  Barracuda
       8  F5 (manually inspected, don't know how to reliably autodetect)
      14  SSTP
*     53  PAN GlobalProtect (portal and/or gateway)
*     72  Juniper Network Connect
*    243  Cisco AnyConnect (including 1 ocserv)
   ~4000  DNS error, TLS error, timeouts, some page that's not a VPN front-end, etc.

Assuming these results to be roughly representative of deployment of
"SSL VPNs" in general, it seems that OpenConnect already supports >80%
of SSL VPN servers. I would guess that the total number of IPSEC-based
VPNs is /at least as large/ as the total number of SSL VPNs.

- Microsoft SSTP is a nigh-obsolete monstrosity in which PPP is
glommed onto a TLS v1.0 transport, and it is actually pretty
well-supported via Linux kernel ppp with sstp-client
(http://sstp-client.sourceforge.net/).
- AFAICT, CheckPoint is really "all IPSEC", with a very thin TLS
compatibility veneer
(https://gitlab.com/openconnect/openconnect/issues/13#note_128429733)
- OpenVPN obviously has good open-source clients, even though I prefer
the hackability and configurability of OpenConnect.

If OpenConnect's goal is to allow connecting to nearly all the
commercial SSL VPNs using a user-space open-source front end, then F5,
Barracuda, Fortinet, and Dell+SonicWall are the obvious next protocols
to target. I'm not 100% sure that all of these actually provide
generic end-to-end IP connectivity… anything that doesn't probably
should be excluded.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
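The survey above boils down to three steps: expand each base domain into the {ssl-vpn,vpn,sslvpn} candidate hostnames, record what the fingerprinter reports for each, and tally the results against the set of protocols OpenConnect supports. The script below is an added example reproducing that tally, not code from the thread or from what-vpn; the tab-separated "hostname<TAB>result" input format and the sample hosts are constructed for illustration and are not what-vpn's real output format. Fed the counts quoted in the message, `coverage()` gives the ">80%" figure (368 of 412 identified front-ends, about 89%).

```python
"""Tally VPN-fingerprint survey results the way the summary in this thread does.

Added example (not from the original message or from what-vpn). The input format
is CONSTRUCTED: a tab-separated "hostname<TAB>result" list, not what-vpn's own
output; an empty result stands for "DNS/TLS error, timeout, not a VPN front-end".
"""
from collections import Counter
from itertools import product

# Hostname pattern the survey used: {ssl-vpn,vpn,sslvpn}.<domain>
PREFIXES = ("ssl-vpn", "vpn", "sslvpn")

# Protocols OpenConnect supported when the thread was written (per the message).
SUPPORTED = {"Cisco AnyConnect", "Juniper Network Connect", "PAN GlobalProtect"}

# Single bucket for everything that is not an identified VPN front-end, matching
# the "~4000 DNS error, TLS error, timeouts, ..." line of the summary.
UNKNOWN = "not a VPN front-end / error"


def candidate_hosts(domains):
    """Expand each base domain into the three candidate VPN hostnames, in order."""
    return [f"{p}.{d}" for d, p in product(domains, PREFIXES)]


def tally(lines):
    """Count results per detected VPN type; empty or unparseable results -> UNKNOWN."""
    counts = Counter()
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip() or line.startswith("#"):
            continue
        _host, _, result = line.partition("\t")
        result = result.strip()
        counts[result if result else UNKNOWN] += 1
    return counts


def coverage(counts):
    """Fraction of *identified* VPN front-ends whose protocol OpenConnect supports."""
    identified = sum(n for k, n in counts.items() if k != UNKNOWN)
    supported = sum(n for k, n in counts.items() if k in SUPPORTED)
    return supported / identified if identified else 0.0


def summary(counts):
    """Render an ascending count summary; '*' marks protocols OpenConnect supports."""
    rows = sorted(counts.items(), key=lambda kv: kv[1])
    return "\n".join(
        f"{'*' if name in SUPPORTED else ' '} {n:6d}  {name}" for name, n in rows
    )


# Constructed sample survey output (placeholder hosts, not real scan data).
SAMPLE = """\
vpn.example-a.com\tCisco AnyConnect
ssl-vpn.example-a.com\t
sslvpn.example-a.com\t
vpn.example-b.edu\tJuniper Network Connect
vpn.example-c.com\tPAN GlobalProtect
vpn.example-d.com\tSSTP
vpn.example-e.com\tFortinet
ssl-vpn.example-e.com\tFortinet
vpn.example-f.edu\tCisco AnyConnect
sslvpn.example-g.com\t
"""

if __name__ == "__main__":
    c = tally(SAMPLE.splitlines())
    print(summary(c))
    print(f"OpenConnect coverage of identified SSL VPNs: {coverage(c):.0%}")
```

Note that `coverage()` deliberately excludes the error/"not a VPN" bucket from the denominator, which is how the message's ">80%" figure is reached; including the ~4000 non-responding hosts would say nothing about protocol support, only about how many guessed hostnames exist.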
