On Tue, Mar 24, 2020 at 4:59 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> On Mon, 2020-03-23 at 18:02 -0700, Daniel Lenski wrote:
> > One approach is to try to put together an anonymized document that
> > describes the protocol abstractly, like I did here for GlobalProtect
> > as I was studying it:
> > https://github.com/dlenski/openconnect/blob/master/PAN_GlobalProtect_protocol_doc.md
> >
> > The good news is that a lot of the information needed to add support
> > for Cisco IPSEC is probably right there in the headers of the CSTP
> > connection request/response which we already understand very well. Try
> > connecting to your server with `openconnect --dump -vvvv`, and start
> > looking for HTTP headers that mention IPSEC or ESP.
> >
> > It's all plain text at that point, so it should be quite
> > straightforward to identify and obfuscate anything that may be
> > sensitive (e.g. username, password, cookies, secret values).
>
> Isn't this the IKE-based one that is partly supported by vpnc

Your guess is as good as mine. ¯\_(ツ)_/¯

I have…

a) Actually used old Cisco VPNs that use IKEv1 for auth and configuration and ESP for data transport (with vpnc)

b) Actually used Cisco VPNs that use HTTPS for auth and DTLS and/or HTTPS for data transport (with OpenConnect)

c) Heard half-whispered legends alleging the existence of Cisco VPNs that use HTTPS for auth and ESP for data transport

d) Probably not heard of all of them, despite the fact that I spent a substantial fraction of my time figuring out how to connect to various VPNs from 2016-2019.

I guess we're going to find out if this is an (a) or a (c) or a (d).

This page* (https://www.cisco.com/c/en/us/support/docs/security/vpn-client/45102-vpnclientfaq.html#client) says “The AnyConnect client supports SSL and DTLS. It does not support IPsec at this time.”

Dan

* Though that page is also dated 2014, and its references to Windows Vista suggest it's older than that. It also makes some less-than-confidence-inspiring statements such as, “The languages supported on the Cisco VPN Client GUI versions later than 4.0 are Canadian, French, and Japanese.”
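The quoted message suggests capturing the CSTP exchange with `openconnect --dump -vvvv`, picking out headers that mention IPSEC or ESP, and scrubbing cookies and secrets before sharing the trace. The script below is an added example, not part of this thread or of OpenConnect itself: it walks a dump, redacts the values of sensitive-looking headers and collects the transport-related ones. The sample trace, including the `X-Example-IPSEC-Mode` header, is constructed for illustration and does not claim to match real server output.

```python
import re
from typing import List, Tuple

# Constructed sample in the spirit of an `openconnect --dump -vvvv` trace.
# Header names and values here are made up for this example, not real output.
SAMPLE_DUMP = """\
> POST /CSCOSSLC/tunnel HTTP/1.1
> Host: vpn.example.com
> Cookie: webvpn=0123456789abcdef
> X-DTLS-Master-Secret: deadbeefcafef00d
< HTTP/1.1 200 OK
< X-CSTP-MTU: 1406
< X-Example-IPSEC-Mode: esp-tunnel
< Set-Cookie: webvpnc=bu:/&p:t; path=/
"""

# A dump line that looks like an HTTP header: optional "<"/">" direction
# marker, a header name, a colon, then the value.
HEADER_RE = re.compile(r"^(?P<prefix>[<>]\s*)?(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$")
# Header names whose values must not leave the machine unredacted.
SENSITIVE_RE = re.compile(r"cookie|authorization|secret|password|session", re.I)
# Headers worth a closer look when hunting for an IPsec/ESP data path.
TRANSPORT_RE = re.compile(r"ipsec|esp", re.I)


def redact_dump(text: str) -> Tuple[str, List[str]]:
    """Return (redacted_text, transport_related_headers) for a dump."""
    out_lines: List[str] = []
    interesting: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            out_lines.append(line)  # request/status lines pass through untouched
            continue
        prefix = m.group("prefix") or ""
        name, value = m.group("name"), m.group("value")
        if SENSITIVE_RE.search(name):
            value = "<redacted>"  # redaction happens before any further use
        if TRANSPORT_RE.search(name) or TRANSPORT_RE.search(value):
            interesting.append(f"{name}: {value}")
        out_lines.append(f"{prefix}{name}: {value}")
    return "\n".join(out_lines) + "\n", interesting


if __name__ == "__main__":
    redacted, hits = redact_dump(SAMPLE_DUMP)
    print(redacted)
    print("Transport-related headers:", hits)
```

Review the redacted output by eye before posting it; the name-based match only catches headers whose names look sensitive, not secrets hidden in otherwise innocuous values.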