Re: Does openconnect support IPSec with EAP-MSCHAPv2 authentication?

On Tue, Mar 24, 2020 at 4:40 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
>
> On Tue, Mar 24, 2020 at 4:59 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> >
> > On Mon, 2020-03-23 at 18:02 -0700, Daniel Lenski wrote:
> > > One approach is to try to put together an anonymized document that
> > > describes the protocol abstractly, like I did here for GlobalProtect
> > > as I was studying it:
> > > https://github.com/dlenski/openconnect/blob/master/PAN_GlobalProtect_protocol_doc.md
> > >
> > > The good news is that a lot of the information needed to add support
> > > for Cisco IPSEC is probably right there in the headers of the CSTP
> > > connection request/response which we already understand very well. Try
> > > connecting to your server with `openconnect --dump -vvvv`, and start
> > > looking for HTTP headers that mention IPSEC or ESP.
> > >
> > > It's all plain text at that point, so it should be quite
> > > straightforward to identify and obfuscate anything that may be
> > > sensitive (e.g. username, password, cookies, secret values).
> >
> > Isn't this the IKE-based one that is partly supported by vpnc
>
> Your guess is as good as mine. ¯\_(ツ)_/¯
>
> I have…
> a) Actually used old Cisco VPNs that use IKEv1 for auth and
> configuration and ESP for data transport (with vpnc)
> b) Actually used Cisco VPNs that use HTTPS for auth and DTLS and/or
> HTTPS for data transport (with OpenConnect)
> c) Heard half-whispered legends alleging the existence of Cisco VPNs
> that use HTTPS for auth and ESP for data transport
> d) Probably not heard of all of them despite the fact that I spent a
> substantial fraction of my time figuring out how to connect to various
> VPNs from 2016-2019.
>
> I guess we're going to find out if this is an (a) or a (c) or a (d).
>
> This page* (https://www.cisco.com/c/en/us/support/docs/security/vpn-client/45102-vpnclientfaq.html#client)
> says “The AnyConnect client supports SSL and DTLS. It does not support
> IPsec at this time.”
>
> Dan
>
> * Though that page is also dated 2014, and its references to Windows
> Vista suggest it's older than that. It also makes some
> less-than-confidence-inspiring statements such as, “The languages
> supported on the Cisco VPN Client GUI versions later than 4.0 are
> Canadian, French, and Japanese.”
>
Using AnyConnect with IPSec has been a thing for a few years.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html

I have to add that I have never used, or attempted to use, IPSec with
AnyConnect.

Cheers

Arne
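Dan's suggestion above is to run `openconnect --dump -vvvv`, pick out the CSTP headers that mention IPSEC or ESP, and blank out anything sensitive before sharing the dump. The following is an added example of doing that mechanically; it is my own code, not part of the thread or of OpenConnect, and it assumes the dump prints each HTTP header as `Name: value`, optionally prefixed with `> ` (request) or `< ` (response). The header names in the sample are constructed, not real CSTP headers.

```python
import re

# Headers whose values never belong in a shared dump. The explicit names are
# standard HTTP; the regex additionally catches any header name containing
# "secret", "password" or "token" (my heuristic, not OpenConnect's).
SENSITIVE_NAMES = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_NAME_RE = re.compile(r"secret|password|token", re.IGNORECASE)

# One dump line: optional "> " / "< " direction marker, then "Name: value".
HEADER_RE = re.compile(r"^(?P<prefix>[<>]\s*)?(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.*)$")

# "ipsec" or "esp" as a whole token, so "Response" does not match "esp".
TRANSPORT_RE = re.compile(r"(?<![a-z])(ipsec|esp)(?![a-z])", re.IGNORECASE)

# Constructed sample, mimicking the shape of a CSTP request/response dump.
SAMPLE_DUMP = """\
> GET /CSCOSSLC/tunnel HTTP/1.1
> Cookie: webvpn=constructed-session-cookie
> X-CSTP-Version: 1
< HTTP/1.1 200 CONNECTED
< X-CSTP-MTU: 1406
< X-Example-IPSec-Enabled: true
< X-Example-ESP-Secret: constructed-secret-value
< X-Example-Response-Kind: plain
"""

def is_sensitive(name):
    return name.lower() in SENSITIVE_NAMES or bool(SENSITIVE_NAME_RE.search(name))

def redact_line(line):
    """Blank the value of a sensitive header; leave every other line untouched."""
    m = HEADER_RE.match(line)
    if m and is_sensitive(m.group("name")):
        return f"{m.group('prefix') or ''}{m.group('name')}: <redacted>"
    return line

def extract_transport_headers(dump_text):
    """Redact first, then keep header lines whose name or value mentions
    IPSEC or ESP. Returns (all_redacted_lines, transport_related_headers)."""
    redacted = [redact_line(l) for l in dump_text.splitlines()]
    transport = [l for l in redacted if HEADER_RE.match(l) and TRANSPORT_RE.search(l)]
    return redacted, transport

if __name__ == "__main__":
    _, headers = extract_transport_headers(SAMPLE_DUMP)
    print("\n".join(headers))
```

Redaction runs before the filter, so a transport-related header that also carries a secret is reported by name but never by value.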

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel