OpenConnect is an SSL-based VPN client which is inter-operable with the commercial products Cisco AnyConnect, Juniper Pulse Connect Secure, and Palo Alto Networks GlobalProtect.GlobalProtect mode is new in OpenConnect 8.0 and is not yet fully integrated into OpenWrt.A companion VPN server ocserv which implements the AnyConnect protocol is also available for OpenWrt.
Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. OpenConnect SSL VPN software was created to allow remote users and employees to securely connect to a Cisco, Juniper or Palo Alto SSL VPN gateway running in an enterprise environment from Linux systems.
OpenConnect is an SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure. In this guide, we will look at the installation and usage of OpenConnect SSL VPN client to connect to both Cisco’s AnyConnect SSL VPN and Juniper Pulse. OpenConnect is an SSL -based VPN client which is inter-operable with the commercial products Cisco AnyConnect, Juniper Pulse Connect Secure, and Palo Alto Networks GlobalProtect. GlobalProtect mode is new in OpenConnect 8.0 and is not yet fully integrated into OpenWrt.
User guide
Ssl Vpn Client
Additional Services
VPN (aka Virtual Private Network)
OpenConnect
Support for Juniper's Network Connect protocol was added toOpenConnect in early 2015, for the 7.05 release. It is stillexperimental, and is quite likely to be deprecated in favour of the newerJunosPulse protocol.
Juniper mode is requested by adding --protocol=ncto the command line:
Network Connect works very similarly toAnyConnect — initial authentication is madeover HTTP, resulting in an HTTP cookie which is used to make the actualVPN connection. That connection is also made over HTTP, and the IP addressand routing information are provided by the VPN server. The client thenattempts to bring up a UDP transport, which in the case of Juniper isESP.
Authentication
Openconnect Ssl Vpn Server
The authentication stage with Juniper is what is expected to causemost problems. Unlike AnyConnect which has a relatively simple XMLschema for interacting with the user, the Juniper VPN expects a fullweb browser environment and uses HTML forms with JavaScript and evenfull-blown Java support.
The common case is relatively simple, and OpenConnect supports thecommon forms defined by the Juniper-provided templates. However,administrators have the facility to put arbitrary HTML pages into thelogin sequence and full compatibility may require actuallyusing a web browser to log in — ironically, since much of the reasonusers have been asking for OpenConnect to support Juniper is becausethey didn't want to have to use a web browser.
For NetworkManager we may end up putting a full HTML renderer intothe GUI authentication dialog, while the command line client continuesto parse the common login forms and make a best attempt at handlinganything non-standard.
External authentication
There are a number of perl and python scripts which handle authenticationto Juniper servers to bypass the web browser. One such script has beenported to invoke OpenConnect instead of Juniper's own ncsvcclient and can be foundhere.
Any of these scripts which authenticate and obtain a DSIDcookie representing a VPN session can be used with OpenConnect. Justpass the cookie to OpenConnect with its -C option, for example:
Open Ssl Vpn
Host Checker (tncc.jar)
Many sites require a Java applet to run certain tests as a preconditionof authentication (similar to CSDfor AnyConnect VPNs and HIP for GlobalProtect VPNs).See the Host Checker / TNCC page for how to configure OpenConnectto wrap and run this applet.
Openconnect Ssl Vpn Client
Connectivity
Once authentication is complete, the VPN connection can beestablished. At the time of writing much of the configuration for LegacyIP addressing and routes is understood and implemented. IPv6 is notyet implemented, and test reports from someone with an IPv6-capable serverwould be greatly appreciated.
Openconnect Vpn Gui
The data transport is functional both over the HTTPS session and alsoover ESP. Servers with compression enabled should also be supported, asLZO decompression is working and although we lack compressionsupport it appears acceptable to simply send packets uncompressed.
Openconnect Vpn Client Windows
At the time of writing, keepalive for the ESP connection has beenimplemented and extremely lightly tested, while it isn't yet known ifthe VPN supports keepalive on the HTTPS connection. Reconnection of boththe HTTPS and ESP links is implemented. The current implementation isbasically usable and is definitely ready for some more widespread testing.