Introduction¶
OpenConnect is a SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN.It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure.Palo Altos Global Protect will also be supported in future and of course the own OpenConnect Server.
OpenConnect SSL VPN software was created to allow remote users and employees to securely connect to a Cisco, Juniper or Palo Alto SSL VPN gateway running in an enterprise environment from Linux systems. OpenConnect is a command-line client for Cisco’s AnyConnect SSL VPN, that can be used as an alternative to Cisco AnyConnect client. The following guide to install and setup OpenConnect in Mac is.
Step 1 - Installation¶
Go to System ‣ Firmware ‣ Plugins and search for os-openconnect.Install the plugin as usual, refresh and page and the you’ll find the client viaVPN ‣ OpenConnect.
Step 2 - Setup¶
The setup of the client is very simple. Just tick Enable and fill out VPN Server,Username and Password. Be sure that the FQDN matches the name in the certificateor you will receive an error. Also wildcard certificates can produce errors.
Once enabled, a new interface will be available for specifying firewall rules;Firewall ‣ Rules ‣ OpenConnect will appear.
Step 3 - Troubleshoot problems¶
To troubleshoot connection problems it’s best to login via CLI and start OpenConnect manually:
# /usr/local/etc/rc.d/opnsense-openconnect start
Openconnect Ssl Vpn Download
Look out for errors like
Totrustthisserverinfuture,perhapsaddthistoyourcommandline:--servercertsha256:9f97a3395d18093a14f0d8e768dabee231af34d9ba35432dfe838d58dd633333
Now the field Certificate Hash comes into play, so please insert the string above withoutthe hash size and set this one in field Certificate Hash Type.
Support for Juniper's Network Connect protocol was added toOpenConnect in early 2015, for the 7.05 release. It is stillexperimental, and is quite likely to be deprecated in favour of the newerJunosPulse protocol.
Juniper mode is requested by adding --protocol=ncto the command line:
Network Connect works very similarly toAnyConnect — initial authentication is madeover HTTP, resulting in an HTTP cookie which is used to make the actualVPN connection. That connection is also made over HTTP, and the IP addressand routing information are provided by the VPN server. The client thenattempts to bring up a UDP transport, which in the case of Juniper isESP.
Authentication
The authentication stage with Juniper is what is expected to causemost problems. Unlike AnyConnect which has a relatively simple XMLschema for interacting with the user, the Juniper VPN expects a fullweb browser environment and uses HTML forms with JavaScript and evenfull-blown Java support.
The common case is relatively simple, and OpenConnect supports thecommon forms defined by the Juniper-provided templates. However,administrators have the facility to put arbitrary HTML pages into thelogin sequence and full compatibility may require actuallyusing a web browser to log in — ironically, since much of the reasonusers have been asking for OpenConnect to support Juniper is becausethey didn't want to have to use a web browser.
For NetworkManager we may end up putting a full HTML renderer intothe GUI authentication dialog, while the command line client continuesto parse the common login forms and make a best attempt at handlinganything non-standard.
External authentication
There are a number of perl and python scripts which handle authenticationto Juniper servers to bypass the web browser. One such script has beenported to invoke OpenConnect instead of Juniper's own ncsvcclient and can be foundhere.
Any of these scripts which authenticate and obtain a DSIDcookie representing a VPN session can be used with OpenConnect. Justpass the cookie to OpenConnect with its -C option, for example:
Host Checker (tncc.jar)
Many sites require a Java applet to run certain tests as a preconditionof authentication (similar to CSDfor AnyConnect VPNs and HIP for GlobalProtect VPNs).See the Host Checker / TNCC page for how to configure OpenConnectto wrap and run this applet.
Connectivity
Once authentication is complete, the VPN connection can beestablished. At the time of writing much of the configuration for LegacyIP addressing and routes is understood and implemented. IPv6 is notyet implemented, and test reports from someone with an IPv6-capable serverwould be greatly appreciated.
The data transport is functional both over the HTTPS session and alsoover ESP. Servers with compression enabled should also be supported, asLZO decompression is working and although we lack compressionsupport it appears acceptable to simply send packets uncompressed.
Openconnect Gui Vpn Client Download
Sslvpn.boeing
At the time of writing, keepalive for the ESP connection has beenimplemented and extremely lightly tested, while it isn't yet known ifthe VPN supports keepalive on the HTTPS connection. Reconnection of boththe HTTPS and ESP links is implemented. The current implementation isbasically usable and is definitely ready for some more widespread testing.