Openconnect Cisco Anyconnect

How the VPN works

The program openconnect connects to Cisco 'AnyConnect' VPN servers, which use standard TLS and DTLS protocols for data transport. The connection happens in two phases. First there is a simple HTTPS connection over which the user authenticates somehow - by using a certificate, or password or SecurID, etc.

I currently have and use the official Cisco AnyConnect Client. When I connect to it, all it asks me for is my username and password. When I try to connect to the same server using the package from network-manager-openconnect-gnome, it looks like this. Why are there so many options (certificate, proxy, etc.)?

OpenConnect SSL VPN software was created to allow remote users and employees to securely connect to a Cisco, Juniper or Palo Alto SSL VPN gateway running in an enterprise environment from Linux systems. OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN; it also supports the Palo Alto Networks GlobalProtect SSL VPN. There is also an OpenConnect VPN server (ocserv), which implements an improved version of the Cisco AnyConnect protocol. Install the networkmanager-openconnect package and then create a new VPN profile via Network Manager; openconnect works well with a Cisco ASA (AnyConnect).

The VPN is extremely simple, based almost entirely on the standard HTTPS and DTLS protocols. You connect to the secure web server, authenticate using certificates and/or arbitrary web forms, and you are rewarded with a standard HTTP cookie named webvpn.

Some Cisco servers require you to execute a 'Cisco Secure Desktop' trojan binary (intended for security scanning of the client system) before authentication can complete; see the CSD page for information on how to comply with this requirement, or spoof it, with OpenConnect.

After authentication, you use the webvpn cookie in an HTTP CONNECT request, and can then pass traffic over that connection. IP addresses and routing information are passed back and forth in the headers of that CONNECT request.

Since TCP over TCP is very suboptimal, the VPN also attempts to use UDP datagrams, and will only actually pass traffic over the HTTPS connection if that fails. The UDP connectivity is done using Datagram TLS, which is supported by OpenSSL.
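The CONNECT phase described above, modelled as an added example that is not OpenConnect's own code: the client presents the webvpn cookie in an HTTP CONNECT request, the server answers with the tunnel address, DNS, MTU and split routes in its headers, and the client then prefers DTLS only if the server offered a port and the DTLS handshake succeeded, otherwise falling back to the HTTPS stream. The webvpn cookie, the CONNECT request and the "routing information in headers" design come from the page; the /CSCOSSLC/tunnel path and the X-CSTP-* / X-DTLS-* header names follow the convention OpenConnect implements but are assumptions here, and every value in the sample response is constructed. The point worth noticing is that the server, not the client, dictates addresses and routes, so the parser validates each pushed value instead of trusting it.

```python
"""Model of the AnyConnect CONNECT phase (added example, not OpenConnect's code).

From the page: the webvpn cookie, the HTTP CONNECT request, and address/routing
information carried in its headers. Assumed (check the OpenConnect source before
relying on them): the /CSCOSSLC/tunnel path and the X-CSTP-* / X-DTLS-* header
names. All sample values below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

WEBVPN_COOKIE = "webvpn"


def build_connect_request(host: str, cookie_value: str) -> bytes:
    """Phase two: present the phase-one cookie in an HTTP CONNECT request."""
    lines = [
        "CONNECT /CSCOSSLC/tunnel HTTP/1.1",  # path assumed, see module docstring
        f"Host: {host}",
        f"Cookie: {WEBVPN_COOKIE}={cookie_value}",
        "X-CSTP-Version: 1",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


@dataclass
class TunnelConfig:
    """Client-side view of what the server pushed in the CONNECT response."""
    address: Optional[str] = None
    netmask: Optional[str] = None
    mtu: Optional[int] = None
    dns: List[str] = field(default_factory=list)
    split_include: List[str] = field(default_factory=list)
    dtls_port: Optional[int] = None


def parse_connect_response(raw: bytes) -> TunnelConfig:
    """Parse the CONNECT response headers, validating every pushed value.

    The server is the source of addresses and routes, so each field is
    checked with ipaddress/int before it is accepted rather than trusted.
    """
    head, sep, _tunnel_data = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.decode("ascii").split("\r\n")
    status = lines[0]
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"CONNECT refused: {status}")

    cfg = TunnelConfig()
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "x-cstp-address":
            cfg.address = str(ipaddress.IPv4Address(value))
        elif name == "x-cstp-netmask":
            cfg.netmask = str(ipaddress.IPv4Address(value))
        elif name == "x-cstp-mtu":
            mtu = int(value)
            if not 576 <= mtu <= 1500:
                raise ValueError(f"implausible MTU: {mtu}")
            cfg.mtu = mtu
        elif name == "x-cstp-dns":
            cfg.dns.append(str(ipaddress.IPv4Address(value)))
        elif name == "x-cstp-split-include":
            # Routes arrive as address/netmask; normalise to CIDR notation.
            cfg.split_include.append(str(ipaddress.IPv4Network(value, strict=False)))
        elif name == "x-dtls-port":
            port = int(value)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad DTLS port: {port}")
            cfg.dtls_port = port
        # Any other header is ignored by this model.
    if cfg.address is None:
        raise ValueError("server pushed no tunnel address")
    return cfg


def choose_transport(cfg: TunnelConfig, dtls_established: bool) -> str:
    """Prefer DTLS when the server offered it and the handshake worked;
    otherwise fall back to passing traffic over the HTTPS CONNECT stream."""
    if cfg.dtls_port is not None and dtls_established:
        return "dtls"
    return "https"


# Constructed sample response; not captured from a real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-CSTP-Version: 1\r\n"
    b"X-CSTP-Address: 10.8.0.5\r\n"
    b"X-CSTP-Netmask: 255.255.255.0\r\n"
    b"X-CSTP-DNS: 10.8.0.1\r\n"
    b"X-CSTP-MTU: 1406\r\n"
    b"X-CSTP-Split-Include: 10.0.0.0/255.0.0.0\r\n"
    b"X-CSTP-Split-Include: 192.168.100.0/255.255.255.0\r\n"
    b"X-DTLS-Port: 443\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_connect_request("vpn.example.com", "constructed-cookie").decode())
    cfg = parse_connect_response(SAMPLE_RESPONSE)
    print(cfg)
    print("transport:", choose_transport(cfg, dtls_established=False))
```

Running the script prints the CONNECT request, the parsed configuration and the transport chosen when the UDP path is assumed to have failed. Rejecting a non-200 status before reading any headers mirrors the two-phase design: without a valid webvpn cookie the server never reaches the point of pushing routes.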

DTLS compatibility

Note: DTLS is optional and not required for basic connectivity, as explained above.

Unfortunately, Cisco used an old version of OpenSSL for their server, which predates the official RFC and has a few differences in the implementation of DTLS.

OpenSSL

Compatibility support for their 'speshul' version of the protocol is in the 0.9.8m and later releases of OpenSSL (and 1.0.0-beta2 and later).

NOTE: OpenSSL 1.0.0k, 1.0.1d and 1.0.1e have introduced bugs which break this compatibility. See the thread on the mailing list, which has patches for each.

If you are using an older version of OpenSSL which predates the compatibility, you will need to apply this patch from OpenSSL CVS:

  • http://cvs.openssl.org/chngview?cn=18037 (OpenSSL RT#1751)
For versions older than 0.9.8j, some generic DTLS bug fixes are also required:
  • http://cvs.openssl.org/chngview?cn=17500 (OpenSSL RT#1703)
  • http://cvs.openssl.org/chngview?cn=17505 (OpenSSL RT#1752)
The username/password for OpenSSL RT is 'guest/guest'

GnuTLS

Support for Cisco's version of DTLS was included in GnuTLS from 3.0.21 onwards (committed in fd5ca1af).
