| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 |
- <PAGE>
- <INCLUDE file="inc/header.tmpl" />
- <VAR match="VAR_SEL_PROTOCOLS" replace="selected" />
- <VAR match="VAR_SEL_ANYCONNECT" replace="selected" />
- <PARSE file="menu1.xml" />
- <PARSE file="menu2-protocols.xml" />
- <INCLUDE file="inc/content.tmpl" />
- <h1>Cisco AnyConnect</h1>
- <h2>How the VPN works</h2>
- <p>The VPN is extremely simple, based almost entirely on the standard
- HTTPS and <a href="https://www.rfc-editor.org/rfc/rfc4347.txt">DTLS</a>
- protocols. You connect to the secure web server, authenticate using
- certificates and/or arbitrary web forms, and you are rewarded with a
- standard HTTP cookie named <tt>webvpn</tt>.</p>
- <p>Some Cisco servers require you to execute a 'Cisco Secure Desktop'
- trojan binary (intended for security scanning of the client system)
- before authentication can complete; see <a href="csd.html">the CSD
- page</a> for information on how to comply with this requirement, or
- spoof it, with OpenConnect.</p>
- <p>After authentication, you use the <tt>webvpn</tt> cookie
- in an HTTP <tt>CONNECT</tt> request, and can
- then pass traffic over that connection. IP addresses and routing
- information are passed back and forth in the headers of that
- <tt>CONNECT</tt> request.</p>
- <p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP
- over TCP is very suboptimal</a>, the VPN also attempts to use UDP
- datagrams, and will only <em>actually</em> pass traffic over the HTTPS
- connection if that fails. The UDP connectivity is done using Datagram
- TLS, which is supported by OpenSSL.</p>
- <h2>DTLS compatibility</h2>
- <p><i><b>Note: DTLS is optional and not required for basic connectivity, as explained above.</b></i></p>
- <p>Unfortunately, Cisco used an old version of OpenSSL for their server,
- which predates the official RFC and has a few differences in the
- implementation of DTLS.
- </p>
- <h3>OpenSSL</h3>
- <p>Compatibility support for their "speshul" version of the protocol is
- in the 0.9.8m and later releases of OpenSSL (and 1.0.0-beta2 and later).
- </p>
- <p><b>NOTE:</b> OpenSSL 1.0.0k, 1.0.1d and 1.0.1e have introduced bugs which
- break this compatibility. See the <a href="https://lists.infradead.org/pipermail/openconnect-devel/2013-February/000827.html">thread</a> on the mailing list, which has patches for each.</p>
- <p>If you are using an older version of OpenSSL which predates the
- compatibility, you will need to apply this patch from OpenSSL CVS:</p>
- <ul>
- <li><a href="http://cvs.openssl.org/chngview?cn=18037">http://cvs.openssl.org/chngview?cn=18037</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1751&amp;user=guest&amp;pass=guest">RT#1751</a>)</li>
- </ul>
- For versions older than 0.9.8j, some generic DTLS bug fixes are also required:
- <ul>
- <li><a href="http://cvs.openssl.org/chngview?cn=17500">http://cvs.openssl.org/chngview?cn=17500</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1703&amp;user=guest&amp;pass=guest">RT#1703</a>)</li>
- <li><a href="http://cvs.openssl.org/chngview?cn=17505">http://cvs.openssl.org/chngview?cn=17505</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1752&amp;user=guest&amp;pass=guest">RT#1752</a>) </li>
- </ul>
- The username/password for OpenSSL RT is 'guest/guest'
- <h3>GnuTLS</h3>
- <p>Support for Cisco's version of DTLS was included in GnuTLS from 3.0.21 onwards (<a href="https://gitlab.com/nmav/gnutls/commit/fd5ca1afb7b223f1ce0c5330f2611996491c6aae">committed in <tt>fd5ca1af</tt></a>).</p>
- <INCLUDE file="inc/footer.tmpl" />
- </PAGE>
|
