/
juniper.xml
107 lines (88 loc) · 4.75 KB
/
juniper.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
<PAGE>
<INCLUDE file="inc/header.tmpl" />
<VAR match="VAR_SEL_PROTOCOLS" replace="selected" />
<VAR match="VAR_SEL_JUNIPER" replace="selected" />
<PARSE file="menu1.xml" />
<PARSE file="menu2-protocols.xml" />
<INCLUDE file="inc/content.tmpl" />
<h1>Juniper SSL VPN / Pulse Connect Secure</h1>
<p>Support for Juniper's Network Connect protocol was added to
OpenConnect in early 2015, for the 7.05 release. It is still
experimental, and is quite likely to be deprecated in favour of the newer
<a href="http://www.juniper.net/techpubs/en_US/junos-pulse4.0/topics/reference/a-c-c-nc-comparing.html">Junos
Pulse</a> protocol.</p>
<p>For the time being, Juniper mode is requested by adding <tt>--juniper</tt>
to the command line:
<pre>
openconnect --juniper vpn.example.com
</pre></p>
<p>Network Connect works very similarly to
<a href="anyconnect.html">AnyConnect</a> — initial authentication is made
over HTTP, resulting in an HTTP cookie which is used to make the actual
VPN connection. That connection is also made over HTTP, and the IP address
and routing information are provided by the VPN server. The client then
attempts to bring up a UDP transport, which in the case of Juniper is
<a href="https://tools.ietf.org/html/rfc3948">ESP</a>.</p>
<h2>Authentication</h2>
<p>The authentication stage with Juniper is what is expected to cause
most problems. Unlike AnyConnect which has a relatively simple XML
schema for interacting with the user, the Juniper VPN expects a full
web browser environment and uses HTML forms with JavaScript and even
full-blown Java support.</p>
<p>The common case is relatively simple, and OpenConnect supports the
common forms defined by the Juniper-provided templates. However,
administrators have the facility to put arbitrary HTML pages into the
login sequence and full compatibility may require <em>actually</em>
using a web browser to log in — ironically, since much of the reason
users have been asking for OpenConnect to support Juniper is because
they didn't <em>want</em> to have to use a web browser.</p>
<p>For NetworkManager we may end up putting a full HTML renderer into
the GUI authentication dialog, while the command line client continues
to parse the common login forms and make a best attempt at handling
anything non-standard.</p>
<h3>External authentication</h3>
<p>There are a number of perl and python scripts which handle authentication
to Juniper servers to bypass the web browser. One such script has been
ported to invoke OpenConnect instead of Juniper's own <tt>ncsvc</tt>
client and can be found
<a href="https://github.com/russdill/juniper-vpn-py">here</a>.</p>
<p>Any of these scripts which authenticate and obtain a <tt>DSID</tt>
cookie representing a VPN session can be used with OpenConnect. Just
pass the cookie to OpenConnect with its <tt>-C</tt> option, for example:
<pre>
openconnect --juniper -C "DSID=foobar12345" vpn.example.com
</pre>
</p>
<h3>Host Checker (tncc.jar)</h3>
<p>Many sites require a Java applet to run certain tests as a precondition
of authentication. This works by sending a <tt>DSPREAUTH</tt> cookie
to the client which is attempting to authenticate, and the Java code
in <tt>tncc.jar</tt> then runs and communicates with the server, handing
back a new value for the <tt>DSPREAUTH</tt> cookie to be used when
autnentication continues.</p>
<p>OpenConnect supports this with a little assistance. There is a python
script <tt>tncc-wrapper.py</tt> in the git repository which can be used
along with the <tt>tncc-preload.so</tt> from
<a href="https://github.com/russdill/ncsvc-socks-wrapper">this repository</a>.
It may also be necessary to pass a Mozilla-compatible user agent string:
<pre>
./openconnect --juniper --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=./tncc-wrapper.py vpn.example.com
</pre>
</p>
<h2>Connectivity</h2>
<p>Once authentication is complete, the VPN connection can be
established. At the time of writing much of the configuration for Legacy
IP addressing and routes is understood and implemented. IPv6 is not
yet implemented, and test reports from someone with an IPv6-capable server
would be greatly appreciated.</p>
<p>The data transport is functional both over the HTTPS session and also
over ESP. Servers with compression enabled should also be supported, as
LZO <em>decompression</em> is working and although we lack compression
support it appears acceptable to simply send packets uncompressed.</p>
<p>At the time of writing, keepalive for the ESP connection has been
implemented and extremely lightly tested, while it isn't yet known if
the VPN supports keepalive on the HTTPS connection. Reconnection of both
the HTTPS and ESP links is implemented. The current implementation is
basically usable and is definitely ready for some more widespread testing.</p>
<INCLUDE file="inc/footer.tmpl" />
</PAGE>