/
juniper.xml
105 lines (86 loc) · 4.72 KB
/
juniper.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
<PAGE>
<INCLUDE file="inc/header.tmpl" />
<VAR match="VAR_SEL_PROTOCOLS" replace="selected" />
<VAR match="VAR_SEL_JUNIPER" replace="selected" />
<PARSE file="menu1.xml" />
<PARSE file="menu2-protocols.xml" />
<INCLUDE file="inc/content.tmpl" />
<h1>Juniper SSL VPN / Pulse Connect Secure</h1>
<p>Support for Juniper's Network Connect protocol was added to
OpenConnect in early 2015, for the 7.05 release. It is an extremely
convoluted and quirky protocol, but OpenConnect's support for it
is believed to be nearly complete. The most glaring problem with
the Pulse protocol is that it does not support IPv6 at all.</p>
<p>Following
<a href="https://www.juniper.net/content/dam/www/assets/solution-briefs/us/en/security/juniper-networks-and-pulse-secure-deliver-unified-secure-network-access.pdf">Juniper's
2015 announcement</a>, the Juniper protocol has been largely
deprecated and replaced with the <a href="pulse.html">Junos/Ivanti
Pulse</a> protocol. However, as of 2023 Junos/Ivanti servers continue
to support the Juniper Network Connect protocol alongside the Pulse
protocol, unless explicitly disabled by administrators.</p>
<p>Juniper mode is requested by adding <tt>--protocol=nc</tt>
to the command line:
<pre>
openconnect --protocol=nc vpn.example.com
</pre></p>
<p>Network Connect works very similarly to
<a href="anyconnect.html">AnyConnect</a> — initial authentication is made
over HTTP, resulting in an HTTP cookie which is used to make the actual
VPN connection. That connection is also made over HTTP, and the IP address
and routing information are provided by the VPN server. The client then
attempts to bring up a UDP transport, which in the case of Juniper is
<a href="https://tools.ietf.org/html/rfc3948">ESP</a>.</p>
<h2>Authentication</h2>
<p>The authentication stage with Juniper is what is expected to cause
most problems. Unlike AnyConnect which has a relatively simple XML
schema for interacting with the user, the Juniper VPN expects a full
web browser environment and uses HTML forms with JavaScript and even
full-blown Java support.</p>
<p>The common case is relatively simple, and OpenConnect supports the
common forms defined by the Juniper-provided templates. However,
administrators have the facility to put arbitrary HTML pages into the
login sequence and full compatibility may require <em>actually</em>
using a web browser to log in — ironically, since much of the reason
users have been asking for OpenConnect to support Juniper is because
they didn't <em>want</em> to have to use a web browser.</p>
<p>For NetworkManager we may end up putting a full HTML renderer into
the GUI authentication dialog, while the command line client continues
to parse the common login forms and make a best attempt at handling
anything non-standard.</p>
<h3>External authentication</h3>
<p>There are a number of perl and python scripts which handle authentication
to Juniper servers to bypass the web browser. One such script has been
ported to invoke OpenConnect instead of Juniper's own <tt>ncsvc</tt>
client and can be found
<a href="https://github.com/russdill/juniper-vpn-py">here</a>.</p>
<p>Any of these scripts which authenticate and obtain a <tt>DSID</tt>
cookie representing a VPN session can be used with OpenConnect. Just
pass the cookie to OpenConnect with its <tt>-C</tt> option, for example:
<pre>
openconnect --protocol=nc -C "DSID=foobar12345" vpn.example.com
</pre>
</p>
<h3>Host Checker (tncc.jar)</h3>
<p>Many sites require a Java applet to run certain tests as a precondition
of authentication (similar to <a href="csd.html">CSD</a>
for AnyConnect VPNs and <a href="hip.html">HIP</a> for GlobalProtect VPNs).
See the <a href="tncc.html">Host Checker / TNCC page</a> for how to configure OpenConnect
to wrap and run this applet.
</p>
<h2>Connectivity</h2>
<p>Once authentication is complete, the VPN connection can be
established. At the time of writing much of the configuration for Legacy
IP addressing and routes is understood and implemented. IPv6 is not
yet implemented, and test reports from someone with an IPv6-capable server
would be greatly appreciated.</p>
<p>The data transport is functional both over the HTTPS session and also
over ESP. Servers with compression enabled should also be supported, as
LZO <em>decompression</em> is working and although we lack compression
support it appears acceptable to simply send packets uncompressed.</p>
<p>At the time of writing, keepalive for the ESP connection has been
implemented and extremely lightly tested, while it isn't yet known if
the VPN supports keepalive on the HTTPS connection. Reconnection of both
the HTTPS and ESP links is implemented. The current implementation is
basically usable and is definitely ready for some more widespread testing.</p>
<INCLUDE file="inc/footer.tmpl" />
</PAGE>