Website updates

Admit to Juniper support, a few other updates.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

www/Makefile.am

@@ -6,9 +6,10 @@ CONV 	= "$(srcdir)/html.py"
 FTR_PAGES = csd.html charset.html token.html pkcs11.html features.html gui.html nonroot.html
 START_PAGES = building.html connecting.html manual.html vpnc-script.html 
 INDEX_PAGES = changelog.html download.html index.html packages.html platforms.html
-TOPLEVEL_PAGES = contribute.html mail.html technical.html
+PROTO_PAGES = anyconnect.html juniper.html
+TOPLEVEL_PAGES = contribute.html mail.html
 
-ALL_PAGES = $(FTR_PAGES) $(START_PAGES) $(INDEX_PAGES) $(TOPLEVEL_PAGES)
+ALL_PAGES = $(FTR_PAGES) $(START_PAGES) $(INDEX_PAGES) $(TOPLEVEL_PAGES) $(PROTO_PAGES)
 
 html_DATA = $(ALL_PAGES)
 
@@ -21,6 +22,7 @@ clean-local:
 $(ALL_PAGES): menu1.xml $(srcdir)/inc/*.tmpl
 $(FTR_PAGES): menu2-features.xml
 $(START_PAGES): menu2-started.xml
+$(PROTO_PAGES): menu2-protocols.xml
 $(MAIN_PAGES): menu2.xml
 
 manual.html: openconnect.8.inc

www/technical.xml → www/anyconnect.xml

@@ -1,11 +1,15 @@
 <PAGE>
 	<INCLUDE file="inc/header.tmpl" />
 
-	<VAR match="VAR_SEL_TECHNICAL" replace="selected" />
+	<VAR match="VAR_SEL_PROTOCOLS" replace="selected" />
+	<VAR match="VAR_SEL_ANYCONNECT" replace="selected" />
 	<PARSE file="menu1.xml" />
+	<PARSE file="menu2-protocols.xml" />
 
 	<INCLUDE file="inc/content.tmpl" />
 
+<h1>Cisco AnyConnect</h1>
+
 <h2>How the VPN works</h2>
 
 <p>The VPN is extremely simple, based almost entirely on the standard

www/contribute.xml

@@ -15,9 +15,11 @@
 languages other than English. All contributions will be gratefully
 received.</p>
 
-<p>Translations for OpenConnect can be entered through <a
-href="https://www.transifex.net/projects/p/openconnect/">Transifex</a>
-or by editing one of the language files in the <tt><a
+<p>Translations for OpenConnect are maintained in the GNOME
+<a href="https://l10n.gnome.org/module/network-manager-openconnect/">network-manager-openconnect module</a>. Translations can be contributed by joining
+the GNOME team as described on their
+<a href="https://wiki.gnome.org/TranslationProject">TranslationProject</a>
+wiki page, or simply by editing one of the language files in the <tt><a
 href="http://git.infradead.org/users/dwmw2/openconnect.git/tree/HEAD:/po">po/</a></tt>
 directory and sending the resulting patch (or file) to the <a
 href="mail.html">mailing list</a>.</p>
@@ -34,7 +36,6 @@ Other items on the TODO list include:
 
 <ul>
   <li>Better support for running or emulating the '<a href="csd.html">Cisco Secure Desktop</a>' trojan.</li>
-  <li>GUI and NSI installer for Windows.</li>
   <li>GUI for OS X, perhaps based on <a href="http://code.google.com/p/tunnelblick/">Tunnelblick</a>.</li>
 </ul>
 

www/features.xml

@@ -19,7 +19,7 @@
   <li>Authentication using OATH TOTP or HOTP software tokens.</li>
   <li>Authentication using Yubikey OATH tokens <i>(when built with libpcsclite)</i></li>
   <li><i>UserGroup</i> support for selecting between multiple configurations on a single VPN server.</li>
-  <li>Data transport over TCP <i>(HTTPS)</i> or UDP <i>(DTLS)</i>.</li>
+  <li>Data transport over TCP <i>(HTTPS)</i> or UDP <i>(DTLS or ESP)</i>.</li>
   <li>Keepalive and Dead Peer Detection on both HTTPS and DTLS.</li>
   <li>Automatic update of VPN server list / configuration.</li>
   <li>Roaming support, allowing reconnection when the local IP address changes.</li>

www/index.xml

@@ -9,16 +9,15 @@
 	<INCLUDE file="inc/content.tmpl" />
 
 <h1>OpenConnect</h1>
-<p>OpenConnect is a client for Cisco's <a href="http://www.cisco.com/en/US/netsol/ns1049/index.html">AnyConnect SSL VPN</a>, which is supported by the ASA5500 Series, by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800, 7200 Series and Cisco 7301 Routers, and probably others.</p>
+<p>OpenConnect is an SSL VPN client initially created to support Cisco's <a href="http://www.cisco.com/go/asm">AnyConnect SSL VPN</a>. It has since been ported to support the Juniper SSL VPN which is now known as <a href="https://www.pulsesecure.net/products/connect-secure/">Pulse Connect Secure</a>.</p>
 
 <p>OpenConnect is released under the GNU Lesser Public License, version 2.1.</p>
 
 <p>Like <a href="http://www.unix-ag.uni-kl.de/~massar/vpnc/">vpnc</a>,
 OpenConnect is not officially supported by, or associated in any way
-with, Cisco Systems. It just happens to interoperate with their
-equipment.
+with, Cisco Systems, Juniper Networks or Pulse Secure. It just happens to interoperate with their equipment.
 </p>
-<p>Development of OpenConnect was started after a trial of their "official"
+<p>Development of OpenConnect was started after a trial of the Cisco 
 client under Linux found it to have many deficiencies:</p>
 <ul>
   <li>Inability to use SSL certificates from a <a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">TPM</a> or

www/juniper.xml

@@ -0,0 +1,85 @@
+<PAGE>
+	<INCLUDE file="inc/header.tmpl" />
+
+	<VAR match="VAR_SEL_PROTOCOLS" replace="selected" />
+	<VAR match="VAR_SEL_JUNIPER" replace="selected" />
+	<PARSE file="menu1.xml" />
+	<PARSE file="menu2-protocols.xml" />
+
+	<INCLUDE file="inc/content.tmpl" />
+
+<h1>Juniper SSL VPN / Pulse Connect Secure</h1>
+
+<p>Support for Juniper was added to OpenConnect in January of 2015,
+after the v7.04 release. It is still being tested. For the time being,
+Juniper mode is requested by adding <tt>--juniper</tt> to the command
+line:
+<pre>
+  openconnect --juniper vpn.example.com
+</pre></p>
+
+<p>The Juniper VPN works very similarly to
+<a href="anyconnect.html">AnyConnect</a> — initial authentication is made
+over HTTP, resulting in an HTTP cookie which is used to make the actual
+VPN connection. That connection is also made over HTTP, and the IP address
+and routing information are provided by the VPN server. The client then
+attempts to bring up a UDP transport, which in the case of Juniper is
+<a href="https://tools.ietf.org/html/rfc3948">ESP</a>.</p>
+
+<h2>Authentication</h2>
+
+<p>The authentication stage with Juniper is what is expected to cause
+most problems. Unlike AnyConnect which has a relatively simple XML
+schema for interacting with the user, the Juniper VPN expects a full
+web browser environment and uses HTML forms with JavaScript and even
+full-blown Java support.</p>
+
+<p>The common case is relatively simple, and OpenConnect supports the
+common forms defined by the Juniper-provided templates. However,
+administrators have the facility to put arbitrary HTML pages into the
+login sequence and full compatibility may require <em>actually</em>
+using a web browser to log in — ironically, since much of the reason
+users have been asking for OpenConnect to support Juniper is because
+they didn't <em>want</em> to have to use a web browser.</p>
+<p>For NetworkManager we may end up putting a full HTML renderer into
+the GUI authentication dialog, while the command line client continues
+to parse the common login forms and make a best attempt at handling
+anything non-standard.</p>
+
+<h3>External authentication</h3>
+<p>There are a number of perl and python scripts which handle authentication
+to Juniper servers to bypass the web browser. One such script has been
+ported to invoke OpenConnect instead of Juniper's own <tt>ncsvc</tt>
+client and can be found
+<a href="https://github.com/russdill/juniper-vpn-py">here</a>.</p>
+
+<p>Any of these scripts which authenticate and obtain a <tt>DSID</tt>
+cookie representing a VPN session can be used with OpenConnect. Just
+pass the cookie to OpenConnect with its <tt>-C</tt> option, for example:
+<pre>
+  openconnect --juniper -C "DSID=foobar12345" vpn.example.com
+</pre>
+</p>
+
+<h2>Connectivity</h2>
+
+<p>Once authentication is complete, the VPN connection can be
+established. At the time of writing much of the configuration for Legacy
+IP addressing and routes is understood and implemented. IPv6 is not
+yet implemented, and test reports from someone with an IPv6-capable server
+would be greatly appreciated.</p>
+
+<p>The data transport is functional both over the HTTPS session and also
+over ESP. Servers with compression enabled should also be supported, as
+LZO <em>decompression</em> is working and although we lack compression
+support it appears acceptable to simply send packets uncompressed.</p>
+
+<p>At the time of writing, some features such as automatic
+reconnection of the TCP connection, and keepalive of the UDP session
+(and thus fallback to using TCP) are not fully implemented. These will be
+added shortly, as they are required to have a fully production-quality
+client. However, the current implementation is basically usable and is
+definitely ready for some more widespread testing.</p>
+
+	<INCLUDE file="inc/footer.tmpl" />
+</PAGE>

www/menu1.xml

@@ -5,7 +5,7 @@
 	<MENU topic="Getting Started" link="building.html" mode="VAR_SEL_STARTED" />
 	<MENU topic="Mailing List / Help" link="mail.html" mode="VAR_SEL_MAIL" />
 	<MENU topic="Contribute" link="contribute.html" mode="VAR_SEL_CONTRIBUTE" />
-	<MENU topic="Technical stuff" link="technical.html" mode="VAR_SEL_TECHNICAL" />
+	<MENU topic="Protocols" link="anyconnect.html" mode="VAR_SEL_PROTOCOLS" />
 	<MENU topic="VPN Server" link="http://www.infradead.org/ocserv/" mode="VAR_SEL_SERVER" />
 	<MENU topic="OpenConnect VPN client" link="" mode="text" />
 	<ENDMENU />

www/menu2-protocols.xml

@@ -0,0 +1,6 @@
+<PAGE>
+	<STARTMENU level="2"/>
+        <MENU topic="AnyConnect" link="anyconnect.html" mode="VAR_SEL_ANYCONNECT" />
+        <MENU topic="Juniper" link="juniper.html" mode="VAR_SEL_JUNIPER" />
+	<ENDMENU />
+</PAGE>