From ffebb560afe5d66d5827863ebff3f8f3736cf309 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Wed, 1 Aug 2018 18:25:13 -0700 Subject: [PATCH] Fill in a few missing references to GlobalProtect, TNCC, and DTLS support in the docs Also clarifies the command-line options regarding compression Signed-off-by: Daniel Lenski --- main.c | 4 ++-- www/anyconnect.xml | 2 +- www/features.xml | 2 +- www/globalprotect.xml | 6 ++++++ www/index.xml | 9 ++++++--- www/juniper.xml | 8 ++++---- 6 files changed, 20 insertions(+), 11 deletions(-) diff --git a/main.c b/main.c index 1ef54813..379cf5de 100644 --- a/main.c +++ b/main.c @@ -863,8 +863,8 @@ static void usage(void) printf(" -x, --xmlconfig=CONFIG %s\n", _("XML config file")); printf(" -m, --mtu=MTU %s\n", _("Request MTU from server (legacy servers only)")); printf(" --base-mtu=MTU %s\n", _("Indicate path MTU to/from server")); - printf(" -d, --deflate %s\n", _("Enable compression (default)")); - printf(" -D, --no-deflate %s\n", _("Disable compression")); + printf(" -d, --deflate %s\n", _("Enable stateful compression (default is stateless only)")); + printf(" -D, --no-deflate %s\n", _("Disable all compression")); printf(" --force-dpd=INTERVAL %s\n", _("Set minimum Dead Peer Detection interval")); printf(" --pfs %s\n", _("Require perfect forward secrecy")); printf(" --no-dtls %s\n", _("Disable DTLS and ESP")); diff --git a/www/anyconnect.xml b/www/anyconnect.xml index 5ee1ce17..fd7e90ac 100644 --- a/www/anyconnect.xml +++ b/www/anyconnect.xml @@ -59,7 +59,7 @@ The username/password for OpenSSL RT is 'guest/guest'

GnuTLS

-

Support for Cisco's version of DTLS was included in GnuTLS from 3.0.21 onwards.

+

Support for Cisco's version of DTLS was included in GnuTLS from 3.0.21 onwards (commited in fd5ca1af).
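Review bot: In the added GnuTLS sentence in www/anyconnect.xml, "commited" is misspelled (it should be "committed"), and the bare abbreviated hash fd5ca1af does not say which repository it belongs to. This page is rendered for end users, so suggest naming the repository next to the hash or making it a link to the commit, so that a reader can follow the reference. An abbreviated hash on its own can also become ambiguous as a repository grows.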

diff --git a/www/features.xml b/www/features.xml index cbe91447..f878e96d 100644 --- a/www/features.xml +++ b/www/features.xml @@ -24,7 +24,7 @@
  • Automatic update of VPN server list / configuration.
  • Roaming support, allowing reconnection when the local IP address changes.
  • Run without root privileges (see here).
  • -
  • Support for "Cisco Secure Desktop" (see here) and "GlobalProtect HIP report" (see here).
  • +
  • Support for "Cisco Secure Desktop" (see here), Juniper TNCC (see here), and "GlobalProtect HIP report" (see here).
  • Graphical connection tools for various environments (see here).
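Review bot: The added "Juniper TNCC (see here)" item in www/features.xml is the only one of the three names left unquoted, and it uses a different name from the section in www/juniper.xml touched by this same patch, which is titled "Host Checker (tncc.jar)". Suggest wording such as "Juniper Host Checker (TNCC)", quoted like its neighbours, so that a reader arriving from this list recognises the section they land on.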
  • diff --git a/www/globalprotect.xml b/www/globalprotect.xml index 655db9a2..a9de423a 100644 --- a/www/globalprotect.xml +++ b/www/globalprotect.xml @@ -16,6 +16,12 @@ href="https://tools.ietf.org/html/rfc3948">ESP, with routing and configuration information distributed in XML format.

    +

    GlobalProtect mode is requested by adding --protocol=gp +to the command line: +

    +  openconnect --protocol=gp vpn.example.com
    +

    +

    Authentication

    To authenticate, you connect to the secure web server (POST diff --git a/www/index.xml b/www/index.xml index 28d0b95a..ec2147e9 100644 --- a/www/index.xml +++ b/www/index.xml @@ -9,15 +9,18 @@

    OpenConnect

    -

    OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure.

    +

    OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. +It has since been ported to support the Juniper SSL VPN (which is now known as Pulse Connect Secure), +and to the Palo Alto Networks GlobalProtect SSL VPN.

    OpenConnect is released under the GNU Lesser Public License, version 2.1.

    Like vpnc, OpenConnect is not officially supported by, or associated in any way -with, Cisco Systems, Juniper Networks or Pulse Secure. It just happens to interoperate with their equipment. +with, Cisco Systems, Juniper Networks, Pulse Secure, or Palo Alto Networks. +It just happens to interoperate with their equipment.

    -

    Development of OpenConnect was started after a trial of the Cisco +

    Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies:

    • Inability to use SSL certificates from a TPM or diff --git a/www/juniper.xml b/www/juniper.xml index d4f3fbfe..82f31061 100644 --- a/www/juniper.xml +++ b/www/juniper.xml @@ -16,10 +16,10 @@ experimental, and is quite likely to be deprecated in favour of the newer Junos Pulse protocol.

      -

      For the time being, Juniper mode is requested by adding --juniper +

      Juniper mode is requested by adding --protocol=nc to the command line:

      -  openconnect --juniper vpn.example.com
      +  openconnect --protocol=nc vpn.example.com
       

      Network Connect works very similarly to @@ -65,7 +65,7 @@ pass the cookie to OpenConnect with its -C option, for example:

      -

      Host Checker (tncc.jar)

      +

      Host Checker (tncc.jar)

      Many sites require a Java applet to run certain tests as a precondition of authentication. This works by sending a DSPREAUTH cookie @@ -80,7 +80,7 @@ along with the tncc-preload.so from this repository. It may also be necessary to pass a Mozilla-compatible user agent string:

      -  ./openconnect --juniper --useragent  'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=./tncc-wrapper.py vpn.example.com
      +  ./openconnect --protocol=nc --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=./tncc-wrapper.py vpn.example.com
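Review bot: In www/juniper.xml, this example and the one in the first hunk both switch from --juniper to --protocol=nc, and the old spelling disappears from the page without comment. If --juniper is still accepted, a short sentence saying it is a legacy alias for --protocol=nc would help users whose existing scripts use it; if it is no longer accepted, that deserves a note as well. The first hunk also drops "For the time being" while the context line just above it still describes the support as experimental and "quite likely to be deprecated", so it is worth rereading that paragraph as a whole to check the two statements still agree.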
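Review bot: In the main.c usage() hunk, the new -d text "Enable stateful compression (default is stateless only)" can be read as switching to stateful compression instead of stateless, rather than adding it. If the option enables stateful modes in addition to the stateless ones, wording such as "Enable stateful compression as well (default is stateless only)" would remove the ambiguity; the new -D text "Disable all compression" is clear as it stands. Both strings are passed through _(), so existing translations of the old text will stop matching until the message catalogs are updated, which is worth doing in the same series.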