Почетна Преглед Помоћ
Пријавите се
vimacs
/
openconnect
Прати 1
Волим 0
Креирај огранак 0
Датотеке Дискусије 0 Захтеви за спајање 0 Вики
Дрво: 2448e70def
Гране Ознаке
openconnect
/
www
/
juniper.xml

juniper.xml 4.2 KB
Историја Датотека

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. <PAGE>
    2. 

  2. 	<INCLUDE file="inc/header.tmpl" />
    3. 

  3. 

  4. 	<VAR match="VAR_SEL_PROTOCOLS" replace="selected" />
    5. 

  5. 	<VAR match="VAR_SEL_JUNIPER" replace="selected" />
    6. 

  6. 	<PARSE file="menu1.xml" />
    7. 

  7. 	<PARSE file="menu2-protocols.xml" />
    8. 

  8. 

  9. 	<INCLUDE file="inc/content.tmpl" />
    10. 

  10. 

  11. <h1>Juniper SSL VPN / Pulse Connect Secure</h1>
    12. 

  12. 

  13. <p>Support for Juniper's Network Connect protocol was added to
    14. 

  14. OpenConnect in early 2015, for the 7.05 release. It is still
    15. 

  15. experimental, and is quite likely to be deprecated in favour of the newer
    16. 

  16. <a href="http://www.juniper.net/techpubs/en_US/junos-pulse4.0/topics/reference/a-c-c-nc-comparing.html">Junos
    17. 

  17. Pulse</a> protocol.</p>
    18. 

  18. 

  19. <p>Juniper mode is requested by adding <tt>--protocol=nc</tt>
    20. 

  20. to the command line:
    21. 

  21. <pre>
    22. 

  22.   openconnect --protocol=nc vpn.example.com
    23. 

  23. </pre></p>
    24. 

  24. 

  25. <p>Network Connect works very similarly to
    26. 

  26. <a href="anyconnect.html">AnyConnect</a> — initial authentication is made
    27. 

  27. over HTTP, resulting in an HTTP cookie which is used to make the actual
    28. 

  28. VPN connection. That connection is also made over HTTP, and the IP address
    29. 

  29. and routing information are provided by the VPN server. The client then
    30. 

  30. attempts to bring up a UDP transport, which in the case of Juniper is
    31. 

  31. <a href="https://tools.ietf.org/html/rfc3948">ESP</a>.</p>
    32. 

  32. 

  33. <h2>Authentication</h2>
    34. 

  34. 

  35. <p>The authentication stage with Juniper is what is expected to cause
    36. 

  36. most problems. Unlike AnyConnect which has a relatively simple XML
    37. 

  37. schema for interacting with the user, the Juniper VPN expects a full
    38. 

  38. web browser environment and uses HTML forms with JavaScript and even
    39. 

  39. full-blown Java support.</p>
    40. 

  40. 

  41. <p>The common case is relatively simple, and OpenConnect supports the
    42. 

  42. common forms defined by the Juniper-provided templates. However,
    43. 

  43. administrators have the facility to put arbitrary HTML pages into the
    44. 

  44. login sequence and full compatibility may require <em>actually</em>
    45. 

  45. using a web browser to log in — ironically, since much of the reason
    46. 

  46. users have been asking for OpenConnect to support Juniper is because
    47. 

  47. they didn't <em>want</em> to have to use a web browser.</p>
    48. 

  48. <p>For NetworkManager we may end up putting a full HTML renderer into
    49. 

  49. the GUI authentication dialog, while the command line client continues
    50. 

  50. to parse the common login forms and make a best attempt at handling
    51. 

  51. anything non-standard.</p>
    52. 

  52. 

  53. <h3>External authentication</h3>
    54. 

  54. <p>There are a number of perl and python scripts which handle authentication
    55. 

  55. to Juniper servers to bypass the web browser. One such script has been
    56. 

  56. ported to invoke OpenConnect instead of Juniper's own <tt>ncsvc</tt>
    57. 

  57. client and can be found
    58. 

  58. <a href="https://github.com/russdill/juniper-vpn-py">here</a>.</p>
    59. 

  59. 

  60. <p>Any of these scripts which authenticate and obtain a <tt>DSID</tt>
    61. 

  61. cookie representing a VPN session can be used with OpenConnect. Just
    62. 

  62. pass the cookie to OpenConnect with its <tt>-C</tt> option, for example:
    63. 

  63. <pre>
    64. 

  64.   openconnect --juniper -C "DSID=foobar12345" vpn.example.com
    65. 

  65. </pre>
    66. 

  66. </p>
    67. 

  67. 

  68. <h3>Host Checker (tncc.jar)</h3>
    69. 

  69. 

  70. <p>Many sites require a Java applet to run certain tests as a precondition
    71. 

  71. of authentication (similar to <a href="csd.html">CSD</a>
    72. 

  72. for AnyConnect VPNs and <a href="hip.html">HIP</a> for GlobalProtect VPNs).
    73. 

  73. See the <a href="tncc.html">Host Checker / TNCC page</a> for how to configure OpenConnect
    74. 

  74. to wrap and run this applet.
    75. 

  75. </p>
    76. 

  76. 

  77. <h2>Connectivity</h2>
    78. 

  78. 

  79. <p>Once authentication is complete, the VPN connection can be
    80. 

  80. established. At the time of writing much of the configuration for Legacy
    81. 

  81. IP addressing and routes is understood and implemented. IPv6 is not
    82. 

  82. yet implemented, and test reports from someone with an IPv6-capable server
    83. 

  83. would be greatly appreciated.</p>
    84. 

  84. 

  85. <p>The data transport is functional both over the HTTPS session and also
    86. 

  86. over ESP. Servers with compression enabled should also be supported, as
    87. 

  87. LZO <em>decompression</em> is working and although we lack compression
    88. 

  88. support it appears acceptable to simply send packets uncompressed.</p>
    89. 

  89. 

  90. <p>At the time of writing, keepalive for the ESP connection has been
    91. 

  91. implemented and extremely lightly tested, while it isn't yet known if
    92. 

  92. the VPN supports keepalive on the HTTPS connection. Reconnection of both
    93. 

  93. the HTTPS and ESP links is implemented. The current implementation is
    94. 

  94. basically usable and is definitely ready for some more widespread testing.</p>
    95. 

  95. 

  96. 	<INCLUDE file="inc/footer.tmpl" />
    97. 

  97. </PAGE>
    98. 

  98.