[vpnc-devel] Cisco AnyConnect over SSL / DTLS

David Woodhouse dwmw2 at infradead.org
Mon Sep 22 23:34:25 CEST 2008


On Mon, 2008-09-22 at 20:57 +0100, A. Dreyer (VPNC mailing list) wrote:
> David Woodhouse wrote:
> > On Mon, 2008-09-15 at 18:02 -0700, David Woodhouse wrote:
> >> Is anyone else interested in helping to make this work? In particular,
> >> anyone with a little more clue about DTLS and/or OpenSSL?
> > 
> > I'll take that as a 'no' :)
> 
> I am not sure if this is the right forum as SSL-VPNs and IPsec VPNs have
> not much in common and vpnc (only) tries to be a (Cisco) IPsec compliant
> client.

Yes, you're probably right -- although from the users' point of view,
they just look for 'Cisco compatible'. So maybe there is some benefit in
combining them.

Vpnc could also potentially benefit from being hooked up to lwip+socks
so that it isn't limited to 'real' routing and needing root privileges.

Integration would also mean that we only need one implementation of
stuff like distribution-compatible networking scripts, NetworkManager
plugins, etc. 

I'm happy enough going my own way with it though -- at least for now.

> >> Does it make sense to try to merge any of this with vpnc, or should it
> >> be a completely separate client? It doesn't seem to actually share
> >> much.
> > 
> > I've gone for a separate client, which I've made available at 
> > http://git.infradead.org/users/dwmw2/anyconnect.git
> 
> I don't have access to the right Cisco gear but would definitely like to
> try some compatibility testing against other vendors' SSL-VPN software
> (if it is semi-working...).

It's working now, at least over the TCP connection (with the obvious
caveats of TCP-over-TCP). I implemented compression support last night,
and fixed a bunch of compatibility issues.

There are still some rough edges -- it currently just opens the tuntap
device and _tells_ you the IP addresses to use, rather than setting it
up for you. I haven't bothered fixing that yet because I don't run it as
root anyway -- and I don't _want_ it stealing my default route either. I
actually plan to do the lwip+socks thing quite soon, and then just use
it like that instead of with a tun device.

It also doesn't do the initial authentication to obtain the http cookie
it needs -- there's a 'curl.c' file which does that against our Cisco
server (using a certificate), and gets you the cookie which you pass to
the real VPN program on its command line. That needs some more thought
-- I don't like using cURL because I'm going to need to be able to use
the TPM at some point in the very near future. But I think it probably
_does_ want to be done in a separate process, like in a NetworkManager
plugin perhaps.

I have yet to attempt the DTLS part. It _looks_ fairly obvious, but
they're using a pre-RFC version of DTLS and their own bastardised
version of OpenSSL which looks like 0.9.8f but isn't. I can't get their
client working with my own builds of the OpenSSL library (which have
lots of extra debugging), but I'm hoping that's just ABI issues and
it'll "just work" when I hook it up in my own client. We'll see...

> Do you have a mailing list for developers or an announce list?

Not yet, although it's simple enough for me to create one. I was trying
to avoid having to create a whole new package and the rest of the stuff
that goes along with it.

-- 
dwmw2