Re: Does openconnect support IPSec with EAP-MSCHAPv2 authentication?

2020-03-24 Thread Daniel Lenski
On Tue, Mar 24, 2020 at 4:59 AM David Woodhouse  wrote:
>
> On Mon, 2020-03-23 at 18:02 -0700, Daniel Lenski wrote:
> > One approach is to try to put together an anonymized document that
> > describes the protocol abstractly, like I did here for GlobalProtect
> > as I was studying it:
> > https://github.com/dlenski/openconnect/blob/master/PAN_GlobalProtect_protocol_doc.md
> >
> > The good news is that a lot of the information needed to add support
> > for Cisco IPSEC is probably right there in the headers of the CSTP
> > connection request/response which we already understand very well. Try
> > connecting to your server with `openconnect --dump -`, and start
> > looking for HTTP headers that mention IPSEC or ESP.
> >
> > It's all plain text at that point, so it should be quite
> > straightforward to identify and obfuscate anything that may be
> > sensitive (e.g. username, password, cookies, secret values).
>
> Isn't this the IKE-based one that is partly supported by vpnc?

Your guess is as good as mine. ¯\_(ツ)_/¯

I have…
a) Actually used old Cisco VPNs that use IKEv1 for auth and
configuration and ESP for data transport (with vpnc)
b) Actually used Cisco VPNs that use HTTPS for auth and DTLS and/or
HTTPS for data transport (with OpenConnect)
c) Heard half-whispered legends alleging the existence of Cisco VPNs
that use HTTPS for auth and ESP for data transport
d) Probably not heard of all of them despite the fact that I spent a
substantial fraction of my time figuring out how to connect to various
VPNs from 2016-2019.

I guess we're going to find out if this is an (a) or a (c) or a (d).

This page*
(https://www.cisco.com/c/en/us/support/docs/security/vpn-client/45102-vpnclientfaq.html#client)
says “The AnyConnect client supports SSL and DTLS. It does not support
IPsec at this time.”

Dan

* Though that page is also dated 2014, and its references to Windows
Vista suggest it's older than that. It also makes some
less-than-confidence-inspiring statements such as, “The languages
supported on the Cisco VPN Client GUI versions later than 4.0 are
Canadian, French, and Japanese.”

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel


Re: Does openconnect support IPSec with EAP-MSCHAPv2 authentication?

2020-03-24 Thread David Woodhouse
On Mon, 2020-03-23 at 18:02 -0700, Daniel Lenski wrote:
> On Mon, Mar 23, 2020 at 4:43 PM dan.m...@gmail.com  wrote:
> > 
> > As much as I would like to share the capture, I'm not really sure I
> > have the liberty of sharing it? As there could be private information
> > contained within it. I know that makes this more difficult for me.

It should be easy enough to edit out usernames and passwords. Any
session key that is obtained through authorisation is going to be tied
to the life of that session so won't be useful any more.

Send it to Daniel and me in private if you prefer.

> One approach is to try to put together an anonymized document that
> describes the protocol abstractly, like I did here for GlobalProtect
> as I was studying it:
> https://github.com/dlenski/openconnect/blob/master/PAN_GlobalProtect_protocol_doc.md
> 
> The good news is that a lot of the information needed to add support
> for Cisco IPSEC is probably right there in the headers of the CSTP
> connection request/response which we already understand very well. Try
> connecting to your server with `openconnect --dump -`, and start
> looking for HTTP headers that mention IPSEC or ESP.
>
> It's all plain text at that point, so it should be quite
> straightforward to identify and obfuscate anything that may be
> sensitive (e.g. username, password, cookies, secret values).

Isn't this the IKE-based one that is partly supported by vpnc?


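One way to scrub an `openconnect --dump -` style capture before sharing it, as an added example that is not code from OpenConnect or from anyone in this thread: the sample dump is constructed (the X-Hypothetical-* names stand in for whatever IPSEC/ESP headers a real server might send, which the thread does not name), and the set of headers treated as sensitive is an assumption.

```python
import re

# Constructed sample in the shape of `openconnect --dump -` HTTP header output.
# All values are invented; the X-Hypothetical-* names stand in for whatever
# IPSEC/ESP headers a real server might send (the thread does not name them).
SAMPLE_DUMP = """\
POST /CSCOSSLC/tunnel HTTP/1.1
Host: vpn.corp.example.com
Cookie: webvpn=CONSTRUCTED-SESSION-SECRET
X-CSTP-Version: 1
X-CSTP-Hostname: alice-laptop
HTTP/1.1 200 OK
Set-Cookie: webvpnc=CONSTRUCTED-CONFIG-SECRET
X-CSTP-Address: 10.20.30.40
X-CSTP-MTU: 1406
X-Hypothetical-ESP-Transport: udp/4500
X-Hypothetical-IPsec-Cipher: aes-256-gcm
"""

# Headers whose values are credentials or identify the user/machine (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-cstp-hostname"}
HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TRANSPORT_RE = re.compile(r"\b(ipsec|esp)\b", re.IGNORECASE)


def redact_dump(dump: str) -> tuple[str, list[str]]:
    """Return (scrubbed text, names of headers that mention IPSEC or ESP)."""
    scrubbed, transport_headers = [], []
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            scrubbed.append(line)  # request/status lines pass through unchanged
            continue
        name, value = m.group(1), m.group(2)
        lname = name.lower()
        if lname in SENSITIVE_HEADERS:
            value = "<REDACTED>"  # secrets and identifying values go entirely
        elif lname == "host":
            value = "vpn.redacted.example"  # keep the header, hide the gateway
        else:
            value = IPV4_RE.sub("<IP-REDACTED>", value)  # keep structure, mask IPs
        # Flag the headers the developers asked to look for, after redaction.
        if TRANSPORT_RE.search(name) or TRANSPORT_RE.search(value):
            transport_headers.append(name)
        scrubbed.append(f"{name}: {value}")
    return "\n".join(scrubbed) + "\n", transport_headers
```

Running `redact_dump(SAMPLE_DUMP)` leaves the X-CSTP-MTU and X-Hypothetical-* lines readable while the cookie, client hostname and assigned address are masked.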