F5 SSL VPN

Experimental support for F5 SSL VPN was added to OpenConnect in March 2021. It is also known as BIG-IP in some documentation. It is a PPP-based protocol using the native PPP support which was merged into the 9.00 release.

F5 mode is requested by adding --protocol=f5 to the command line:

  openconnect --protocol=f5 big-ip.example.com

Since tunnelling TCP over TCP performs very poorly, OpenConnect always tries to use PPP-over-DTLS first, and only falls back to the PPP-over-TLS tunnel if DTLS fails or has been disabled with the --no-dtls argument.

Quirks and Issues

Currently, OpenConnect only supports basic username/password authentication for F5, along with an optional TLS client certificate and the "domain" dropdown used by some F5 VPNs. The domain form field can be populated automatically with the --authgroup command-line option. If you have access to an F5 VPN which uses other types of authentication (e.g. RSA or OATH tokens), please send information to the mailing list so that we can add support to OpenConnect.

Connectivity over DTLS is supported, but currently limited to DTLSv1.0 because experiments show that BIG-IP server v15 cannot negotiate correctly down to DTLSv1.0 when a newer version of DTLS is attempted.
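As an added example (not code from the OpenConnect project or from this page), the following POSIX shell wrapper assembles the F5 invocation described above: --protocol=f5, an optional --authgroup to pre-fill the domain dropdown, an optional TLS client certificate, and --no-dtls to force the PPP-over-TLS tunnel when the DTLS path is unusable. The function name f5_connect, the F5_DRY_RUN variable, and the gateway, user and domain values are assumptions of the example; the openconnect options it emits (--user, --passwd-on-stdin, --certificate, --authgroup, --no-dtls) are existing OpenConnect flags. The wrapper reads the password from stdin rather than taking it as an argument, so the credential never appears in the process list.

```shell
#!/bin/sh
# Added example, not part of the OpenConnect project: a wrapper that assembles
# an openconnect command line for an F5 BIG-IP gateway. The function name,
# the F5_DRY_RUN variable and all sample values (gateway, user, domain, cert
# path) are constructed placeholders; the flags are OpenConnect's own options.
#
# Usage: f5_connect GATEWAY USER [DOMAIN] [CERT_FILE] [NO_DTLS]
#   DOMAIN    pre-fills the F5 "domain" dropdown via --authgroup
#   CERT_FILE optional TLS client certificate passed to --certificate
#   NO_DTLS   set to 1 to skip PPP-over-DTLS and use the TLS tunnel only
# The password is read from stdin (--passwd-on-stdin) so it never shows up
# in `ps`. Set F5_DRY_RUN=1 to print the argument list instead of connecting.
f5_connect() {
    gateway=$1
    user=$2
    domain=${3:-}
    cert=${4:-}
    no_dtls=${5:-0}

    if [ -z "$gateway" ] || [ -z "$user" ]; then
        echo "usage: f5_connect GATEWAY USER [DOMAIN] [CERT_FILE] [NO_DTLS]" >&2
        return 2
    fi

    # Base command: F5 protocol, fixed username, password taken from stdin.
    set -- openconnect --protocol=f5 --user="$user" --passwd-on-stdin

    if [ -n "$domain" ]; then
        set -- "$@" --authgroup="$domain"
    fi
    if [ -n "$cert" ]; then
        if [ ! -r "$cert" ]; then
            echo "f5_connect: certificate file not readable: $cert" >&2
            return 2
        fi
        set -- "$@" --certificate="$cert"
    fi
    if [ "$no_dtls" = 1 ]; then
        set -- "$@" --no-dtls
    fi
    set -- "$@" "$gateway"

    if [ "${F5_DRY_RUN:-0}" = 1 ]; then
        # One argument per line so any quoting mistake is visible.
        printf '%s\n' "$@"
    else
        "$@"
    fi
}
```

Run it as root (openconnect has to create the tun device) with the password on stdin, for example redirected from a root-only file, and set F5_DRY_RUN=1 first to inspect the exact argument list before connecting. Passing NO_DTLS=1 is the equivalent of the --no-dtls fallback described above for gateways where the DTLS negotiation does not complete.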