How the VPN works
The VPN is extremely simple, based almost entirely on the standard HTTPS and DTLS protocols. You connect to the secure web server, authenticate using certificates and/or arbitrary web forms, and you are rewarded with a standard HTTP cookie.
You then use this cookie in an HTTP CONNECT request, and can then pass traffic over that connection. IP addresses and routing information are passed back and forth in the headers of that CONNECT request.
Since TCP over TCP is very suboptimal, the VPN also attempts to use UDP datagrams, and will only actually pass traffic over the HTTPS connection if that fails. The UDP connectivity is done using Datagram TLS, which is supported by OpenSSL.
Note: DTLS is optional and not required for basic connectivity, as explained above.
Unfortunately, Cisco used an old version of OpenSSL for their server, which predates the official RFC and has a few differences in the implementation of DTLS.
Compatibility support for their "speshul" version of the protocol is in the 0.9.8m and later releases of OpenSSL (and 1.0.0-beta2 and later).
NOTE: OpenSSL 1.0.0k, 1.0.1d and 1.0.1e have introduced bugs which break this compatibility. See the thread on the mailing list, which has patches for each.
If you are using an older version of OpenSSL which predates the compatibility, you will need to apply this patch from OpenSSL CVS:
- http://cvs.openssl.org/chngview?cn=17500 (OpenSSL RT#1703)
- http://cvs.openssl.org/chngview?cn=17505 (OpenSSL RT#1752)
Support for Cisco's version of DTLS was included in GnuTLS from 3.0.21 onwards.