From 836991890bbdaf7ee4d6567312a814f396fc9881 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Thu, 8 Apr 2021 14:35:08 -0700 Subject: [PATCH] Expand F5 and Fortinet documentation Explain currently-supported authentication modes, and request feedback on additional modes. Explain Fortinet's misfeature/design flaw, which prevents it from automatically reconnecting after a dropped or roamed connection, without a new authentication. Request feedback if anyone has access to a Fortinet VPN that *doesn't* have this flaw. Signed-off-by: Daniel Lenski --- www/f5.xml | 20 +++++++++++++++++--- www/fortinet.xml | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 47 insertions(+), 6 deletions(-) diff --git a/www/f5.xml b/www/f5.xml index ea2830b6..58db24f5 100644 --- a/www/f5.xml +++ b/www/f5.xml @@ -5,14 +5,16 @@ - +

F5 SSL VPN

Experimental support for F5 SSL -VPN was added to OpenConnect in March 2021. It is a PPP-based +VPN was added to OpenConnect in March 2021. It is also known as BIG-IP in +some documentation. It is a +PPP-based protocol using the native PPP support which was merged into the 9.00 release.

@@ -22,8 +24,20 @@ to the command line: openconnect --protocol=f5 big-ip.example.com

+

Quirks and Issues

+ +

Currently, OpenConnect only supports basic username/password +authentication for F5, along with an optional TLS client certificate +and the "domain" dropdown used by some F5 VPNs. The domain form field +can be automatically populated with the --authgroup command-line option. +If you have access to an F5 VPN which uses other types of authentication (e.g. +RSA or OATH tokens), please send information to the mailing +list so that we add support to OpenConnect.

+

OpenConnect does not yet support the UDP transport for F5, and -will use PPP over TCP for connectivity.

+will use PPP over TCP for connectivity, +which is suboptimal +for performance.
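Review bot: the new F5 authentication paragraph ends with "so that we add support to OpenConnect", which should read "so that we can add support to OpenConnect". Since the paragraph asks users to send details of other authentication types (RSA or OATH tokens) to the mailing list, it would help to say what is useful to send, such as the sequence of forms the gateway presents, and to remind reporters not to include their own credentials or token secrets in the report. The added "which is suboptimal for performance" would read more naturally as "at some cost in performance".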

diff --git a/www/fortinet.xml b/www/fortinet.xml index e484bb97..bf751fb2 100644 --- a/www/fortinet.xml +++ b/www/fortinet.xml @@ -5,14 +5,16 @@ - +

Fortinet SSL VPN

Experimental support for Fortinet SSL -VPN was added to OpenConnect in March 2021. It is a PPP-based +VPN was added to OpenConnect in March 2021. It is also known as FortiGate +in some documentation. It is a +PPP-based protocol using the native PPP support which was merged into the 9.00 release.

@@ -22,8 +24,33 @@ to the command line: openconnect --protocol=fortinet fortigate.example.com

+

Quirks and Issues

+ +

In terms of authentication for Fortinet VPNs, OpenConnect currently supports +basic username/password, optional TLS client certificate, and optional multifactor +authentication token entry via the "tokeninfo" challenge/response mechanism (which +appears to be the most common mechanism by which Fortinet VPNs support multifactor +authentication). If you have access to a Fortinet VPN which uses other types of +authentication, please send information to the mailing +list so that we add support to OpenConnect.

+ +

The Fortinet protocol appears not to allow its +post-authentication cookie (as output by --authenticate) to +be used to reestablish a dropped connection. This means that if the +client loses its connection to the gateway (for example, due to a +network outage, or after roaming to a different physical adapter) a +new authentication will always be required. This is a substantial +design flaw which is not present in any of the other protocols +supported by OpenConnect; if you have access to a Fortinet VPN which +can automatically reconnect after a dropped connection, +please send information to the mailing list +so we can understand it better, and whether we can support this feature +on other Fortinet VPNs.

+

OpenConnect does not yet support the UDP transport for Fortinet, and -will use PPP over TCP for connectivity.

+will use PPP over TCP for connectivity, +which is suboptimal +for performance.
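Review bot: the reconnect paragraph should spell out the practical consequence for anyone using --authenticate: because the post-authentication cookie cannot re-establish a dropped connection, it is effectively single-use, so a script that caches the cookie and replays it on a retry will fail and must be prepared to run a fresh authentication. Calling this "a substantial design flaw" is a judgment call; a cookie that is not reusable after the session drops also limits how long a captured cookie remains useful, so "a usability limitation not present in the other protocols" may be the fairer wording. Two grammar fixes: "so that we add support" should be "so that we can add support", and "so we can understand it better, and whether we can support" should be "so we can understand it better and determine whether we can support". As in the F5 hunk, "which is suboptimal for performance" reads better as "at some cost in performance".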

-- 2.50.1