From 836991890bbdaf7ee4d6567312a814f396fc9881 Mon Sep 17 00:00:00 2001
From: Daniel Lenski Experimental support for F5 SSL
-VPN was added to OpenConnect in March 2021. It is a PPP-based
+VPN was added to OpenConnect in March 2021. It is also known as BIG-IP in
+some documentation. It is a
+PPP-based
protocol using the native PPP support which was merged into the 9.00
release.F5 SSL VPN
Currently, OpenConnect only supports basic username/password +authentication for F5, along with an optional TLS client certificate +and the "domain" dropdown used by some F5 VPNs. The domain form field +can be automatically populated with the --authgroup command-line option. +If you have access to an F5 VPN which uses other types of authentication (e.g. +RSA or OATH tokens), please send information to the mailing +list so that we add support to OpenConnect.
+OpenConnect does not yet support the UDP transport for F5, and -will use PPP over TCP for connectivity.
+will use PPP over TCP for connectivity, +which is suboptimal +for performance.Experimental support for Fortinet SSL -VPN was added to OpenConnect in March 2021. It is a PPP-based +VPN was added to OpenConnect in March 2021. It is also known as FortiGate +in some documentation. It is a +PPP-based protocol using the native PPP support which was merged into the 9.00 release.
@@ -22,8 +24,33 @@ to the command line: openconnect --protocol=fortinet fortigate.example.com +In terms of authentication for Fortinet VPNs, OpenConnect currently supports +basic username/password, optional TLS client certificate, and optional multifactor +authentication token entry via the "tokeninfo" challenge/response mechanism (which +appears to be the most common mechanism by which Fortinet VPNs support multifactor +authentication). If you have access to a Fortinet VPN which uses other types of +authentication, please send information to the mailing +list so that we add support to OpenConnect.
+ +The Fortinet protocol appears not to allow its +post-authentication cookie (as output by --authenticate) to +be used to reestablish a dropped connection. This means that if the +client loses its connection to the gateway (for example, due to a +network outage, or after roaming to a different physical adapter) a +new authentication will always be required. This is a substantial +design flaw which is not present in any of the other protocols +supported by OpenConnect; if you have access to a Fortinet VPN which +can automatically reconnect after a dropped connection, +please send information to the mailing list +so we can understand it better, and whether we can support this feature +on other Fortinet VPNs.
+OpenConnect does not yet support the UDP transport for Fortinet, and -will use PPP over TCP for connectivity.
+will use PPP over TCP for connectivity, +which is suboptimal +for performance.
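Review bot: In the intro hunks for both F5 and Fortinet, the added sentence "It is also known as BIG-IP in some documentation" (and the FortiGate equivalent) has an ambiguous "It": the preceding sentence's subject is "Experimental support", not the VPN. The result is also two consecutive sentences starting "It is". Suggest naming the subject and folding the alias into one sentence, e.g. "F5 SSL VPN (also known as BIG-IP in some documentation) is a PPP-based protocol using the native PPP support ...".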
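Review bot: In the F5 authentication paragraph, "so that we add support to OpenConnect" is missing a modal verb. "so that we can add support" reads correctly, and the same wording appears in the Fortinet authentication paragraph, so both need the fix. The two paragraphs also differ in how specific the request is: F5 names "RSA or OATH tokens" as examples, while Fortinet says only "other types of authentication". Giving Fortinet an example as well would tell users what kind of report is useful.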
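Review bot: The Fortinet reconnect paragraph opens with the hedged "appears not to allow" but then asserts "This is a substantial design flaw" as settled fact, even though the same paragraph goes on to ask for counter-examples. Keep the hedge consistent, for instance "If so, this is a substantial design flaw ...". Since the previous paragraph documents "tokeninfo" multifactor entry, it would help to say whether "a new authentication" means re-entering the token too, because that is the practical cost for anyone relying on --authenticate output. The closing clause "so we can understand it better, and whether we can support this feature" does not parse; suggest "so that we can understand it better and determine whether we can support this feature on other Fortinet VPNs".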
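Review bot: The clause "which is suboptimal for performance", added to the UDP-transport sentence in both the F5 and Fortinet sections, gives no reason and nothing for the reader to act on as it appears here. Say in a few words why PPP over TCP performs worse than the UDP transport, or point to an existing explanation. The sentence is now duplicated word for word across the two sections, so any later correction has to be made twice; consider keeping the explanation in one place and referring to it.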