Pulse Connect Secure

Support for Pulse Connect Secure was added to OpenConnect in June 2019, for the 8.04 release. In most cases it supersedes the older Juniper Network Connect support. It is a much saner protocol.

Pulse mode is requested by adding --protocol=pulse to the command line:

  openconnect --protocol=pulse vpn.example.com

The TCP transport for Pulse Connect Secure runs over IF-T/TLS: it first uses EAP (and EAP-TTLS if certificates are being used) for authentication, then passes traffic in IF-T messages over the same transport. Just as with the older Juniper protocol, the UDP transport is ESP.
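The IF-T/TLS framing mentioned above, as an added example (not OpenConnect's own code): a bounds-checked parser for the 16-byte message header. It assumes the layout from the TCG IF-T binding to TLS, which is not given on this page: four big-endian 32-bit fields (vendor ID, message type, total length, sequence number). The function names, the 16384-byte cap and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>   /* also provides size_t */

#define IFT_HDR_LEN 16u   /* vendor, type, length, sequence: 4 x be32 */
struct ift_hdr { uint32_t vendor, type, length, seq; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the message length, 0 if more bytes are needed, -1 if malformed. */
long ift_parse(const uint8_t *buf, size_t avail, size_t max_msg, struct ift_hdr *h)
{
    if (avail < IFT_HDR_LEN)
        return 0;
    h->vendor = be32(buf) & 0x00ffffffu;   /* top byte is reserved */
    h->type   = be32(buf + 4);
    h->length = be32(buf + 8);             /* counts the header too */
    h->seq    = be32(buf + 12);
    /* The length is peer-controlled: bound it before using it as an offset. */
    if (h->length < IFT_HDR_LEN || h->length > max_msg)
        return -1;
    return h->length <= avail ? (long)h->length : 0;
}

/* Count complete messages in a captured stream; -1 on a malformed header. */
int ift_count(const uint8_t *buf, size_t len, size_t max_msg)
{
    struct ift_hdr h;
    long used;
    int n = 0;
    while ((used = ift_parse(buf, len, max_msg, &h)) > 0) {
        buf += used; len -= (size_t)used; n++;
    }
    return used < 0 ? -1 : n;
}

/* Constructed sample: two messages with 4 and 0 payload bytes. */
const uint8_t ift_sample[] = {
    0,0,0x0a,0x4c, 0,0,0,1, 0,0,0,20, 0,0,0,0, 0xde,0xad,0xbe,0xef,
    0,0,0x0a,0x4c, 0,0,0,2, 0,0,0,16, 0,0,0,1,
};

int main(void)
{
    printf("%d complete messages\n", ift_count(ift_sample, sizeof ift_sample, 16384));
    return 0;
}
```

A length field smaller than the header or larger than the receiver's cap is rejected outright, while a valid length that exceeds the bytes read so far just means the caller should read more from the TLS stream.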

Authentication

The authentication cookies are compatible with the Juniper mode, which means that external tools like juniper-vpn-py should be usable with OpenConnect in Pulse mode too.

Host Checker

Support for Host Checker, also known as TNCC, has not yet been investigated or implemented for Pulse mode. The Juniper support may suffice for some users.

Connectivity

Once authentication is complete, the VPN connection can be established. Both Legacy IP and IPv6 should be working, although test reports from someone with an IPv6-capable server would be greatly appreciated as the freely available demo Virtual Appliance does not support IPv6.