Pulse Connect Secure

Support for Pulse Connect Secure was added to OpenConnect in June 2019, for the 8.04 release. In most cases it supersedes the older Juniper Network Connect support. It is a much saner protocol.

Pulse mode is requested by adding --protocol=pulse to the command line:

  openconnect --protocol=pulse vpn.example.com

The TCP transport for Pulse Connect Secure works over IF-T/TLS, first using EAP (and EAP-TTLS if certificates are being used) for authentication and then passing traffic over IF-T messages over the same transport. Just as with the older Juniper protocol, the UDP transport is ESP.


The authentication cookies are compatible with the Juniper mode, which means that external tools like juniper-vpn-py should be usable with OpenConnect in Pulse mode too.

Host Checker

Support for Host Checker, also known as TNCC, has not yet been investigated and implemented for Pulse mode. The Juniper support may suffice for some users.


Once authentication is complete, the VPN connection can be established. Both Legacy IP and IPv6 should be working. However, some Pulse VPNs will not provide full IPv6 connectivity unless a recent version of the official Pulse client for Windows is spoofed (see comment on GitLab issue #254. For example:

  ./openconnect --protocol=pulse --useragent "Pulse-Secure/" --os=win