Feature Request - Open Connect Server



  • I've got an instance of OCSERV up and running on my pfSense box so I know it works.  I'd like to request that Open Connect be integrated as a package in pfSense.

    For those who don't know what Open Connect is, it's the OSS version of Cisco's AnyConnect SSL VPN and is compatible with the AnyConnect client.  Integrating this into pfSense would make moving off of Cisco ASA firewalls (or other Cisco SSL VPN gateways) that much easier.



  • I'd like to second this, for the same reasons.

    Also, the Cisco SPA525G2 IP phones have integrated support for AnyConnect client, so having OpenConnect in a pfSense gateway would make providing off-site remote IP phone access (using these models) so much easier.

    There's a ton of good reasons to provide a package for OpenConnect Server.



  • I would also like to request this. I just posted in another similar thread: https://forum.pfsense.org/index.php?topic=110379.0



  • Hi

    Kranz, could you please provide a write up how you managed to install and configure ocserv as I would like to install it on my pfsense fw.

    Thanks


  • Rebel Alliance Global Moderator

    ^ pretty sure you could just install the package ;)

    http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/ocserv-0.11.6.txz

    And then RTFM on how to configure it hehehehe

    As to Kranz he is a 1 post wonder that hasn't been here since June - I don't think he is coming back ;)



  • @KranZ:

    I've got an instance of OCSERV up and running on my pfSense box so I know it works.  I'd like to request that Open Connect be integrated as a package in pfSense.

    For those who don't know what Open Connect is, it's the OSS version of Cisco's AnyConnect SSL VPN and is compatible with the AnyConnect client.  Integrating this into pfSense would make moving off of Cisco ASA firewalls (or other Cisco SSL VPN gateways) that much easier.

    +1



  • This would be good to have. "AnyConnect compatible server, replace that ugly green cisco box" would be a nice tagline



  • +1.  Having an AnyConnect client compatible 'server' running on pfSense would be wonderful, even if it's not official.



  • Tried the same; ocserv is up and running, but how did you get the firewall rules working???

    ocserv makes a tunX device for each connection …

    thx



  • +1 to this. ocserv would be a huge value proposition.



  • Unless there is fear of litigation from Cisco, I would think this would be a high priority for the devs to make it a package.  Being able to use AnyConnect is probably one of the main reasons people would migrate to pfSense from ASAs, or at least one of them.



  • Think this would be great because there is no need to use the original Cisco client on Windows or Linux either

    http://www.infradead.org/openconnect/

    I already built the latest packages and got it up and running, but all inside traffic on the tun interfaces got blocked. The trick provided for the OpenConnect client only works as long as the client connection stays. As a newbie in BSD I am struggling with the pf firewall rules; I read something about anchor rules but … I really have no clue at all ... :-[

    Ocserv's main features are security through privilege separation and sandboxing, accounting, and resilience due to a combined use of TCP and UDP. Authentication occurs in an isolated security module process, and each user is assigned an unprivileged worker process, and a networking (tun) device. That not only eases the control of the resources of each user or group of users, but also prevents data leak (e.g., heartbleed-style attacks), and privilege escalation due to any bug on the VPN handling (worker) process. A management interface allows for viewing and querying logged-in users.

    OpenWrt does the trick below, so I'd like to know how it could work with pfctl and multiple tun devices?

    https://github.com/openwrt/packages/tree/master/net/ocserv

    #######################################

    ----/etc/config/network------------------------------------------
    config interface 'vpn'
            option proto 'none'
            option ifname 'vpns+'

    ----/etc/config/firewall-----------------------------------------
    config zone
            option input 'ACCEPT'
            option forward 'ACCEPT'
            option output 'ACCEPT'
            option name 'vpn'
            option device 'vpns+'
            option network 'vpn'

    config forwarding
            option dest 'lan'
            option src 'vpn'

    config forwarding
            option dest 'vpn'
            option src 'lan'

    config rule
            option target 'ACCEPT'
            option src 'wan'
            option proto 'tcp'
            option dest_port '443'
            option name 'vpn'

    config rule
            option target 'ACCEPT'
            option src 'wan'
            option proto 'udp'
            option dest_port '443'
            option name 'vpn'

    thank you
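The two posts above asking how to get pf rules working for ocserv's per-connection tunX devices are both answered by the same idea: FreeBSD puts every tun interface into the interface group "tun", so one pf rule written `on tun` covers whichever tunX ocserv creates, and keeping those rules in their own anchor lets them be reloaded with pfctl without rewriting the main ruleset. The script below is an added example, not code from the thread, from ocserv or from pfSense. It assumes ocserv listens on TCP and UDP 443 on the WAN interface (em0 and the 10.10.10.0/24 and 192.168.1.0/24 subnets are made-up values), that the main ruleset contains a line such as `anchor "ocserv"` so the anchor is consulted, and that on pfSense, which regenerates its ruleset on every filter reload, the anchor is reloaded again afterwards (for example from a boot or shellcmd hook).

```shell
#!/bin/sh
# Added example (not from the thread, ocserv or pfSense): build a pf ruleset
# for the ocserv tun devices and load it into a dedicated anchor.
# Assumptions: ocserv serves TLS on 443/tcp and DTLS on 443/udp on the WAN
# interface, clients get addresses from VPN_NET, and FreeBSD places every
# tun interface in the "tun" group, so `on tun` matches all tunX devices,
# including ones created after the rules were loaded.

# Print the ruleset. $1 = VPN client subnet, $2 = LAN subnet, $3 = WAN ifname.
ocserv_pf_rules() {
    vpn_net="$1"
    lan_net="$2"
    wan_if="${3:-em0}"
    cat <<EOF
# --- ocserv anchor (generated) ---
# Let clients reach the gateway on 443/tcp (TLS) and 443/udp (DTLS);
# keep state so replies flow without an explicit out rule.
pass in quick on $wan_if proto tcp from any to ($wan_if) port 443 flags S/SA keep state
pass in quick on $wan_if proto udp from any to ($wan_if) port 443 keep state

# Default deny on the tun group. No "quick" here: pf is last-match-wins,
# so the quick pass rules below override it for the traffic they name and
# everything else (spoofed sources, other destinations) stays blocked and logged.
block in log on tun all
# VPN users may only talk to the LAN from the address ocserv assigned them.
pass in quick on tun inet proto { tcp udp icmp } from $vpn_net to $lan_net keep state
# LAN-initiated connections towards VPN clients (e.g. managing a phone).
pass out quick on tun inet from $lan_net to $vpn_net keep state
EOF
}

# Load the generated rules into the "ocserv" anchor from stdin. The anchor
# only takes effect if the main ruleset references it (anchor "ocserv").
ocserv_pf_load() {
    ocserv_pf_rules "$@" | pfctl -a ocserv -f -
}

# Show what is currently loaded in the anchor, for verification.
ocserv_pf_show() {
    pfctl -a ocserv -sr
}

# Usage (as root, on the firewall):
#   ocserv_pf_load 10.10.10.0/24 192.168.1.0/24 em0 && ocserv_pf_show
```

The default-deny on the tun group is the part worth keeping even if the allowed services change: it means a VPN client gets exactly the access the pass rules grant and nothing else, and every dropped packet shows up in the pf log, which is where to look first when "all inside traffic on the tun interfaces got blocked".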