Netgate Discussion Forum

Cisco AnyConnect (server) support?

    einervonvielen
    last edited by Apr 19, 2016, 2:37 PM

    As Cisco's AnyConnect client is very popular, I suggest adding support for it.

    There's "OpenConnect VPN Server". According to the homepage: "It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol."

    • http://www.infradead.org/ocserv/
      jimp Rebel Alliance Developer Netgate
      last edited by Apr 26, 2016, 3:21 PM

      The fine print of the Cisco VPN client license states that it's a violation of the license to use them with anything other than Cisco devices.

      So while you might be able to get away with installing that server and using it personally or for your company, including support for that as a feature in a distribution like pfSense may not go over so well legally.

      http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc51

      Q. Can I use AnyConnect to make VPN connections with non-Cisco VPN head-ends?

      A. No, AnyConnect's VPN services may only be used with appropriately licensed Cisco equipment. Use of AnyConnect with non-Cisco VPN equipment is strictly prohibited by our license agreement.

        ilvipero
        last edited by May 29, 2016, 4:42 PM

        Hello, I would like to add a few words on this discussion. I have been helping the openconnect project with some documentation and testing, so I am available to help with further clarifications if needed.

        OpenConnect server does not breach any Cisco license; it can be installed with no such problem. Actually, it is now also available in many distributions via repos: Fedora, Ubuntu, Debian, etc.
        OpenConnect client is available for most operating systems, such as Windows, Linux, Mac, Android. Using OpenConnect server without AnyConnect client is therefore possible.

        I would love to see OpenConnect in pfSense. A few reasons why:

        • no need to distribute profiles to clients (IPsec client, OpenVPN client).

        • multiple profiles can be selected when connecting to the same gateway IP/hostname. Each "profile" can assign different rules to clients (Full Tunnel, Split Tunnel, etc.). No need to create multiple server instances for different rule sets, like in OpenVPN.

        • compatible with many authentication methods: certificates, PAM, internal users (users configured in OpenConnect server), RADIUS, Kerberos, dual factor authentication.

        • can be used to establish site-to-site connections between firewalls.

        • great support of proxy-arp, this can be used to avoid tap devices and still be seen as part of the "remote LAN subnet".

        • can limit client bandwidth.

        • Intrusion prevention included with multiple configuration options.

          Harvy66
          last edited by May 29, 2016, 6:55 PM

          Would it actually be able to be part of pfSense's base install since it's GPL? If it stays an optional post-install package, would it be safe from GPL and the AnyVPN client license?

            djzort
            last edited by Aug 31, 2017, 9:43 AM

            If it was an optional package add-on, the GPL license doesn't taint the base at all.

            +1 to this.

            This guy brought it in via FreeBSD packages: https://blog.dhampir.no/content/pfsense-as-a-cisco-anyconnect-vpn-client-using-openconnect

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.