Cisco AnyConnect

How the VPN works

The VPN is extremely simple, based almost entirely on the standard HTTPS and DTLS protocols. You connect to the secure web server, authenticate using certificates and/or arbitrary web forms, and you are rewarded with a standard HTTP cookie named webvpn.

Some Cisco servers require you to execute a 'Cisco Secure Desktop' trojan binary (intended for security scanning of the client system) before authentication can complete; see the CSD page for information on how to comply with this requirement, or spoof it, with OpenConnect.

After authentication, you use the webvpn cookie in an HTTP CONNECT request, and can then pass traffic over that connection. IP addresses and routing information are passed back and forth in the headers of that CONNECT request.

Since TCP over TCP is very suboptimal, the VPN also attempts to use UDP datagrams, and will only actually pass traffic over the HTTPS connection if that fails. The UDP connectivity is done using Datagram TLS, which is supported by OpenSSL.
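The CONNECT exchange described above, as an added example in Python that is not code from the OpenConnect project: it builds the request that carries the webvpn cookie and parses the response headers that carry the address, routing and DTLS information back, validating each server-pushed value before a client would act on it. The /CSCOSSLC/tunnel path and the X-CSTP-*/X-DTLS-* header names are assumed from the OpenConnect client's behaviour, and the sample reply is constructed, not a capture.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed reply to the CONNECT request (not a real capture); header names
# follow the X-CSTP-*/X-DTLS-* convention the OpenConnect client handles.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 CONNECTED\r\n"
    "X-CSTP-Address: 10.8.0.23\r\n"
    "X-CSTP-Netmask: 255.255.255.0\r\n"
    "X-CSTP-Split-Include: 192.168.10.0/255.255.255.0\r\n"
    "X-CSTP-Split-Include: 192.168.20.0/255.255.255.0\r\n"
    "X-DTLS-Port: 443\r\n\r\n"
)

def build_connect_request(host: str, webvpn_cookie: str) -> str:
    # The CONNECT request that carries the webvpn cookie from authentication.
    return ("CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n"
            f"Host: {host}\r\nCookie: webvpn={webvpn_cookie}\r\n"
            "X-CSTP-Version: 1\r\n\r\n")

@dataclass
class TunnelConfig:
    address: str = ""
    netmask: str = ""
    split_include: list = field(default_factory=list)  # routes, normalised to CIDR
    dtls_port: int = 0   # 0 means no DTLS offered; traffic stays on HTTPS

def parse_connect_response(raw: str) -> TunnelConfig:
    # Pull IP address, routes and DTLS port out of the CONNECT response headers.
    status, _, header_block = raw.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"tunnel not established: {status}")
    cfg = TunnelConfig()
    for line in header_block.split("\r\n"):
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "x-cstp-address":
            cfg.address = str(ipaddress.ip_address(value))
        elif name == "x-cstp-netmask":
            cfg.netmask = str(ipaddress.ip_address(value))
        elif name == "x-cstp-split-include":
            # validate a server-pushed route before anything installs it
            cfg.split_include.append(str(ipaddress.ip_network(value)))
        elif name == "x-dtls-port":
            cfg.dtls_port = int(value)
    return cfg
```

A malformed route or a non-200 status raises ValueError rather than being installed, which is the behaviour a client should have when it cannot trust what the headers say.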

DTLS compatibility

Note: DTLS is optional and not required for basic connectivity, as explained above.

Unfortunately, Cisco used an old version of OpenSSL for their server, which predates the official RFC and has a few differences in the implementation of DTLS.

OpenSSL

Compatibility support for their "speshul" version of the protocol is in the 0.9.8m and later releases of OpenSSL (and 1.0.0-beta2 and later).

NOTE: OpenSSL 1.0.0k, 1.0.1d and 1.0.1e have introduced bugs which break this compatibility. See the thread on the mailing list, which has patches for each.

If you are using an older version of OpenSSL which predates the compatibility, you will need to apply this patch from OpenSSL CVS:

For versions older than 0.9.8j, some generic DTLS bug fixes are also required. (The username/password for OpenSSL RT is 'guest/guest'.)

GnuTLS

Support for Cisco's version of DTLS was included in GnuTLS from 3.0.21 onwards (committed in fd5ca1af).