
Author Topic: Feature Request - Open Connect Server  (Read 1915 times)


Offline KranZ

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Feature Request - Open Connect Server
« on: March 21, 2016, 01:13:42 pm »
I've got an instance of OCSERV up and running on my pfSense box so I know it works.  I'd like to request that Open Connect be integrated as a package in pfSense.

For those who don't know what Open Connect is, it's the OSS version of Cisco's AnyConnect SSL VPN and is compatible with the AnyConnect client.  Integrating this into pfSense would make moving off of Cisco ASA firewalls (or other Cisco SSL VPN gateways) that much easier.

Offline fizadmin

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Feature Request - Open Connect Server
« Reply #1 on: April 17, 2016, 04:40:32 pm »
I'd like to second this, for the same reasons.

Also, the Cisco SPA525G2 IP phones have integrated support for AnyConnect client, so having OpenConnect in a pfSense gateway would make providing off-site remote IP phone access (using these models) so much easier.

There's a ton of good reasons to provide a package for OpenConnect Server.


Offline ilvipero

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: Feature Request - Open Connect Server
« Reply #2 on: May 29, 2016, 11:42:55 am »
I would also like to request this. I just posted in another similar thread: https://forum.pfsense.org/index.php?topic=110379.0

Offline eugen.t

  • Newbie
  • *
  • Posts: 3
  • Karma: +1/-0
Re: Feature Request - Open Connect Server
« Reply #3 on: January 21, 2017, 03:35:45 am »
Hi

Kranz, could you please provide a write up how you managed to install and configure ocserv as I would like to install it on my pfsense fw.

Thanks

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 16028
  • Karma: +1530/-221
  • Not a pfSense employee, they cannot fire me...
Re: Feature Request - Open Connect Server
« Reply #4 on: January 21, 2017, 06:44:48 am »
^ pretty sure you could just install the package ;)

http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/ocserv-0.11.6.txz

And then RTFM on how to configure it hehehehe

As to Kranz, he is a one-post wonder that hasn't been here since June - I don't think he is coming back ;)
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)

Offline bbassotti

  • Jr. Member
  • **
  • Posts: 41
  • Karma: +7/-0
Re: Feature Request - Open Connect Server
« Reply #5 on: April 17, 2017, 12:01:34 am »
I've got an instance of OCSERV up and running on my pfSense box so I know it works.  I'd like to request that Open Connect be integrated as a package in pfSense.

For those who don't know what Open Connect is, it's the OSS version of Cisco's AnyConnect SSL VPN and is compatible with the AnyConnect client.  Integrating this into pfSense would make moving off of Cisco ASA firewalls (or other Cisco SSL VPN gateways) that much easier.

+1

Offline djzort

  • Jr. Member
  • **
  • Posts: 82
  • Karma: +2/-0
Re: Feature Request - Open Connect Server
« Reply #6 on: July 28, 2017, 12:18:39 am »
This would be good to have. "AnyConnect compatible server, replace that ugly green cisco box" would be a nice tagline

Offline valnar

  • Sr. Member
  • ****
  • Posts: 387
  • Karma: +0/-0
Re: Feature Request - Open Connect Server
« Reply #7 on: September 16, 2017, 12:03:19 pm »
+1.  Having an AnyConnect client compatible 'server' running on pfSense would be wonderful, even if it's not official.

Offline emfabox

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
Re: Feature Request - Open Connect Server
« Reply #8 on: February 05, 2018, 08:38:41 am »
Tried the same: ocserv is up and running, but how did you get the firewall rules working???

ocserv makes a tunX device for each connection ...

thx

Offline metastable

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Re: Feature Request - Open Connect Server
« Reply #9 on: February 05, 2018, 02:19:58 pm »
+1 to this. ocserv would be a huge value proposition.

Offline valnar

  • Sr. Member
  • ****
  • Posts: 387
  • Karma: +0/-0
Re: Feature Request - Open Connect Server
« Reply #10 on: February 05, 2018, 04:08:44 pm »
Unless there is fear of litigation from Cisco, I would think this would be a high priority for the devs to make it a package.  Being able to use AnyConnect is probably one of the main reasons people would migrate to pfSense from ASAs, or at least one of them.

Offline emfabox

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
Re: Feature Request - Open Connect Server
« Reply #11 on: February 06, 2018, 02:48:02 am »
Think this would be great because there is no need to use the original Cisco client on Windows and Linux either:

http://www.infradead.org/openconnect/

I already built the latest packages and got it up and running, but all inside traffic on the tun interfaces gets blocked. The tick provided for the OpenConnect client only works as long as the client connection stays up. As a newbie in BSD I am struggling with the pf firewall rules; I read something about anchor rules but ... I really have no clue at all ... :-[

Ocserv's main features are security through privilege separation and sandboxing, accounting, and resilience due to a combined use of TCP and UDP. Authentication occurs in an isolated security module process, and each user is assigned an unprivileged worker process, and a networking (tun) device. That not only eases the control of the resources of each user or group of users, but also prevents data leak (e.g., heartbleed-style attacks), and privilege escalation due to any bug on the VPN handling (worker) process. A management interface allows for viewing and querying logged-in users.

OpenWrt does the trick below, so I'd like to know how it could work with pfctl and multiple tun devices?


https://github.com/openwrt/packages/tree/master/net/ocserv


#######################################

----/etc/config/network------------------------------------------
config interface 'vpn'
        option proto 'none'
        option ifname 'vpns+'
-----------------------------------------------------------------

----/etc/config/firewall-----------------------------------------
config zone
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option name 'vpn'
        option device 'vpns+'
        option network 'vpn'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '443'
        option name 'vpn'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '443'
        option name 'vpn'
-----------------------------------------------------------------

thank you
« Last Edit: February 06, 2018, 02:51:16 am by emfabox »
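The pf counterpart of the OpenWrt `vpns+` wildcard above is FreeBSD's automatic `tun` interface group, which every cloned tunN device joins, so one rule can cover all ocserv client tunnels. The script below is an added example, not from this thread or the ocserv project; the WAN interface name (em0), LAN and VPN subnets, port 443 and the anchor name "ocserv" are placeholders to adjust.

```shell
#!/bin/sh
# Added example: build a pf ruleset for ocserv's per-client tunN devices
# using the "tun" interface group instead of one rule per device.
# Placeholders (assumptions): WAN is em0, LAN is 192.168.1.0/24, ocserv
# leases 10.10.0.0/24 and listens on tcp/udp 443; anchor name "ocserv".

WAN_IF="em0"
LAN_NET="192.168.1.0/24"
VPN_NET="10.10.0.0/24"
OCSERV_PORT="443"

# Emit the rules on stdout. "on tun" matches the interface group, so a
# tunnel created after the rules were loaded is covered as well
# (verify membership with: ifconfig tun0, look for "groups: tun").
ocserv_rules() {
    cat <<EOF
# ocserv listener: TCP for the TLS control channel, UDP for DTLS.
pass in quick on $WAN_IF proto tcp from any to ($WAN_IF) port $OCSERV_PORT flags S/SA keep state
pass in quick on $WAN_IF proto udp from any to ($WAN_IF) port $OCSERV_PORT keep state
# Only addresses ocserv actually leased may enter through a tunnel.
block in quick on tun from ! $VPN_NET to any
# VPN clients may reach the LAN; everything else from the tunnel is dropped.
pass in quick on tun inet proto { tcp udp icmp } from $VPN_NET to $LAN_NET keep state
block in quick on tun from $VPN_NET to any
EOF
}

# Sanity check used before loading: number of rules bound to the tun group.
tun_rule_count() {
    ocserv_rules | grep -c '^[a-z]* in quick on tun '
}

# Load into the anchor and print what the kernel now holds. Only runs when
# invoked as "./script.sh load" on a host that has pfctl.
if [ "$1" = "load" ] && command -v pfctl >/dev/null 2>&1; then
    ocserv_rules | pfctl -a ocserv -f -
    pfctl -a ocserv -sr
fi
```

The anchor is only evaluated if the main ruleset references it (an `anchor "ocserv"` line), and pfSense regenerates that ruleset on every filter reload, so a hand-loaded anchor is a way to test the rules, not a persistent configuration.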