2018-07-16 21:09:53 UTC
- Like many orgs, my employer had a sudden and dramatic increase in the number of people working remotely as a result of the Covid-19 pandemic. This exceeded the capacity of our Cisco Anyconnect headends in a few places, and procuring larger hardware in many locations proved difficult as supply chains apparently unravelled.
- Systemctl enable ocserv systemctl start ocserv. Client Configuration. For clients, you have 2x options. You have the official Cisco AnyConnect client which can be a royal pain but has a nice GUI and a mobile app. Or the openconnect client which is made by the same people as ocserv.
Ocserv auth hacking. GitHub Gist: instantly share code, notes, and snippets.
Ocserv Client
Hi,
Is there a way to have the latest Cisco AnyConnect 4.6 clients use
ocserv with a stronger DTLS cipher than the default RSA_AES_128_SHA1?
When the same version of AnyConnect connects to an ASA the DTLS cipher
shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box should
also support. I have tried playing around with the
cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers config
options, but understand some of those are mutually exclusive.
I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect
clients with ocserv which works fine, but would like to support the
'best DTLS possible' (or at least match the ASA cipher) for a few
cases where TCP file transfer throughput through AnyConnect is
important (seeing about 3x throughput via DTLS).
`occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103:
TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM)
DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)
Thanks in advance!
Is there a way to have the latest Cisco AnyConnect 4.6 clients use
ocserv with a stronger DTLS cipher than the default RSA_AES_128_SHA1?
When the same version of AnyConnect connects to an ASA the DTLS cipher
shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box should
also support. I have tried playing around with the
cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers config
options, but understand some of those are mutually exclusive.
I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect
clients with ocserv which works fine, but would like to support the
'best DTLS possible' (or at least match the ASA cipher) for a few
cases where TCP file transfer throughput through AnyConnect is
important (seeing about 3x throughput via DTLS).
`occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103:
TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM)
DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)
Thanks in advance!