commit cb81ac7d069e080d57df40433544bb7308073496
Author: Nikos Mavrogiannopoulos <nmav(a)redhat.com>
Date: Mon Jun 16 15:52:46 2014 +0200
VPN: Added OpenConnect section.
Signed-off-by: Eric H Christensen <sparks(a)redhat.com>
en-US/VPN.xml | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/en-US/VPN.xml b/en-US/VPN.xml
index f4a2242..a74c96d 100644
--- a/en-US/VPN.xml
+++ b/en-US/VPN.xml
@@ -985,6 +985,92 @@ include
"/etc/racoon/<replaceable>X.X.X.X</replaceable>.conf"</screen>
</section>
</section>
+
+ <section
id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect">
+ <title>OpenConnect</title>
+ <para>
+ &PRODUCT; supports <abbrev>OpenConnect</abbrev> for connecting remote
hosts and networks to each other using an SSL/TLS-based secure tunnel on a common carrier
network such as the Internet. The protocol is compatible with the CISCO AnyConnect and can
be used to connect to CISCO gateways in addition to OpenConnect servers. OpenConnect
utilizes two channels, a TCP channel under TLS, and a UDP channel under DTLS to establish
the tunnel. The UDP channel takes precedence when can be reliably established, and the TCP
channel is used as backup.
+ </para>
+ <para>
+ <abbrev>OpenConnect</abbrev> can be deployed to connect a host to a
network, or a network to network. The mode is determined by the server which provides the
appropriate configuration (e.g., routes) to the client.
+ </para>
+
+ <section
id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Authentication">
+ <title>Authentication of an <abbrev>OpenConnect</abbrev>
Connection</title>
+ <para>
+ An <abbrev>OpenConnect</abbrev> connection can be established after the
credentials are available to the user. The credentials may be a username-password pair, a
client certificate or both. In all cases, the server's certificate (or its hash) must
be available or known to the user.
+ </para>
+ </section>
+
+ <section
id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Installation">
+ <title>OpenConnect Installation</title>
+ <para>
+ Deploying <abbrev>OpenConnect</abbrev> client side requires that the
<filename>NetworkManager-openconnect</filename>, and
<filename>openconnect</filename> RPM packages be installed. The server side
requires the <filename>ocserv</filename> RPM package. The available
applications are listed below.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <command>/usr/sbin/openconnect</command> — It is the client
tunnel establishment tool. Refer to the <command>openconnect</command>(8) man
page for more information.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>/usr/sbin/ocserv</command> — it is the openconnect
server application. Refer to the <command>ocserv</command>(8) man page for
more information.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>/etc/ocserv/ocserv.conf</filename> —
<command>ocserv</command>'s daemon configuration file used to configure
various aspects of the connection, including authentication methods and encryption
algorithms used in the connection. Refer to the <filename>ocserv</filename>(8)
man page for a complete listing of available directives.
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ To configure an <abbrev>OpenConnect</abbrev> client on &PRODUCT;, you
can use the <application>Network Manager Tool</application>, or manually
execute the <filename>openconnect</filename> application with the appropriate
command line parameters.
+ </para>
+ </section>
+
+ <section
id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Client_Configuration">
+ <title>OpenConnect Client Configuration</title>
+ <para>
+ OpenConnect's default operation connects one desktop or workstation (host) to a
network. The server openconnect connects to provides the routes that are available from
the VPN tunnel.
+ </para>
+ <para>
+ To configure a host-to-host <abbrev>IPsec</abbrev> connection, use the
following steps for each host:
+ </para>
+ <orderedlist continuation="restarts" inheritnum="ignore">
+ <listitem>
+ <para>
+ Select the configuration option on the top right menu and select the
<application>Network</application> settings.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ On the <guilabel>Network</guilabel> tab, click
<guibutton>+</guibutton> to start the new connection configuration wizard.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ On the <guilabel>Add Network Connection</guilabel> dialog, click
<guibutton>VPN</guibutton>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Then select the <guibutton>Cisco AnyConnect Compatible VPN
(openconnect)</guibutton>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Enter the gateway (server address) for the connection, and optionally specify the
server's certificate. If no certificate is specified you'll be prompted to trust
the one that is obtained by the server on the initial connection.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Save and, return the the initial <guilabel>Network</guilabel> tab, and
then click on the newly created VPN connection. You'll be prompted for the username
and password.
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
</section>
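Review bot: the intro sentence of the Client Configuration section is a copy-paste slip from the IPsec section: "To configure a host-to-host <abbrev>IPsec</abbrev> connection, use the following steps for each host:" should read "To configure a host-to-network <abbrev>OpenConnect</abbrev> connection, use the following steps on the client:", since the steps that follow set up a single openconnect VPN in NetworkManager, not one per host. Two smaller wording fixes in the same hunk: "takes precedence when can be reliably established" is missing "it", and "Save and, return the the initial" should be "Save, return to the initial". In the step that says "you'll be prompted to trust the one that is obtained by the server on the initial connection", consider saying "presented by the server" and cross-referencing the Authentication subsection, which already states that the server's certificate or its hash must be known to the user beforehand; as written, a reader may take the first-connection prompt as sufficient verification. Finally, the man page references are inconsistent: <command>ocserv</command>(8) in one list item and <filename>ocserv</filename>(8) in the next; the configuration-file item should point to the manual page that documents the directives, with the same markup as the other items.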