[securityguide] VPN: Added OpenConnect section.

Eric Christensen sparks at fedoraproject.org
Mon Jun 16 19:29:27 UTC 2014


commit cb81ac7d069e080d57df40433544bb7308073496
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date:   Mon Jun 16 15:52:46 2014 +0200

    VPN: Added OpenConnect section.
    
    Signed-off-by: Eric H Christensen <sparks at redhat.com>

 en-US/VPN.xml |   86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/en-US/VPN.xml b/en-US/VPN.xml
index f4a2242..a74c96d 100644
--- a/en-US/VPN.xml
+++ b/en-US/VPN.xml
@@ -985,6 +985,92 @@ include "/etc/racoon/<replaceable>X.X.X.X</replaceable>.conf"</screen>
 	</section>
 	</section>
 
+
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect">
+		<title>OpenConnect</title>
+		<para>
+			&PRODUCT; supports <abbrev>OpenConnect</abbrev> for connecting remote hosts and networks to each other using an SSL/TLS-based secure tunnel on a common carrier network such as the Internet. The protocol is compatible with the CISCO AnyConnect and can be used to connect to CISCO gateways in addition to OpenConnect servers. OpenConnect utilizes two channels, a TCP channel under TLS, and a UDP channel under DTLS to establish the tunnel. The UDP channel takes precedence when can be reliably established, and the TCP channel is used as backup.
+		</para>
+		<para>			
+			<abbrev>OpenConnect</abbrev> can be deployed to connect a host to a network, or  a network to network. The mode is determined by the server which provides the appropriate configuration (e.g., routes) to the client.
+		</para>
+	
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Authentication">
+		<title>Authentication of an <abbrev>OpenConnect</abbrev> Connection</title>
+		<para>
+			An <abbrev>OpenConnect</abbrev> connection can be established after the credentials are available to the user. The credentials may be a username-password pair, a client certificate or both. In all cases, the server's certificate (or its hash) must be available or known to the user.
+		</para>
+	</section>
+	
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Installation">
+		<title>OpenConnect Installation</title>
+		<para>
+			Deploying <abbrev>OpenConnect</abbrev> client side requires that the <filename>NetworkManager-openconnect</filename>, and <filename>openconnect</filename> RPM packages be installed. The server side requires the <filename>ocserv</filename> RPM package. The available applications are listed below.
+		</para>
+		<itemizedlist>
+			<listitem>
+				<para>
+					<command>/usr/sbin/openconnect</command> &mdash; It is the client tunnel establishment tool. Refer to the <command>openconnect</command>(8) man page for more information.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					<command>/usr/sbin/ocserv</command> &mdash; it is the openconnect server application. Refer to the <command>ocserv</command>(8) man page for more information.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					<filename>/etc/ocserv/ocserv.conf</filename> &mdash; <command>ocserv</command>'s daemon configuration file used to configure various aspects of the connection, including authentication methods and encryption algorithms used in the connection. Refer to the <filename>ocserv</filename>(8) man page for a complete listing of available directives.
+				</para>
+			</listitem>
+		</itemizedlist>
+		<para>
+			To configure an <abbrev>OpenConnect</abbrev> client on &PRODUCT;, you can use the <application>Network Manager Tool</application>, or manually execute the <filename>openconnect</filename> application with the appropriate command line parameters.
+		</para>
+	</section>
+	
+	<section id="sect-Security_Guide-Virtual_Private_Networks_VPNs-OpenConnect_Client_Configuration">
+		<title>OpenConnect Client Configuration</title>
+		<para>
+			OpenConnect's default operation connects one desktop or workstation (host) to a network. The server openconnect connects to provides the routes that are available from the VPN tunnel.
+		</para>
+		<para>
+			To configure a host-to-host <abbrev>IPsec</abbrev> connection, use the following steps for each host:
+		</para>
+		<orderedlist continuation="restarts" inheritnum="ignore">
+			<listitem>
+				<para>
+					Select the configuration option on the top right menu and select the <application>Network</application> settings.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					On the <guilabel>Network</guilabel> tab, click <guibutton>+</guibutton> to start the new connection configuration wizard.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					On the <guilabel>Add Network Connection</guilabel> dialog, click <guibutton>VPN</guibutton>.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Then select the <guibutton>Cisco AnyConnect Compatible VPN (openconnect)</guibutton>.
+					</para>
+			</listitem>
+			<listitem>
+				<para>
+					Enter the gateway (server address) for the connection, and optionally specify the server's certificate. If no certificate is specified you'll be prompted to trust the one that is obtained by the server on the initial connection.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Save and, return the the initial <guilabel>Network</guilabel> tab, and then click on the newly created VPN connection. You'll be prompted for the username and password.
+				</para>
+			</listitem>
+		</orderedlist>
+	</section>
+	</section>
 </section>
 
 
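Review bot: the step introduction in the new OpenConnect Client Configuration section, "To configure a host-to-host <abbrev>IPsec</abbrev> connection, use the following steps for each host:", still says IPsec, which looks carried over from the IPsec section above; it should read OpenConnect, and since the steps configure only the NetworkManager client (the server side is ocserv), "for each host" should become something like "on the client". In the gateway step, "prompted to trust the one that is obtained by the server on the initial connection" should read "presented by the server", and it is worth adding that specifying the server's certificate (or its hash, as the Authentication subsection already requires) avoids having to trust whatever certificate is shown on the first connection. Smaller wording fixes in the same hunk: "The UDP channel takes precedence when can be reliably established" is missing "it"; "or  a network to network" should be "or a network to a network"; "Save and, return the the initial" should be "Save, return to the initial"; and the ocserv.conf item wraps the man page reference in <filename>ocserv</filename>(8) while the other two items use <command>, and its second item starts with lowercase "it is" where the first uses "It is".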

