From 3473bf170615a6aeb8ebc183a601c76378adbb18 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 20 Jan 2014 18:54:01 +0100
Subject: [PATCH] do not duplicate technical info

---
 README | 41 ++---------------------------------------
 1 file changed, 2 insertions(+), 39 deletions(-)

diff --git a/README b/README
index 2280a840..41908c86 100644
--- a/README
+++ b/README
@@ -67,42 +67,5 @@ To run the server on the foreground edit the doc/sample.config and then run: === How the VPN works === -The openconnect VPN server is an Internet-layer VPN server. That is, it provides -the client with an IP address and a list of routes that this IP may access. -Since this is not a Link-layer VPN a separate subnet must be allocated for the -VPN addresses. - -The subnet addresses are specified by the 'ipv4-network' and 'ipv4-netmask' -configuration options (and the corresponding ipv6 options). The routes that -are pushed to the client are specified by the 'route' option. For each client -two IPv4 addresses are assigned, its VPN address and its local image (remember -this is a point-to-point connection). The image isn't known to the client -(the anyconnect protocol doesn't forward it). - -Note that in order to allow high-speed transfers ocserv doesn't do any packet -forwarding or filtering between the networks. It is expected that the server -has any required routes or firewall rules set up. You may conditionally -enable firewall rules, or even enable routing rules through the client -using the 'connect-script' and 'disconnect-script' scripts based on the -user who connected. You can find some examples in the doc/scripts/ directory. - - -=== Authentication === - -Authentication in openconnect VPN server occurs in the initial TLS session. -That is an HTTPS session over which the client is provided with an XML authentication -page. The server is authenticated using its certificate and the client, either by -its certificate, or via username and password pairs, either via PAM or a -custom password file. Various combinations can be used, e.g., certificates -and passwords. Since PAM supports various authentication types, two factor -authentication methods are also supported. After the user is authenticated he -is provided with a cookie that can be used for future connections. The lifetime -of the cookie is configurable using the 'cookie-validity' option. 
- -After the user is authenticated, directly, or via the cookie, he issues an HTTP -CONNECT command which results to a direct connection with the VPN. Additionally -the user could connect using UDP and Datagram TLS on a port that is provided -by the server. That connection is authenticated using TLS session resumption and -a master key provided by the server, i.e., it is not really a DTLS 1.0 compliant -connection. - +Please see: +http://www.infradead.org/ocserv/technical.html
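Review bot: the deletion in this hunk drops the README's only operational security caveat, the paragraph stating that ocserv does no packet forwarding or filtering between the networks and that the server is expected to have the required routes and firewall rules set up (with connect-script/disconnect-script offered for per-user rules), and replaces it with a pointer to a plain-http URL, http://www.infradead.org/ocserv/technical.html, which a reader installing from a tarball offline cannot follow and which, over http, can be altered in transit. Suggest keeping one sentence in place of the removed paragraph, along the lines of `Note that ocserv does no packet forwarding or filtering; the server must have the required routes and firewall rules (see connect-script/disconnect-script).`, and linking the documentation over https if the site serves it. It is also worth confirming before merge that the linked page actually carries the other removed statements, in particular that the UDP transport is authenticated via TLS session resumption and a server-provided master key rather than being a DTLS 1.0 compliant connection, and that the cookie lifetime is set with the 'cookie-validity' option, so that this information is moved rather than lost.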