2 <VAR match="VAR_ORIGIN" replace="" />
3 <VAR match="VAR_CVSID" replace=""/>
4 <INCLUDE file="inc/header.tmpl" />
6 <VAR match="VAR_SEL_TECHNICAL" replace="selected" />
7 <PARSE file="menu1.xml" />
9 <INCLUDE file="inc/content.tmpl" />
11 <h2>How the VPN works</h2>
13 <p>The VPN is extremely simple, based almost entirely on the standard
14 HTTPS and <a href="http://www.rfc-editor.org/rfc/rfc4347.txt">DTLS</a>
15 protocols. You connect to the secure web server, authenticate using
16 certificates and/or arbitrary web forms, and you are rewarded with a
17 standard HTTP cookie.</p>
19 <p>You then use this cookie in an HTTP <tt>CONNECT</tt> request, and can
20 then pass traffic over that connection. IP addresses and routing
21 information are passed back and forth in the headers of that
22 <tt>CONNECT</tt> request.</p>
24 <p>Since <a href="http://sites.inka.de/~W1011/devel/tcp-tcp.html">TCP
25 over TCP is very suboptimal</a>, the VPN also attempts to use UDP
26 datagrams, and will only <em>actually</em> pass traffic over the HTTPS
27 connection if that fails. The UDP connectivity is done using Datagram
28 TLS, which is supported by OpenSSL.</p>
30 <h2>DTLS compatibility</h2>
32 <p><i><b>Note: DTLS is optional and not required for basic connectivity, as explained above.</b></i></p>
34 <p>Unfortunately, Cisco used an old version of OpenSSL for their server,
35 which predates the official RFC and has a few differences in the
36 implementation of DTLS.
39 <p>Compatibility support for their "speshul" version of the protocol is
40 in the 0.9.8m and later releases of OpenSSL (and 1.0.0-beta2 and later).
43 <p>If you are using an older version of OpenSSL, DTLS will
44 only work if you apply this patch from OpenSSL CVS:</p>
46 <li><a href="http://cvs.openssl.org/chngview?cn=18037">http://cvs.openssl.org/chngview?cn=18037</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1751&amp;user=guest&amp;pass=guest">RT#1751</a>)</li>
49 For versions older than 0.9.8j, some generic DTLS bug fixes are also required:
51 <li><a href="http://cvs.openssl.org/chngview?cn=17500">http://cvs.openssl.org/chngview?cn=17500</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1703&amp;user=guest&amp;pass=guest">RT#1703</a>)</li>
52 <li><a href="http://cvs.openssl.org/chngview?cn=17505">http://cvs.openssl.org/chngview?cn=17505</a> (OpenSSL <a href="http://rt.openssl.org/Ticket/Display.html?id=1752&amp;user=guest&amp;pass=guest">RT#1752</a>) </li>
54 The username/password for OpenSSL RT is 'guest/guest'
58 <p>Support for Cisco's version of DTLS was included in GnuTLS in June 2012, in
59 <a href="http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=fd5ca1afb">
60 commit fd5ca1af</a> which will be part of GnuTLS 3.1.</p>
62 <p>The same patch will hopefully also be applied to the GnuTLS 3.0.x release branch
63 for 3.0.21, or it can be applied manually from <a href="http://git.infradead.org/users/dwmw2/gnutls.git/commitdiff_plain/436135d727cbfb1673f0c308869a6c15b2e17697">here</a>.</p>
65 <INCLUDE file="inc/footer.tmpl" />