What is AnyConnect? How does it work?
I am looking for a deep down technical explanation of how it works.
My understanding is it's an SSL VPN and works as follows:
- AnyConnect creates a TLS session to the configured remote servers, authenticates the user and fetches some network details like the IP address
- sets up a local tunnel interface with that IP
- configures the routing on the host to point all traffic to the tunnel.
Assuming this is correct, how do the tunnel interface's packets get sent over the TLS connection?
One of the mentioned advantages of SSL VPN over IPSec VPN is that the former doesn't need client software. If Cisco AnyConnect has to be installed anyway, is there still an advantage with SSL VPNs?
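The step the question asks about (tunnel interface packets travelling over a TLS connection) is easiest to see with a tiny simulation. The following is an added example, not Cisco's code and not AnyConnect's actual wire format: it assumes a generic scheme in which each raw IP packet read from the tunnel interface is given a 2-byte length prefix and written to the TLS byte stream, and the receiving side reassembles whole packets from arbitrarily split stream reads. The IPv4 packets are constructed inline so the example runs offline without a real tun device.

```python
"""Illustrative framing of tunnel-interface IP packets over a TLS byte stream.

Hypothetical scheme for teaching purposes only; it is not AnyConnect's
protocol. A TLS session delivers a byte stream, not datagrams, so each IP
packet needs a frame boundary the peer can recover from partial reads.
"""
import struct
from typing import Dict, List


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words, folded and inverted (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (20-byte header, no options) as sample input."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, ident, flags/frag, TTL, proto, csum=0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Decode the fields a tunnel endpoint looks at before routing the packet."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_b, dst_b = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "src": ".".join(str(b) for b in src_b),
        "dst": ".".join(str(b) for b in dst_b),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
        # A header that includes its own checksum sums to zero when valid.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "length_ok": total_len == len(packet),
    }


def encapsulate(packet: bytes) -> bytes:
    """Frame one IP packet for a stream transport: 2-byte big-endian length prefix."""
    if len(packet) > 0xFFFF:
        raise ValueError("packet too large for 16-bit length prefix")
    return struct.pack("!H", len(packet)) + packet


class StreamDecoder:
    """Reassemble framed packets from a byte stream that may arrive in any chunking."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf += chunk
        packets: List[bytes] = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + n:
                break  # frame incomplete; wait for the next read
            packets.append(self.buf[2 : 2 + n])
            self.buf = self.buf[2 + n :]
        return packets


def simulate_tunnel(packets: List[bytes], chunk_size: int) -> List[bytes]:
    """Send packets through the framing and read the stream back in chunk_size pieces."""
    stream = b"".join(encapsulate(p) for p in packets)  # stands in for TLS socket writes
    decoder = StreamDecoder()
    received: List[bytes] = []
    for i in range(0, len(stream), chunk_size):
        received.extend(decoder.feed(stream[i : i + chunk_size]))  # stands in for TLS reads
    return received


if __name__ == "__main__":
    # Constructed sample traffic: a UDP packet and an ICMP echo request.
    sample = [
        build_ipv4_packet("10.0.0.5", "192.168.1.10", 17, b"hello"),
        build_ipv4_packet("10.0.0.5", "8.8.8.8", 1, b"\x08\x00" + b"\x00" * 6),
    ]
    for size in (1, 3, 7, 4096):
        assert simulate_tunnel(sample, size) == sample
    for p in simulate_tunnel(sample, 5):
        print(parse_ipv4(p))
```

The decoder keeps a buffer precisely because a TLS read may return half a frame or several frames at once. Over DTLS the situation differs: each datagram carries one record, so a one-packet-per-record convention removes the need for the length prefix, which is one reason datagram transports are popular for the data path of such VPNs.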
The answer to your question "What is AnyConnect?" is that the common descriptions of "SSL VPNs" conflate three different things:
- VPNs which use TLS or DTLS as their base protocol. (Examples: AnyConnect, SSTP, arguably even OpenVPN.) These still require a client just like any other protocol does – there's nothing magic about the usage of SSL/TLS here, and no great advantage (except perhaps passing through IDS systems unnoticed).
- VPNs which, regardless of the protocol being used, launch a JavaWS or ClickOnce applet directly from a website. Now that's still technically a client, just one that doesn't have to be explicitly installed. I don't get why people call this kind "SSL VPNs" (is it because the client runs from an HTTPS website?), but they do it anyway.
- Finally, "VPNs" which aren't actually IP-layer VPNs but merely web-based gateways (proxies; portals) to internal webapps. These don't require a dedicated client because they don't actually intercept IP packets from the OS – they work like ordinary websites that you visit over HTTPS (therefore SSL).
So what makes things confusing is that the same Cisco AnyConnect product can fit any of these descriptions: its protocol is based on DTLS; it provides a Java-applet client; and it provides a webapp gateway in addition to traditional VPN.
But that doesn't mean the same mode fits all three descriptions at once: e.g. if you want to use the system-wide VPN mode, it still requires a client that runs on the local computer, creates a virtual interface, and so on.