Connecting to a VPN without installation of client software

Question

I must sometimes write software to establish a socket with a particular server residing within a Cisco VPN. I simply write my software as if there were no VPN (making use of the standard sockets library). When it is time to run this program, I manually connect to the VPN using the client software installed on my computer, then run the program itself.

However, it would be desirable to write the software to take advantage of a specialized socket library capable of communicating over the VPN directly, without the use of any installed client software.

Here is some Java code illustrating the functionality I would like:

String vpnHost = ...;
String vpnUser = ...;
String vpnPassword = ...;
VPNConnection vpnConnection = new CiscoVPNConnection(vpnHost, vpnUser, vpnPassword);

String serverHost = ...;
int serverPort = ...;
Socket socket = vpnConnection.openSocket(serverHost, serverPort);

Is it possible to establish such a connection to a VPN without installing any client software?

Answer 1

I use the vpnc package on linux in order to connect to my company's Cisco VPN, since we don't have a compatible linux client. vpnc is written in c though, so you'll have to perform a port.

Answer 2

This depends on how the VPN server is configured.

Most VPN products use IPSEC, a standard protocol for encrypting TCP/IP connections. Most products also use ISAKMP, the Internet Security Architecture Key Management Protocol, also a standard, to set up the session. Source code for IPSEC and ISAKMP is readily available, and may already be installed on your system.

Now for the bad news: although everything I've already mentioned is standard, the authentication schemes that can be used with ISAKMP are almost all proprietary. The two "standard" authentication schemes are pre-shared key, and X.509 certificates. If the VPN server is configured to permit either of these then you have a chance. Otherwise, you cannot really use the VPN, as the protocol is truly proprietary and almost impossible to reverse engineer as the authentication conversation is encrypted.

A far easier path: do you really need a VPN, or is there a way you can tunnel over SSL? I think Java supports SSL; you can just create the secure socket you need and go from there.

If you know what client system you're using, then consider shelling out to invoke the Cisco VPN client for that system.

Otherwise, you'll have to replicate what a VPN client does. The VPN client performs authentication and session setup with ISAKMP, and installs the result into the kernel to create the VPN connection. ISAKMP implementations are available; you need only figure out what authentication is being used and try to set that up. At which point you will have written your own VPN client.