Pulse Connect Secure

Support for Pulse Connect Secure was added to OpenConnect in June 2019, for the 8.04 release. It has also been known as Junos Pulse and Ivanti Pulse Connect Secure, as its corporate ownership has changed.

In most cases, Pulse servers also support the older Juniper Network Connect protocol. The Pulse and Juniper protocols are extremely different from each other, and both extremely convoluted; the clearest improvement in the Pulse protocol is that it supports IPv6.

Pulse mode is requested by adding --protocol=pulse to the command line:

  openconnect --protocol=pulse vpn.example.com

The TCP transport for Pulse Connect Secure works over IF-T/TLS, first using EAP (and EAP-TTLS if certificates are being used) for authentication and then carrying traffic in IF-T messages over the same transport. Just as with the older Juniper protocol, the UDP transport is ESP.
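
As an added illustration (not code from OpenConnect or from this page), the example below splits an already-decrypted IF-T/TLS byte stream into messages and rejects length fields that cannot be valid. It assumes the 16-byte big-endian header of the TCG IF-T binding to TLS (vendor ID, message type, total length including the header, message identifier); the function names, the size cap and the sample bytes are constructed for the example.

```python
import struct

# Big-endian header: vendor ID, message type, total length, message identifier
IFT_HDR = struct.Struct(">IIII")
VENDORS = {0x005597: "TCG", 0x000A4C: "Juniper"}  # IANA enterprise numbers
MAX_MESSAGE = 1 << 16  # cap chosen for this example, not a protocol constant


def split_ift_messages(stream):
    """Split a decrypted byte stream into IF-T/TLS messages.

    Returns (messages, leftover). leftover holds the start of a message that
    has not fully arrived and should be prepended to the next read.
    Raises ValueError when a length field cannot be valid.
    """
    messages, offset = [], 0
    while len(stream) - offset >= IFT_HDR.size:
        vendor_word, msg_type, length, msg_id = IFT_HDR.unpack_from(stream, offset)
        vendor = vendor_word & 0xFFFFFF  # top byte is reserved; receivers ignore it
        # The length field counts the 16-byte header as well as the payload.
        if length < IFT_HDR.size or length > MAX_MESSAGE:
            raise ValueError(f"implausible length {length} at offset {offset}")
        if len(stream) - offset < length:
            break  # partial message: wait for more data
        messages.append({
            "vendor": VENDORS.get(vendor, hex(vendor)),
            "type": msg_type,
            "id": msg_id,
            "payload": stream[offset + IFT_HDR.size:offset + length],
        })
        offset += length
    return messages, stream[offset:]


def build(vendor, msg_type, msg_id, payload=b""):
    """Pack one message; used here only to construct sample input."""
    return IFT_HDR.pack(vendor, msg_type, IFT_HDR.size + len(payload), msg_id) + payload


# Constructed sample: two complete messages, then the first 20 bytes of a third.
SAMPLE = (build(0x005597, 1, 0, b"\x00\x01\x02\x02")
          + build(0x000A4C, 4, 1, b"data")
          + build(0x000A4C, 4, 2, b"truncated")[:20])

if __name__ == "__main__":
    msgs, rest = split_ift_messages(SAMPLE)
    for m in msgs:
        print(m["vendor"], m["type"], m["id"], m["payload"].hex())
    print("buffered:", len(rest), "bytes")
```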

Authentication

The authentication cookies are compatible with the Juniper mode, which means that external tools like juniper-vpn-py should be usable with OpenConnect in Pulse mode too.

Host Checker

Support for Host Checker, also known as TNCC, has not yet been investigated or implemented for Pulse mode. The Juniper support may suffice for some users.

Connectivity

Once authentication is complete, the VPN connection can be established. Both Legacy IP and IPv6 should be working. Many Pulse VPNs will not provide full IPv6 connectivity unless a recent version of the official Pulse client for Windows is spoofed (see comment on GitLab issue #254). Recent versions of OpenConnect will do this automatically, but for older versions it will need to be specified manually. For example:

  ./openconnect --protocol=pulse --useragent "Pulse-Secure/22.2.1.1295" --os=win vpn.example.com

Quirks and Issues

Some Pulse VPNs may request a client certificate but not actually require one. If you are trying to authenticate to such a VPN, and running into strange errors about unrecognized packet types, then mimicking a very old version of the official Pulse client software may help resolve the issue:

  ./openconnect --protocol=pulse --useragent "Pulse-Secure/3.0.0.0" vpn.example.com

If you encounter this issue, please tell us about it so we can gather more information to solve it for everyone.