dlenski / what-vpn

Identify servers running various SSL VPNs based on protocol-specific behaviors

Clavister NetWall #23

Open DimitriPapadopoulos opened 1 year ago

DimitriPapadopoulos commented 1 year ago

Have you heard of Clavister NetWall? Appears to be somehow compatible with AnyConnect SSL VPN.

See Clavister (Classic) SSL VPN vs OneConnect (OpenConnect based) SSL VPN.

dlenski commented 1 year ago

Hmmm… no I haven't. Their OneConnect sounds like it might simply be a wrapper around ocserv. I wonder how well they're complying with its license. 🧐

dlenski commented 1 year ago

Do you know of publicly-accessible Clavister servers? What does what-vpn say when pointed at them?

DimitriPapadopoulos commented 1 year ago

No, I haven't found any. Not sure how to find any with help from Google or other search engines.

There is no evidence they use OpenConnect code, client side or server side. They do share the same AnyConnect protocol (or OpenConnect protocol as they call it) and OpenConnect is clearly on their radar:

It would be nice to be able to use their iOS, Android and Windows OneConnect clients to connect to ocserv servers, since we lack well-maintained clients for these platforms. Unfortunately, it looks like there are some inconsistencies between NetWall and ocserv (which supports the idea the code base is different): https://gitlab.com/openconnect/ocserv/-/issues/485

It would also be nice to test whether OpenConnect can indeed connect to Clavister NetWall appliances.

DimitriPapadopoulos commented 1 year ago

The Clavister OneConnect Android client uses wolfSSL and Apache HttpComponents as far as I can see by looking into the APK file, so it does seem they have rewritten the client at least.


$ unzip -q Clavister\ OneConnect_3.5_Apkpure.xapk
$ 
$ unzip -t config.arm64_v8a.apk | grep -i wolf
    testing: lib/arm64-v8a/libwolfssl.so   OK
    testing: lib/arm64-v8a/libwolfsslwrapper.so   OK
$ 
$ unzip -t com.clavister.oneconnect.apk | grep -i apache/hc
    testing: org/apache/hc/client5/version.properties   OK
    testing: org/apache/hc/core5/version.properties   OK
$
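The check from the listing above, generalized as an added example (not part of the original comment and not what-vpn code): it walks an XAPK and its nested APKs and reports which bundled components the member paths suggest. The marker table and function names are assumptions, and the sample archive is constructed from the paths shown in the listing, with empty file bodies.

```python
import io
import zipfile

# Assumed marker table: lowercase path substring -> component it suggests.
MARKERS = {
    "libwolfssl": "wolfSSL",
    "org/apache/hc/": "Apache HttpComponents",
    "libopenconnect": "OpenConnect",
    "libgnutls": "GnuTLS",
}
MAX_NESTED = 256 * 1024 * 1024  # skip nested APKs that declare more than this

def scan_archive(data, prefix="", depth=2):
    """Map component -> set of member paths, descending into nested .apk files."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lowered = info.filename.lower()
            for needle, component in MARKERS.items():
                if needle in lowered:
                    found.setdefault(component, set()).add(prefix + info.filename)
            if lowered.endswith(".apk") and depth > 0 and info.file_size <= MAX_NESTED:
                try:
                    nested = scan_archive(zf.read(info), prefix + info.filename + "!/", depth - 1)
                except zipfile.BadZipFile:
                    continue  # named .apk but not a zip: ignore it
                for component, paths in nested.items():
                    found.setdefault(component, set()).update(paths)
    return found

def make_zip(members):
    """Build a zip in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample_xapk():
    """Constructed sample: the member paths from the listing, with empty bodies."""
    native = make_zip({"lib/arm64-v8a/libwolfssl.so": b"",
                       "lib/arm64-v8a/libwolfsslwrapper.so": b""})
    base = make_zip({"org/apache/hc/client5/version.properties": b"",
                     "org/apache/hc/core5/version.properties": b"", "classes.dex": b""})
    return make_zip({"config.arm64_v8a.apk": native,
                     "com.clavister.oneconnect.apk": base})

if __name__ == "__main__":
    print(scan_archive(build_sample_xapk()))
```

A path match only shows that a file with that name is bundled; it says nothing about the component's version or whether the app actually calls it.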