For *nix systems and their users, FirePass does not use any proprietary "voodoo" to build its SSL VPN tunnels. The underlying technology is nothing more complex than PPP over SSL, coupled with unique, session-based authentication. Internally, F5 has used this to our advantage for testing and for employee remote access from Unix-style systems that FirePass does not officially support. Over the years we have developed several robust (and fairly complex) test suites and end-user access tools using nothing more than OpenSSL and pppd.

For this month's Tech Tip, we took the foundation of our internal tools and turned it into a publicly available Perl script. This fully functional example performs the three steps necessary to log into a FirePass and create an SSL VPN tunnel: authenticate with a username and password, obtain the session token, and request the tunnel. Using it as a basis, it would be trivial to add prompting for sensitive information (so credentials never sit in the script or on the command line, where other users can see them), in-depth error handling, automatic route configuration, intelligent management of pppd, and so on; the sky's the limit!

We're providing this script in the hope that it will be useful as an educational tool and a good starting point for that custom project you've been dreaming of. We highly recommend playing with it in a test environment before using it in production.

The script uses some basic UNIX tools, detailed in the video and in the comments in the source code, to establish a connection to the FirePass without any client software beyond pppd and OpenSSL. By sending a series of properly formatted HTTP requests to the FirePass, we can not only prove that we are an authenticated user (with a valid username and password) but also request an SSL VPN connection, all without opening a browser once. Once the FirePass accepts the tunnel request, the same SSL connection simply carries PPP frames, which is exactly what pppd's pty option was made for.

While there are some limitations to this simplified approach (pre-login sequences are skipped entirely, so whatever those sequences would normally check is not checked for this client), there are some very interesting possibilities as well. The very fact that it is completely clientless is intriguing in and of itself.
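To make the three steps concrete, here is an added example in the same spirit as the Perl script: it is written for this page, in Python rather than Perl, and is not F5's script. The gateway hostname, the login and tunnel URL paths, the form field names and the session cookie name are assumed placeholders; the real values come from the F5 script or from a capture of your own FirePass. What it shows is the mechanics the text describes: a credential POST over TLS, extraction of the session token from the response, a tunnel request that presents that token, and a relay that hands the rest of the TLS connection to pppd as its pty helper. The part worth studying is split_http_response: any bytes that arrive after the blank line ending the tunnel response are already PPP frames (0x7E flag, 0xFF address, 0x03 control) and must be forwarded to pppd, not thrown away.

```python
#!/usr/bin/env python3
"""PPP-over-SSL helper in the spirit of the approach described above.

Added illustration, not F5's Perl script. GATEWAY, LOGIN_PATH, TUNNEL_PATH,
SESSION_COOKIE and the form field names are ASSUMED placeholders.
"""
import os
import select
import socket
import ssl
import sys
from urllib.parse import urlencode

GATEWAY = "firepass.example.com"   # assumed hostname
LOGIN_PATH = "/login"              # assumed; the real FirePass login path differs
TUNNEL_PATH = "/tunnel"            # assumed; the real SSL VPN request path differs
SESSION_COOKIE = "SESSION"         # assumed name of the cookie carrying the session token


def build_login_request(host, path, username, password):
    """Step 1: POST the credentials as a form (field names are assumed)."""
    body = urlencode({"username": username, "password": password})
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n{body}").encode()


def build_tunnel_request(host, path, cookie):
    """Step 3: request the SSL VPN channel, presenting the session cookie.
    After the response headers, this same TLS connection carries raw PPP."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n"
            "Connection: keep-alive\r\n\r\n").encode()


def split_http_response(buf):
    """Return (status line, headers, remainder), or None until the header
    terminator arrives. The remainder is data received after the blank line;
    on the tunnel request those bytes are already PPP and belong to pppd."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, rest


def session_cookie(headers, name):
    """Step 2: pull 'name=value' out of Set-Cookie; None means no session."""
    for raw in headers.get("set-cookie", []):
        pair = raw.split(";", 1)[0].strip()
        if pair.startswith(name + "="):
            return pair
    return None


def tls_connect(host, port=443):
    ctx = ssl.create_default_context()   # verifies the gateway certificate
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


def read_response_head(sock):
    buf = b""
    while (parsed := split_http_response(buf)) is None:
        chunk = sock.recv(4096)
        if not chunk:
            raise RuntimeError("connection closed before HTTP headers arrived")
        buf += chunk
    return parsed


def login(host, username, password):
    with tls_connect(host) as s:
        s.sendall(build_login_request(host, LOGIN_PATH, username, password))
        status, headers, _ = read_response_head(s)
    cookie = session_cookie(headers, SESSION_COOKIE)
    if cookie is None:
        raise RuntimeError("login failed: " + status)
    return cookie


def relay(sock, first_ppp_bytes):
    """Run as pppd's 'pty' helper: fd 0/1 are the PPP side, sock the SSL side."""
    if first_ppp_bytes:
        os.write(1, first_ppp_bytes)
    while True:
        while sock.pending():                 # TLS records already decrypted
            os.write(1, sock.recv(4096))
        ready, _, _ = select.select([0, sock], [], [])
        if 0 in ready:
            data = os.read(0, 4096)
            if not data:
                return                        # pppd hung up
            sock.sendall(data)
        if sock in ready:
            data = sock.recv(4096)
            if not data:
                return                        # gateway closed the tunnel
            os.write(1, data)


if __name__ == "__main__":
    if len(sys.argv) >= 3 and sys.argv[1] == "login":     # fp_tunnel.py login USER
        from getpass import getpass
        print(login(GATEWAY, sys.argv[2], getpass()))     # prints SESSION=...
    else:  # run by pppd; the cookie is assumed to reach us via the environment:
        # SESSION="SESSION=..." pppd nodetach noauth noipdefault usepeerdns \
        #     pty "python3 fp_tunnel.py tunnel"
        s = tls_connect(GATEWAY)
        s.sendall(build_tunnel_request(GATEWAY, TUNNEL_PATH, os.environ["SESSION"]))
        status, _, rest = read_response_head(s)
        if not status.startswith("HTTP/1.1 200"):
            sys.exit("tunnel request refused: " + status)
        relay(s, rest)
```

The login step prompts for the password rather than taking it from the command line, and the tunnel step reads the session token from the environment rather than an argument, because pppd's pty command line (and anything passed on it) is visible to every local user through ps. The TLS context verifies the FirePass certificate by default; if your lab gateway uses a self-signed certificate, add it to the trust store rather than disabling verification, since the session token travels over that connection.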

In case you missed the links inline above, here they are:

Check out the video for more detail about what's going on.

Get the source and play with it yourself.
Note: the file is named "SSL VPN Perl Script for FirePass Login" and is available under the Security API section of the page.