On Thu, 2015-01-01 at 10:29 +0000, David Woodhouse wrote:

> A few people have been asking about supporting Juniper SSL VPN in
> OpenConnect, and there are others like Vyatta which might also be
> relevant.
>
> I was originally a bit reluctant to support other VPNs in OpenConnect —
> applying the Unix philosophy of "do one thing, and do it well."
> However, I've mostly changed my mind. The Cisco protocol-specific parts
> of OpenConnect are probably only about 10% of it now, surrounded by all
> the rest of the infrastructure you need to make a viable VPN client on
> all platforms under the sun — tun device handling, HTTP and SOCKS proxy
> support with NTLM/Kerberos/Digest/Basic authentication and libproxy for
> discovery, certificate handling with PKCS#11 and TPM support, OTP
> support for software and hardware tokens, etc.

I'm not sure I like that. What is Juniper SSL VPN? Is it a protocol worth implementing, or is it yet another unstudied protocol which may be insecure?

As it is now, openconnect is both a protocol and a program. Both are known to be reasonably secure. I wouldn't like openconnect at some point to transparently negotiate PPTP for me.

That said, I'd like the current openconnect protocol to be better, and standardized, and it is one of my goals this year to write a draft description of the protocol, possibly enhancing it as well by eliminating the hacks from it, like the OpenSSL string negotiation and the explicitly transferred DTLS key.

regards,
Nikos