As discussed last month (http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004010.html), I've modified openconnect to support GlobalProtect VPNs. This is an SSL+ESP VPN and it has been fairly straightforward to make OpenConnect support it.

I've now been using it successfully for real work for several weeks and have a couple reports of successful use by others. Is this a good point to submit patches to add GP support?

I was planning to break down my changes into two parts to make them easier to review.

First, add *SSL-only* support for GP. This is a pretty self-contained change, requiring only two small patches to the rest of the OpenConnect code to work correctly:

- Handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24: http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004039.html
- Unset got_cancel_cmd after reacting to it, as is already done for got_pause_cmd: http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004038.html

Secondly, patches to add ESP support for GP. These require a few more patches to the existing OpenConnect code to allow as much of the Juniper ESP code to be reused as possible. Briefly:

* Juniper and GP use completely different "probe packets" to check for ESP connectivity
* Juniper generates its ESP keys on the client side and then reports them to the server, while GP does it on the server side and then reports them to the client
* The ESP and SSL tunnels cannot be simultaneously open with GP; opening the SSL tunnel kills ESP connectivity. A small change to the mainloop is needed to make pause/reconnect handle GP ESP correctly.

Thanks,
Dan
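The two route notations named in the message (10.1.2.0/255.255.255.0 and 10.1.2.0/24), handled by one parser; this is an added example, not the code of the linked patch or of OpenConnect. The name `parse_ipv4_route` is hypothetical, and rejecting non-contiguous netmasks is an assumption of this example, made because the route string arrives from the VPN server.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not the code of the linked patch: parse an IPv4 route
 * written as "addr/prefixlen" or "addr/dotted-netmask". On success returns 0
 * with *net (host byte order, host bits cleared) and *prefix set; -1 if bad. */
int parse_ipv4_route(const char *route, uint32_t *net, int *prefix)
{
	char addr[INET_ADDRSTRLEN];
	struct in_addr a, m;
	const char *slash = strchr(route, '/');
	uint32_t mask, inv;
	int len = 0;

	if (!slash || slash == route || (size_t)(slash - route) >= sizeof(addr))
		return -1;
	memcpy(addr, route, (size_t)(slash - route));
	addr[slash - route] = '\0';
	if (inet_pton(AF_INET, addr, &a) != 1)
		return -1;
	if (strchr(slash + 1, '.')) {
		/* Netmask form: only a contiguous mask maps to a prefix length */
		if (inet_pton(AF_INET, slash + 1, &m) != 1)
			return -1;
		mask = ntohl(m.s_addr);
		inv = ~mask;
		if (inv & (inv + 1))	/* ~mask must have the form 2^n - 1 */
			return -1;
		for (; mask & 0x80000000u; mask <<= 1)
			len++;
	} else {
		char *end;	/* Prefix form: plain digits only, range 0..32 */
		long v = isdigit((unsigned char)slash[1]) ? strtol(slash + 1, &end, 10) : -1;
		if (v < 0 || v > 32 || *end)
			return -1;
		len = (int)v;
	}
	mask = len ? 0xffffffffu << (32 - len) : 0;
	*net = ntohl(a.s_addr) & mask;
	*prefix = len;
	return 0;
}
```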