adding support for PAN Globalprotect (SSL+ESP) to Openconnect

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



As discussed last month
(http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004010.html),
I've modified openconnect to support Globalprotect VPNs. This is an
SSL+ESP VPN and it has been fairly straightforward to make Openconnect
support it.

I've now been using it successfully for real work for several weeks
and have a couple reports of successful use by others.

Is this a good point to submit patches to add GP support?

I was planning to break down my changes into two parts to make them
easier to review. First, add *SSL-only* support for GP. This is a
pretty self-contained change, requiring only two small patches to the
rest of the OpenConnect code to work correctly:

- Handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24:
  http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004039.html

- Unset got_cancel_cmd after reacting to it, as is already done for
got_pause_cmd:
  http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004038.html

Secondly, patches to add ESP support for GP. These require a few more
patches to the existing OpenConnect code to allow as much of the
Juniper ESP code to be reused as possible. Briefly:

* Juniper and GP use completely different "probe packets" to check for
ESP connectivity
* Juniper generates its ESP keys on the client side and then reports
them to the server, while GP does it on the server side and then
reports them to the client
* The ESP and SSL tunnels cannot be simultaneously open with GP;
opening the SSL tunnel kills ESP connectviity. A small change to the
mainloop is needed to make pause/reconnect handle GP ESP correctly.

Thanks,
Dan



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux