Hi all,

I've encountered a new flavor of corporate VPN, and I followed some of the helpful advice given on this list for supporting the Juniper VPN (http://openconnect-devel.infradead.narkive.com/ZPtB8Gyt/compatibility-with-juniper-ssl-vpn).

A bit of work with mitmproxy and Wireshark shows me that this one is very similar to the Juniper VPN which OpenConnect already supports, at least in the configuration that I have access to:

1. Client submits a simple HTTPS form with username and password to https://gateway.company.com/ssl-vpn/login.esp
2. Server returns a random authentication cookie
3. Client submits a form with the cookie to https://gateway.company.com/ssl-vpn/getconfig.esp
4. Server returns an XML configuration file, which contains:
   a) The usual routing information
   b) An IPsec configuration section with algorithms and specific keys and SPIs to use
5. Client and server stop talking TLS and start communicating via UDP-encapsulated-ESP

I would be very glad to add support for this authentication process VPN to OpenConnect, but first I would like to try to play around with connecting to it "manually" to verify that I understand its operation correctly and am not overlooking anything important.

Is there a good way to create a UDP-encapsulated-ESP tunnel using Linux command line tools, and set up the keys and routing for it manually to test whether it works properly? Or is there an easy way to adapt the openconnect source code to do this?

Thanks,
Dan
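
One way to try the manual setup asked about above with iproute2's `ip xfrm`, as an added example that is not part of the original post or of OpenConnect. The script only prints the commands for review; the addresses, port 4500, the AES-128-CBC/HMAC-SHA1 suite, the SPIs and the keys are constructed assumptions to be replaced with the values from the gateway's configuration response.

```shell
#!/bin/sh
# Prints (does not run) the ip-xfrm commands for a manual ESP-in-UDP tunnel.
# Every address, port, SPI and key here is a constructed placeholder.
LOCAL=192.0.2.10  GW=198.51.100.1      # outer addresses (constructed)
INNER=10.0.0.5    NET=10.0.0.0/8       # tunnel address and routed net (constructed)
PORT=4500                              # UDP encapsulation port (assumed)
ENC='cbc(aes)'    AUTH='hmac(sha1)'    # kernel algorithm names (assumed suite)

# is_hex NCHARS VALUE: true if VALUE is exactly NCHARS hex digits
is_hex() {
    case $2 in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#2}" -eq "$1" ]
}

# sa SRC DST SPI ENCKEY AUTHKEY: one unidirectional SA with UDP encapsulation.
# Expects a 32-bit SPI, a 128-bit AES key and a 160-bit HMAC-SHA1 key, in hex.
sa() {
    is_hex 8 "$3" && is_hex 32 "$4" && is_hex 40 "$5" || {
        echo "bad SPI or key length for $ENC/$AUTH" >&2; return 1; }
    echo "ip xfrm state add src $1 dst $2 proto esp spi 0x$3 mode tunnel" \
         "enc '$ENC' 0x$4 auth '$AUTH' 0x$5 encap espinudp $PORT $PORT 0.0.0.0"
}

# pol DIR SRCSEL DSTSEL TSRC TDST: policy that steers matching traffic into the SA
pol() {
    echo "ip xfrm policy add src $2 dst $3 dir $1" \
         "tmpl src $4 dst $5 proto esp mode tunnel"
}

# plan OUT_SPI OUT_ENC OUT_AUTH IN_SPI IN_ENC IN_AUTH: both SAs, both policies
plan() {
    sa "$LOCAL" "$GW" "$1" "$2" "$3" || return 1
    sa "$GW" "$LOCAL" "$4" "$5" "$6" || return 1
    pol out "$INNER/32" "$NET" "$LOCAL" "$GW"
    pol in  "$NET" "$INNER/32" "$GW" "$LOCAL"
}

# Constructed sample keys; review the printed plan before running it as root
K=00112233445566778899aabbccddeeff A=000102030405060708090a0b0c0d0e0f10111213
plan 0a1b2c3d "$K" "$A" 0e4f5a6b "$K" "$A"
```

The kernel only decapsulates inbound ESP-in-UDP when a local UDP socket bound to that port has the `UDP_ENCAP` option set to `UDP_ENCAP_ESPINUDP`, so these commands alone cover the outbound direction. The inner address also has to be assigned to a local interface, with a route for the remote network that uses it as source.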