testing a new SSL+ESP VPN

On Tue, Oct 4, 2016 at 9:16 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> The ESP parts of OpenConnect are *mostly* generic, without any Juniper-
> specific bits in them. The main case I see where that's *not* true is
> where we use Juniper-specific numbering in vpninfo->esp_enc and
> vpninfo->esp_hmac, and the trick where we send zero-length data packets
> as a probe, and expect those back from the server before we consider
> the connection 'established' over UDP.

The "probe" packets used by OpenConnect are definitely Juniper-specific.

I was trying to think about how to make these configurable so that
GlobalProtect can use the same ESP mainloop, and pretty much the rest
of esp.c, without affecting Juniper support.

My thought was to add two more proto-configurable functions,
vpninfo->proto->udp_send_probes() and
vpninfo->proto->udp_catch_probe(). The former would send whatever UDP
probe packet is needed for the protocol, while the latter would detect
incoming packets that match the return probe.

Does that seem like the right approach?

Thanks,
Dan
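
The proposal above, sketched as an added example (not code from the message or from OpenConnect): a generic ESP receive path that defers probe handling to two per-protocol hooks. The struct layouts, `esp_handle_payload()`, `demo()`, and the "example-probe" marker payload are hypothetical and stand in for no real protocol's probe; only the hook names and the zero-length probe come from the thread.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified types; not OpenConnect's real structures. */
struct vpninfo;
struct vpn_proto {
    /* Fill buf with this protocol's probe payload and return its length. */
    size_t (*udp_send_probes)(struct vpninfo *v, unsigned char *buf, size_t cap);
    /* Return 1 if a decrypted ESP payload is the returned probe, else 0. */
    int (*udp_catch_probe)(struct vpninfo *v, const unsigned char *p, size_t len);
};
struct vpninfo { const struct vpn_proto *proto; int established; unsigned delivered; };

/* Zero-length data packet used as the probe, as the quoted message describes. */
static size_t zero_send(struct vpninfo *v, unsigned char *b, size_t cap)
{ (void)v; (void)b; (void)cap; return 0; }
static int zero_catch(struct vpninfo *v, const unsigned char *p, size_t len)
{ (void)v; (void)p; return len == 0; }

/* Constructed stand-in for a second protocol: a fixed marker payload. */
static const unsigned char MARK[] = "example-probe";
static size_t mark_send(struct vpninfo *v, unsigned char *b, size_t cap)
{ (void)v; if (cap < sizeof(MARK)) return 0; memcpy(b, MARK, sizeof(MARK)); return sizeof(MARK); }
static int mark_catch(struct vpninfo *v, const unsigned char *p, size_t len)
{ (void)v; return len == sizeof(MARK) && memcmp(p, MARK, len) == 0; }
const struct vpn_proto proto_zero = { zero_send, zero_catch };
const struct vpn_proto proto_mark = { mark_send, mark_catch };

/* Generic receive path: 1 = probe consumed, 0 = data delivered,
 * -1 = data ignored because no probe has come back yet (assumption of this sketch). */
int esp_handle_payload(struct vpninfo *v, const unsigned char *p, size_t len)
{
    if (v->proto->udp_catch_probe(v, p, len)) { v->established = 1; return 1; }
    if (!v->established) return -1;
    v->delivered++;
    return 0;
}

/* Send a probe, loop it back as if the server returned it, then pass one data payload. */
int demo(const struct vpn_proto *proto)
{
    struct vpninfo v = { proto, 0, 0 };
    unsigned char buf[32] = {0};
    size_t n = proto->udp_send_probes(&v, buf, sizeof(buf));
    if (esp_handle_payload(&v, (const unsigned char *)"data", 4) != -1) return -1;
    if (esp_handle_payload(&v, buf, n) != 1) return -2;
    return esp_handle_payload(&v, (const unsigned char *)"data", 4) == 0 && v.delivered == 1;
}

int main(void)
{ printf("zero-length: %d, marker: %d\n", demo(&proto_zero), demo(&proto_mark)); return 0; }
```

With the hooks in place, the receive path itself contains no protocol-specific test: a zero-length payload marks the tunnel established only under the protocol whose hook accepts it.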


