On Tue, Oct 4, 2016 at 9:16 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> The ESP parts of OpenConnect are *mostly* generic, without any Juniper-
> specific bits in them. The main case I see where that's *not* true is
> where we use Juniper-specific numbering in vpninfo->esp_enc and
> vpninfo->esp_hmac, and the trick where we send zero-length data packets
> as a probe, and expect those back from the server before we consider
> the connection 'established' over UDP.

The "probe" packets used by OpenConnect are definitely Juniper-specific.

I was trying to think about how to make these configurable so that
GlobalProtect can use the same ESP mainloop, and pretty much the rest of
esp.c, without affecting Juniper support.

My thought was to add two more proto-configurable functions,
vpninfo->proto->udp_send_probes() and vpninfo->proto->udp_catch_probe().
The former would send whatever UDP probe packet is needed for the
protocol, while the latter would detect incoming packets that match the
return probe.

Does that seem like the right approach?

Thanks,
Dan
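
A sketch of the two per-protocol hooks proposed in the message above, added here as an example; it is not code from OpenConnect or from either author. Every name other than udp_send_probes and udp_catch_probe is hypothetical, and the second protocol's probe payload is constructed for contrast, not GlobalProtect's actual format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for illustration, not OpenConnect's structures. */
enum udp_state { UDP_PROBING, UDP_ESTABLISHED };
struct tunnel;
struct proto_ops {
    int  (*udp_send_probes)(struct tunnel *t);
    bool (*udp_catch_probe)(const unsigned char *payload, size_t len);
};
struct tunnel {
    const struct proto_ops *proto;
    enum udp_state state;
    size_t last_sent_len;   /* payload length of the last probe sent */
    int probes_sent;
};

/* Stand-in for "encrypt and send one ESP packet carrying this payload". */
static int send_esp(struct tunnel *t, const void *payload, size_t len) {
    (void)payload; t->last_sent_len = len; t->probes_sent++;
    return 0;
}

/* Juniper-style probe as described in the thread: a zero-length data packet. */
static int juniper_send(struct tunnel *t) { return send_esp(t, "", 0); }
static bool juniper_catch(const unsigned char *p, size_t len) { (void)p; return len == 0; }

/* Constructed second protocol with a fixed probe payload (not a real format). */
static const unsigned char DEMO_PROBE[] = "demo-probe";
static int demo_send(struct tunnel *t) { return send_esp(t, DEMO_PROBE, sizeof DEMO_PROBE - 1); }
static bool demo_catch(const unsigned char *p, size_t len) {
    return len == sizeof DEMO_PROBE - 1 && memcmp(p, DEMO_PROBE, len) == 0;
}

const struct proto_ops juniper_ops = { juniper_send, juniper_catch };
const struct proto_ops demo_ops    = { demo_send, demo_catch };

/* Shared receive path. Assumption: it is called only on payloads that already
 * passed ESP authentication and decryption.
 * Returns 1 if the payload is data for the tun device, 0 if it was a probe. */
int esp_rx(struct tunnel *t, const unsigned char *payload, size_t len) {
    if (t->proto->udp_catch_probe(payload, len)) {
        t->state = UDP_ESTABLISHED;   /* probe came back: UDP path works */
        return 0;                     /* probes never reach the tun device */
    }
    return 1;
}
```

The shared receive path stays protocol-neutral: a zero-length payload marks the UDP path established only for the protocol whose hook recognises it.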