adding support for PAN Globalprotect (SSL+ESP) to Openconnect

Daniel Lenski dlenski at gmail.com
Sat Dec 24 15:19:00 PST 2016


(Sorry, I stopped watching this list for a bit)

On Tue, Dec 13, 2016 at 3:59 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> I was planning to break down my changes into two parts to make them
>> easier to review. First, add *SSL-only* support for GP. This is a
>> pretty self-contained change, requiring only two small patches to the
>> rest of the OpenConnect code to work correctly:
>>
>> - Handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24:
>>   http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004039.html
>>
>> - Unset got_cancel_cmd after reacting to it, as is already done for
>> got_pause_cmd:
>>   http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004038.html
>
> I've merged these and they'll be in the 7.08 release, which I'm working
> on right now and hoping to push out today unless anything explodes.

Great!

> I'm slightly reticent about merging new protocols but I think it makes
> sense, and your submissions so far have reassured me that you'll do a
> good job of maintaining it.
>
> However, I think I do need to lumber you with an additional hurdle
> before we merge your new protocol after 7.08 — let's add a new API to
> check whether libopenconnect supports a given protocol, or to enumerate
> the protocols it supports. Currently it's just a hard-coded "if it's
> 7.05 or newer, it supports Juniper too", and I don't think we want that
> to continue. Let's do something explicit instead, and things like
> NetworkManager-openconnect can base their decisions on that.

For the protocol enumeration API, should the enumeration function
*just* return a linked list of protocol names
({"anyconnect","nc","gp"}) or will it need to return something more
complex with hints about possible authentication schemes, etc.? Since
all three of the current protocols use HTTPS for authentication and
HTTPS or <something UDP based> for the transport, I think a plain list
should suffice… but I'm not that familiar with the more exotic
authentication possibilities for Juniper and may be overlooking
something.

We had also discussed the possibility of "--protocol=autodetect" or
something to that effect. Is that still something you'd want to have
ready in order for a merge? I do not currently have access to any
Juniper VPN, so I might have trouble testing it thoroughly.

Thanks,
Dan
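As an added sketch of the kind of enumeration API the two of you are discussing (illustration only, written for this page; it is not libopenconnect's actual API and not code from either author): a protocol table that carries a name plus a few capability hints, an enumeration call, and an explicit by-name check that a front end such as NetworkManager-openconnect could use instead of a version-number rule. The names `struct vpn_proto`, `supported_protocols`, `find_protocol` and `protocol_has_udp` are hypothetical, and the table is constructed, with "gp" marked TLS-only to reflect the SSL-only first stage described in the thread.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical capability hints (constructed for this sketch). */
enum proto_flags {
    PROTO_AUTH_HTTPS = 1 << 0,  /* authentication happens over HTTPS */
    PROTO_XPORT_TLS  = 1 << 1,  /* tunnel can run over TLS */
    PROTO_XPORT_UDP  = 1 << 2,  /* tunnel can also use a UDP transport (DTLS/ESP) */
};

/* Hypothetical descriptor: a bare name list would drop the flags field. */
struct vpn_proto {
    const char *name;    /* the --protocol value */
    const char *pretty;  /* human-readable label for a UI */
    unsigned    flags;   /* hints a front end may act on */
};

/* Constructed table for the three protocols named in the thread.
 * "gp" is TLS-only here, matching the SSL-only first stage of the GP work. */
static const struct vpn_proto proto_table[] = {
    { "anyconnect", "Cisco AnyConnect",        PROTO_AUTH_HTTPS | PROTO_XPORT_TLS | PROTO_XPORT_UDP },
    { "nc",         "Juniper Network Connect", PROTO_AUTH_HTTPS | PROTO_XPORT_TLS | PROTO_XPORT_UDP },
    { "gp",         "PAN GlobalProtect",       PROTO_AUTH_HTTPS | PROTO_XPORT_TLS },
};

/* Enumeration: hands back the table and returns its length, so a caller can
 * build its protocol menu from what this build actually supports rather than
 * from a hard-coded "version >= X implies protocol Y" rule. */
int supported_protocols(const struct vpn_proto **out)
{
    *out = proto_table;
    return (int)(sizeof proto_table / sizeof proto_table[0]);
}

/* Explicit support check by name; returns the descriptor or NULL. */
const struct vpn_proto *find_protocol(const char *name)
{
    const struct vpn_proto *p;
    int n = supported_protocols(&p);
    for (int i = 0; i < n; i++)
        if (strcmp(p[i].name, name) == 0)
            return &p[i];
    return NULL;
}

/* Example of a hint a front end might consult: does the protocol offer a UDP transport? */
bool protocol_has_udp(const char *name)
{
    const struct vpn_proto *p = find_protocol(name);
    return p != NULL && (p->flags & PROTO_XPORT_UDP) != 0;
}
```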


