testing a new SSL+ESP VPN

[David Woodhouse]

On Sat, 2016-10-08 at 01:52 -0500, Daniel Lenski wrote:
> Fair enough :-). It turns out that the stream format in this
> particular case is pretty simple, so I should quit my whining and/or
> whinging.

You don't *have* to stop whinging; I've been doing the Cisco protocol
for about 8 years now and I still haven't stopped whinging about that
(partly because they're still constrained by hardware to doing a
version of the DTLS protocol from before it was even standardised, and
I've had to *add* support for that variant to two crypto libraries).

And I added a whole new set of naughty words to my repertoire when I
did the Juniper protocol :)

> For some reason, the Windows client drops the tunnel connection after
> a few seconds of running it through a (non-transparent) proxy.
>  It seems to get stupidly confused as soon as it changes the default route
> and thinks it has lost communication with the proxy.

Perhaps it preserves the specific route to the VPN server... but not to
the proxy? I've had a bug like that in the past...

When there's no proxy (and when the UDP channel is blocked and can't
establish), I assume it stays up?

> I'll start hacking on the OpenConnect code and will try to get the SSL
> tunnel working before ESP.

Great.

> I don't know what the getconfig XML will look like for an IPv6 network
> configuration. A few minutes of googling didn't turn up anything very
> useful.

Running 'strings' on the executable can often be enlightening. Failing
that though, it'll have to be Legacy IP only for now.

-- 
dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20161008/d2597d24/attachment.bin>