testing a new SSL+ESP VPN
David Woodhouse
dwmw2 at infradead.org
Sat Oct 8 00:52:55 PDT 2016
On Sat, 2016-10-08 at 01:52 -0500, Daniel Lenski wrote:
> Fair enough :-). It turns out that the stream format in this
> particular case is pretty simple, so I should quit my whining and/or
> whinging.
You don't *have* to stop whinging; I've been doing the Cisco protocol
for about 8 years now and I still haven't stopped whinging about that
(partly because they're still constrained by hardware to doing a
version of the DTLS protocol from before it was even standardised, and
I've had to *add* support for that variant to two crypto libraries).
And I added a whole new set of naughty words to my repertoire when I
did the Juniper protocol :)
> For some reason, the Windows client drops the tunnel connection after
> a few seconds of running it through a (non-transparent) proxy.
> It seems to get stupidly confused as soon as it changes the default route
> and thinks it has lost communication with the proxy.
Perhaps it preserves the specific route to the VPN server... but not to
the proxy? I've had a bug like that in the past...
When there's no proxy (and when the UDP channel is blocked and can't
establish), I assume it stays up?
> I'll start hacking on the OpenConnect code and will try to get the SSL
> tunnel working before ESP.
Great.
> I don't know what the getconfig XML will look like for an IPv6 network
> configuration. A few minutes of googling didn't turn up anything very
> useful.
Running 'strings' on the executable can often be enlightening. Failing
that though, it'll have to be Legacy IP only for now.
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20161008/d2597d24/attachment.bin>
More information about the openconnect-devel
mailing list