testing a new SSL+ESP VPN

Daniel Lenski dlenski at gmail.com
Mon Oct 24 09:03:18 PDT 2016


On Tue, Oct 4, 2016 at 9:16 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> The ESP parts of OpenConnect are *mostly* generic, without any Juniper-
> specific bits in them. The main case I see where that's *not* true is
> where we use Juniper-specific numbering in vpninfo->esp_enc and
> vpninfo->esp_hmac, and the trick where we send zero-length data packets
> as a probe, and expect those back from the server before we consider
> the connection 'established' over UDP.

The "probe" packets used by OpenConnect are definitely Juniper-specific.

I was trying to think about how to make these configurable so that
GlobalProtect can use the same ESP mainloop, and pretty much the rest
of esp.c, without affecting Juniper support.

My thought was to add two more proto-configurable functions,
vpninfo->proto->udp_send_probes() and
vpninfo->proto->udp_catch_probe(). The former would send whatever UDP
probe packet is needed for the protocol, while the latter would detect
incoming packets that match the return probe.

Does that seem like the right approach?

Thanks,
Dan
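As an added illustration of the proposal above (not OpenConnect code, and not code from either poster), the sketch below shows how two per-protocol hooks, udp_send_probes() and udp_catch_probe(), could let one generic ESP mainloop establish the UDP path without knowing what a probe looks like. The Juniper entry reproduces the behaviour described in the thread (zero-length packet out, zero-length packet back). The second protocol entry uses a made-up 4-byte marker purely to show a different probe shape plugging into the same loop; it is an assumption for illustration and says nothing about GlobalProtect's real wire format. The pkt, vpn_proto and vpninfo structures are cut-down stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PKT_MAX 64

struct pkt {
    size_t len;
    uint8_t data[PKT_MAX];
};

struct vpninfo;

/* Proposed hooks: a protocol supplies how to send probes and how to spot
 * the server's answer. The mainloop never inspects packet contents itself. */
struct vpn_proto {
    const char *name;
    int (*udp_send_probes)(struct vpninfo *v, struct pkt *out, size_t max);
    bool (*udp_catch_probe)(struct vpninfo *v, const struct pkt *p);
};

struct vpninfo {
    const struct vpn_proto *proto;
    int probes_sent;
    bool esp_established;
};

/* Juniper behaviour as described in the thread: the probe is a zero-length
 * data packet, and a zero-length packet coming back is the reply. */
static int juniper_send_probes(struct vpninfo *v, struct pkt *out, size_t max)
{
    if (max < 1)
        return 0;
    memset(&out[0], 0, sizeof out[0]);   /* len = 0: the probe itself */
    v->probes_sent++;
    return 1;
}

static bool juniper_catch_probe(struct vpninfo *v, const struct pkt *p)
{
    (void)v;
    return p->len == 0;
}

/* Hypothetical second protocol: a constructed 4-byte marker is the probe.
 * This marker is invented for the example; it is not any real VPN's format. */
static const uint8_t example_probe[4] = { 'P', 'R', 'B', 'E' };

static int example_send_probes(struct vpninfo *v, struct pkt *out, size_t max)
{
    if (max < 1)
        return 0;
    memset(&out[0], 0, sizeof out[0]);
    memcpy(out[0].data, example_probe, sizeof example_probe);
    out[0].len = sizeof example_probe;
    v->probes_sent++;
    return 1;
}

static bool example_catch_probe(struct vpninfo *v, const struct pkt *p)
{
    (void)v;
    return p->len == sizeof example_probe &&
           memcmp(p->data, example_probe, sizeof example_probe) == 0;
}

const struct vpn_proto juniper_proto = { "juniper", juniper_send_probes, juniper_catch_probe };
const struct vpn_proto example_proto = { "example", example_send_probes, example_catch_probe };

/* One pass of a protocol-agnostic ESP mainloop. Until UDP is established,
 * probes are (re)sent; the first incoming packet the protocol recognises as
 * a probe reply marks the path established. Returns the number of packets
 * treated as ordinary data. */
int esp_mainloop_once(struct vpninfo *v, const struct pkt *in, size_t n,
                      struct pkt *out, size_t out_max)
{
    int data_pkts = 0;

    if (!v->esp_established)
        v->proto->udp_send_probes(v, out, out_max);

    for (size_t i = 0; i < n; i++) {
        if (!v->esp_established && v->proto->udp_catch_probe(v, &in[i])) {
            v->esp_established = true;
            continue;
        }
        data_pkts++;
    }
    return data_pkts;
}

/* Constructed scenario: pass 1 sends a probe and hears nothing; pass 2 gets
 * the echoed probe plus two data packets; pass 3 must send no more probes. */
bool demo_establishes(const struct vpn_proto *proto)
{
    struct vpninfo v = { proto, 0, false };
    struct pkt out[1], in[3];

    esp_mainloop_once(&v, NULL, 0, out, 1);          /* probe #1, no reply yet */

    in[0] = out[0];                                  /* server echoes the probe */
    memset(&in[1], 0, sizeof in[1]); in[1].len = 10;
    memset(&in[2], 0, sizeof in[2]); in[2].len = 10;
    int data = esp_mainloop_once(&v, in, 3, out, 1); /* probe #2, then reply seen */

    esp_mainloop_once(&v, NULL, 0, out, 1);          /* established: no probe sent */

    return v.esp_established && data == 2 && v.probes_sent == 2;
}
```

The point of the split is that esp_mainloop_once() contains nothing Juniper-specific: swapping vpninfo->proto changes what goes out and what counts as a reply, while the retry-until-established logic is shared. A real implementation would additionally need the reply check to be robust against stray packets that happen to look like a probe, which is why udp_catch_probe() receives the full packet rather than just its length.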