Aruba VIA VPN support

Daniel Lenski dlenski at gmail.com
Mon Jun 6 13:42:18 PDT 2022


On Mon, Jun 6, 2022 at 1:27 PM Daniel Pou <daniel.pou at gmail.com> wrote:
>
> I will give it a shot. The possibly oddball thing about VIA, is the
> "hybrid" nature, that it "automatically scans and selects the best,
> secure connection to terminate traffic" where it supports IPSec/SSL.

Yes, that's typical marketing fluff/BS for proprietary VPNs. Most
likely, it just means that they…

(a) do the authentication over HTTPS
(b) try to establish a tunnel over ESP-over-UDP (ESP is a component
protocol of the IPSec suite)
(c) fall back to an SSL/TLS tunnel if ESP-over-UDP doesn't work

That's entirely equivalent to how Juniper or GlobalProtect work
(https://www.infradead.org/openconnect/juniper.html or
https://www.infradead.org/openconnect/globalprotect.html).

We shouldn't have too much trouble integrating such a protocol into
OpenConnect once you've figured out some of the details. I recently
wrote up some documentation on how to analyze proprietary VPN
protocols, using tools like mitmproxy:
https://www.infradead.org/openconnect/mitm.html

Dan

PS- All or nearly all client-server/remote-access VPNs work in the
same fundamental way. The user-visible details could mostly be
described as "bugs" or "annoyances". From my 2020 talk on this
(https://datapdx.org/2020/08/28/september-2020-openconnect):

- All remote-access VPNs basically work like I’ve just described.
- There are many small differences among end-user client software
interfaces, which can be very tedious and annoying if you have to use
several VPNs.
- Under the hood, there are tons of essentially superficial
differences in the protocols: formatting of configuration data
exchange, packet encapsulation; also some functional details that can
affect reliability and versatility.
- They have so many common features that it should be possible to write…
- Software that can connect to all of them in a way that’s entirely
equivalent to the end user.
→ OpenConnect
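The (a)/(b)/(c) shape described above, as an added example that is not part of the original thread and not OpenConnect's own code: after authentication (assumed already done over HTTPS, yielding a session token), the client sends a few keepalive probes over UDP and uses that path only if one is answered in time, otherwise it settles on the TLS tunnel. The `FakeUdpGateway` class, the `PROBE` payload and the `select_tunnel`/`probe_esp_udp` names are constructed for this illustration; a real ESP probe carries the SPI and sequence number negotiated during the HTTPS step, not an opaque string.

```python
import socket
import threading

# Constructed probe payload. A real client sends an actual ESP keepalive
# built from the SPI/keys returned by the HTTPS authentication step (a).
PROBE = b"esp-udp-probe-placeholder"


def probe_esp_udp(host, port, timeout=1.0, attempts=3):
    """Step (b): send a few probes to host:port over UDP and report whether
    any reply comes back within `timeout`. No reply means UDP is blocked,
    filtered or not offered, so the caller should fall back to TLS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(attempts):
            s.sendto(PROBE, (host, port))
            try:
                data, _ = s.recvfrom(2048)
            except OSError:  # timeout, or ICMP port-unreachable surfaced as an error
                continue
            if data == PROBE:
                return True
    return False


def select_tunnel(host, udp_port, tls_port, session_token, timeout=1.0):
    """Choose the data-plane transport once step (a) has produced a session
    token. Returns a dict naming the transport the client would bring up."""
    if not session_token:
        raise ValueError("authentication over HTTPS (step a) must succeed first")
    if probe_esp_udp(host, udp_port, timeout):
        return {"transport": "esp-udp", "port": udp_port}
    return {"transport": "tls", "port": tls_port}  # step (c): fallback


class FakeUdpGateway:
    """Constructed stand-in for a gateway's UDP listener: echoes every probe."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, 0))
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def _serve(self):
        self.sock.settimeout(0.2)
        while not self._stop.is_set():
            try:
                data, addr = self.sock.recvfrom(2048)
            except OSError:
                continue
            self.sock.sendto(data, addr)

    def __enter__(self):
        self._thread.start()
        return self

    def __exit__(self, *exc):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def unused_udp_port():
    """Pick a local port with nothing listening, to exercise the fallback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run both paths locally: one with an echoing gateway, one without."""
    with FakeUdpGateway() as gw:
        with_udp = select_tunnel("127.0.0.1", gw.port, 443, "session-token", timeout=0.5)
    without_udp = select_tunnel("127.0.0.1", unused_udp_port(), 443, "session-token", timeout=0.2)
    return with_udp["transport"], without_udp["transport"]


if __name__ == "__main__":
    print(demo())
```

The probe-and-fall-back loop is the part worth keeping in mind when analysing a proprietary client with mitmproxy: the HTTPS exchange is easy to intercept, but the decision between UDP and TLS happens afterwards and only shows up as a few unanswered datagrams followed by a second TLS session to the gateway.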