No subject

Peter Tulpen ptulpen at emailn.de
Mon Apr 22 06:30:57 PDT 2024


Hello,
Unfortunately the server is a Palo Alto Prisma.
The connection should be on when the computer is online (since we want to use that channel e.g. for version checking and patching).
To avoid the issue of having a connection in a connection, I hope split tunneling and clever routing rules should be sufficient.

--- Original Message ---
From: Dimitri Papadopoulos Orfanos <dimitri.papadopoulos at cea.fr>
Date: 22.04.2024 13:42:04
To: Peter Tulpen <ptulpen at emailn.de>, openconnect-devel at lists.infradead.org
Subject: Re:

> Hi,
>
> Will you use ocserv as the VPN?
>
> This really sounds like two distinct VPN connections. I cannot think of
> a more elegant way to describe this situation.
>
> 1. Permanent VPN connection to the management server. Should that VPN
> connection be "always" on when i) a specific user starts a session or
> ii) when the computer is online? The exact configuration depends on the
> answer to the previous question.
>
> 2. User-initiated connection.
>
> You might want to avoid tunnelling connection 1 in the tunnel of
> connection 2, but that can be part of the ocserv configuration. The
> configuration could use a different "group" for either use case and
> different "route" and "no-route" options.
>
> Dimitri Papadopoulos
>
> On 20/04/2024 at 21:35, Peter Tulpen wrote:
> > Hello, we want to use openconnect to connect to our company network and
> > have like 2 modes:
> > - always have a connection to our management server based on a client
> > certificate, so the management server can scan him: basic connection
> > - when a user needs resources, let him log in via 2FA: user connection
> >
> > This could be done with 2 tunnels, but is there a more elegant way,
> > like always having the basic connection switch to the "user connection"
> > on demand (and falling back to the basic connection when the "user connection"
> > is gone)
> > I think about either a kind of service or something in NetworkManager
> >
> > Best regards, Peter
>




