adding support for PAN Globalprotect (SSL+ESP) to Openconnect

David Woodhouse dwmw2 at
Tue Dec 13 03:59:50 PST 2016

On Sun, 2016-11-06 at 13:55 -0800, Daniel Lenski wrote:
> As discussed last month
> (,
> I've modified openconnect to support Globalprotect VPNs. This is an
> SSL+ESP VPN and it has been fairly straightforward to make Openconnect
> support it.
> I've now been using it successfully for real work for several weeks
> and have a couple reports of successful use by others.
> Is this a good point to submit patches to add GP support?
> I was planning to break down my changes into two parts to make them
> easier to review. First, add *SSL-only* support for GP. This is a
> pretty self-contained change, requiring only two small patches to the
> rest of the OpenConnect code to work correctly:
> - Handle IPv4 route specified as either or
> - Unset got_cancel_cmd after reacting to it, as is already done for
> got_pause_cmd:

I've merged these and they'll be in the 7.08 release, which I'm working
on right now and hoping to push out today unless anything explodes.

I'm slightly reticent about merging new protocols but I think it makes
sense, and your submissions so far have reassured me that you'll do a
good job of maintaining it.

However, I think I do need to lumber you with an additional hurdle
before we merge your new protocol after 7.08 — let's add a new API to
check whether libopenconnect supports a given protocol, or to enumerate
the protocols it supports. Currently it's just a hard-coded "if it's
7.05 or newer, it supports Juniper too", and I don't think we want that
to continue. Let's do something explicit instead, and things like
NetworkManager-openconnect can base their decisions on that.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list