adding support for PAN Globalprotect (SSL+ESP) to Openconnect

Daniel Lenski dlenski at gmail.com
Sun Nov 6 13:55:17 PST 2016


As discussed last month
(http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004010.html),
I've modified openconnect to support Globalprotect VPNs. This is an
SSL+ESP VPN and it has been fairly straightforward to make Openconnect
support it.

I've now been using it successfully for real work for several weeks
and have a couple of reports of successful use by others.

Is this a good point to submit patches to add GP support?

I was planning to break down my changes into two parts to make them
easier to review. First, add *SSL-only* support for GP. This is a
pretty self-contained change, requiring only two small patches to the
rest of the OpenConnect code to work correctly:

- Handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24:
  http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004039.html

- Unset got_cancel_cmd after reacting to it, as is already done for
got_pause_cmd:
  http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004038.html

Secondly, patches to add ESP support for GP. These require a few more
patches to the existing OpenConnect code to allow as much of the
Juniper ESP code to be reused as possible. Briefly:

* Juniper and GP use completely different "probe packets" to check for
ESP connectivity
* Juniper generates its ESP keys on the client side and then reports
them to the server, while GP does it on the server side and then
reports them to the client
* The ESP and SSL tunnels cannot be simultaneously open with GP;
opening the SSL tunnel kills ESP connectivity. A small change to the
mainloop is needed to make pause/reconnect handle GP ESP correctly.

Thanks,
Dan
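As an added illustration of the first prerequisite patch mentioned above (routes given as either `10.1.2.0/255.255.255.0` or `10.1.2.0/24`), here is a small parser that accepts both forms and normalizes them to a prefix length. It is example code written for this page, not code from OpenConnect or from the patch itself; the function names are my own, and it deliberately rejects non-contiguous netmasks, which have no CIDR equivalent.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Parse "a.b.c.d/N" or "a.b.c.d/m.m.m.m" into a host-order network address
 * and a prefix length. Returns 0 on success, -1 on malformed input or on a
 * non-contiguous netmask (e.g. 255.0.255.0), which has no CIDR equivalent. */
int parse_ipv4_route(const char *spec, uint32_t *net, int *prefix)
{
    char buf[64], *slash, *end;
    struct in_addr a, m;
    uint32_t mask;
    long n;
    if (!spec || strlen(spec) >= sizeof(buf)) return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (!slash) return -1;
    *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    if (strchr(slash, '.')) {
        /* Dotted netmask: must be a run of ones followed by zeros. */
        if (inet_pton(AF_INET, slash, &m) != 1) return -1;
        mask = ntohl(m.s_addr);
        if ((~mask & (~mask + 1)) != 0) return -1;   /* ~mask must be 2^k - 1 */
        for (n = 0; n < 32 && (mask & (0x80000000u >> n)); n++) {}
    } else {
        /* Prefix length: a bare integer 0..32. */
        n = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || n < 0 || n > 32) return -1;
        mask = n ? 0xFFFFFFFFu << (32 - n) : 0;
    }
    *net = ntohl(a.s_addr) & mask;   /* drop host bits: 10.1.2.7/24 -> 10.1.2.0 */
    *prefix = (int)n;
    return 0;
}

/* Render the normalized route as "a.b.c.d/N"; returns -1 if spec is rejected. */
int route_to_cidr(const char *spec, char *out, size_t outlen)
{
    uint32_t net; int prefix; struct in_addr a;
    if (parse_ipv4_route(spec, &net, &prefix)) return -1;
    a.s_addr = htonl(net);
    snprintf(out, outlen, "%s/%d", inet_ntoa(a), prefix);
    return 0;
}
```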