testing a new SSL+ESP VPN

Daniel Lenski dlenski at gmail.com
Tue Oct 4 07:13:26 PDT 2016

Hi all,

I've encountered a new flavor of corporate VPN, and I followed some of
the helpful advice given on this list for supporting the Juniper VPN

A bit of work with mitmproxy and Wireshark show me that this one is
very similar to the Juniper VPN which OpenConnect already supports, at
least in the configuration that I have access to:

    1. Client submits a simple HTTPS form with username and password
to https://gateway.company.com/ssl-vpn/login.esp
    2. Server returns a random authentication cookie
    3. Client submits a form with the cookie to
    4. Server returns an XML configuration file, which contains:
        a) The usual routing information
        b) An IPsec configuration section with algorithms and specific
keys and SPIs to use
    4. Client and server stop talking TLS and start communicating via

I would be very glad to add support for this authentication process
VPN to OpenConnect, but first I would like to try to play around with
connecting to it "manually" to verify that I understand its operation
correctly and am not overlooking anything important.

Is there a good way to create a UDP-encapsulated-ESP tunnel using
Linux command line tools, and setup the keys and routing for it
manually to test whether it works properly? Or is there an easy way to
adapt the openconnect source code to do this?


More information about the openconnect-devel mailing list