SSL-only Juniper VPN that supports SSL DEFLATE compression?
Daniel Lenski
dlenski at gmail.com
Wed Jan 11 20:01:20 PST 2017

I am doing battle with a Juniper VPN that only allows SSL connections.
It works with OpenConnect, but it's very slow.
The official Windows client is slightly faster, and reports that it is
using "Transport: SSL" with "Compression: DEFLATE".

It appears that OpenConnect v7.08 doesn't currently support oNCP
compression. I was trying to figure out if this could quickly be
hacked in. I took a look at the config TLV values shown by openconnect
for my VPN:

# openconnect --prot=nc -C DSID=abc123 vpn.server.com --dump -vvv
Read 3 bytes of SSL record
Read 344 bytes of SSL record
Got KMP message 301 of length 322
Got KMP message 301 of size 322
Unknown TLV group 3 attr 1 len 1: 00
Unknown TLV group 3 attr 1 len 2: 01
Received SSL compression: DEFLATE
Received split include route 172.20.134.38/255.255.255.255
Received split include route 172.19.65.83/255.255.255.255
Received split include route 172.19.65.84/255.255.255.255
Received split include route 172.19.65.85/255.255.255.255
Received split include route 172.19.65.86/255.255.255.255
Received split include route 172.19.65.87/255.255.255.255
Received split include route 172.19.65.88/255.255.255.255
Received split include route 172.19.65.89/255.255.255.255
Received split include route 172.19.65.90/255.255.255.255
Received split exclude route x.x.x.x/255.255.255.0
Received MTU 1400 from server
Received DNS server x.x.x.1
Received DNS server x.x.x.2
Received DNS search domain company.com
Unknown TLV group 2 attr 3 len 4: 01 00 00 00
Received internal IP address x.x.x.x
Received netmask 255.255.255.255
Received internal gateway address x.x.x.x
Set up DTLS failed; using SSL instead

One value stands out to me:

Unknown TLV group 3 attr 2 len 1: 01

In the other logs I've found (e.g.
http://lists.infradead.org/pipermail/openconnect-devel/2015-April/002878.html)
this field has a value of 0.

Does anyone else use a Juniper VPN that supports *SSL* DEFLATE
compression? Does it return the same config value? Any hint that I'm
on the right track would be appreciated.

I haven't yet figured out any way to induce the server to respond with
DEFLATE-compressed packets.

Thanks,
Dan
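
The comparison described in the message above can be scripted. The following is an added example, not part of the original post and not OpenConnect code: it parses the "Unknown TLV" debug lines from two logs and reports which attributes differ. `MY_LOG` is copied from the post; `OTHER_LOG` is a constructed baseline in which group 3 attr 2 is 0 (as the post says other logs show) and the remaining lines are assumed for illustration.

```python
import re

# Matches the "Unknown TLV" debug lines as they appear in the log above.
TLV_RE = re.compile(
    r"Unknown TLV group (\d+) attr (\d+) len (\d+):((?: [0-9a-fA-F]{2})*)\s*$")

# Lines copied from the log in the post.
MY_LOG = """\
Unknown TLV group 3 attr 1 len 1: 00
Unknown TLV group 3 attr 1 len 2: 01
Received SSL compression: DEFLATE
Unknown TLV group 2 attr 3 len 4: 01 00 00 00
Unknown TLV group 3 attr 2 len 1: 01
"""

# CONSTRUCTED baseline: only "group 3 attr 2 = 0" is taken from the post;
# the other two lines are assumed to match so the diff isolates that field.
OTHER_LOG = """\
Unknown TLV group 3 attr 1 len 1: 00
Unknown TLV group 3 attr 2 len 1: 00
Unknown TLV group 2 attr 3 len 4: 01 00 00 00
"""

def parse_unknown_tlvs(log_text):
    """Return ({(group, attr): value_bytes}, [lines whose len != byte count])."""
    tlvs, malformed = {}, []
    for line in log_text.splitlines():
        m = TLV_RE.search(line)
        if not m:
            continue  # not an "Unknown TLV" line
        group, attr, length = (int(x) for x in m.group(1, 2, 3))
        value = bytes.fromhex(m.group(4).replace(" ", ""))
        if len(value) != length:
            malformed.append(line.strip())  # declared length disagrees with data
            continue
        tlvs[(group, attr)] = value
    return tlvs, malformed

def diff_tlvs(mine, other):
    """Return {(group, attr): (my_value, other_value)} for attributes that differ."""
    return {k: (mine.get(k), other.get(k))
            for k in sorted(mine.keys() | other.keys())
            if mine.get(k) != other.get(k)}

if __name__ == "__main__":
    mine, bad = parse_unknown_tlvs(MY_LOG)
    other, _ = parse_unknown_tlvs(OTHER_LOG)
    for (group, attr), (a, b) in diff_tlvs(mine, other).items():
        print(f"group {group} attr {attr}: mine={a.hex() if a else None} "
              f"other={b.hex() if b else None}")
    print("length mismatch, skipped:", bad)
```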