On Mon, Jun 6, 2022 at 1:27 PM Daniel Pou <daniel....@gmail.com> wrote:
>
> I will give it a shot. The possibly oddball thing about VIA, is the
> "hybrid" nature, that it "automatically scans and selects the best,
> secure connection to terminate traffic" where it supports IPSec/SSL.

Yes, that's typical marketing fluff/BS for proprietary VPNs. Most likely, it just means that they…

(a) do the authentication over HTTPS
(b) try to establish a tunnel over ESP-over-UDP (ESP is a component protocol of the IPSec suite)
(c) fall back to an SSL/TLS tunnel if ESP-over-UDP doesn't work

That's entirely equivalent to how Juniper or GlobalProtect work (https://www.infradead.org/openconnect/juniper.html or https://www.infradead.org/openconnect/globalprotect.html). We shouldn't have too much trouble integrating such a protocol into OpenConnect once you've figured out some of the details.

I recently wrote up some documentation on how to analyze proprietary VPN protocols, using tools like mitmproxy: https://www.infradead.org/openconnect/mitm.html

Dan

PS- All or nearly all client-server/remote-access VPNs work in the same fundamental way. The user-visible details could mostly be described as "bugs" or "annoyances". From my 2020 talk on this (https://datapdx.org/2020/08/28/september-2020-openconnect):

- All remote-access VPNs basically work like I’ve just described.
- There are many small differences among end-user client software interfaces, which can be very tedious and annoying if you have to use several VPNs.
- Under the hood, there are tons of essentially superficial differences in the protocols: formatting of configuration data exchange, packet encapsulation; also some functional details that can affect reliability and versatility.
- They have so many common features that it should be possible to write…
  - Software that can connect to all of them in a way that’s entirely equivalent to the end user. → OpenConnect

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel