On Sat, Apr 20, 2024 at 12:35 PM Peter Tulpen <ptul...@emailn.de> wrote:
> Hello, we want to use openconnect to connect to our company network and have 
> 2 modes:
> - always have a connection to our management server based on a client 
> certificate, so the management server can scan it: basic connection
> - when a user needs resources, let him log in via 2FA: user connection
>
> This could be done with 2 tunnels, but is there a more elegant way, like 
> always having the basic connection switch to the "user connection" on demand 
> (and falling back to the basic connection when the "user connection" is gone)?

What exactly is wrong with 2 tunnels? This would almost certainly be
the most reliable, straightforward, and composable way to implement
what you want.

Without explicit support for this "mode-switching" IN THE VPN SERVER,
the graceful transition and fallback between the 2 tunnels would
likely be VERY difficult to implement.

Within the OpenConnect client, we have enough trouble ensuring
graceful fallback between TLS- and ESP/DTLS-based tunnels of a single
ALREADY-AUTHENTICATED logical client session. We regularly discover
new quirks and inconsistencies within the supported VPN protocols that
make this a challenge.

On Mon, Apr 22, 2024 at 6:31 AM Peter Tulpen <ptul...@emailn.de> wrote:
> the server is a Palo Alto Prisma

I wrote [almost all of] the support for the Palo Alto / GlobalProtect
protocol in the OpenConnect *client*
(https://www.infradead.org/openconnect/globalprotect.html). However, I
know ABSOLUTELY NOTHING about how GlobalProtect *servers* work, or how
they're configured… other than what I can infer from the numerous
bugs, security holes, and inconsistencies that I've encountered over
the years. 😬

> To avoid the issue of having a connection in a connection, I hope split 
> tunneling and clever routing rules should be sufficient.

Yes, I think you're on the right track here. Set up 2 separate tunnels,
and ensure that the routes they require don't overlap or interfere
with each other.


Daniel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
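The advice above to keep the two tunnels' routes from overlapping is easy to state and easy to get wrong once each gateway pushes its own split-include list. The following is an added example, not code from this thread or from the OpenConnect project: it takes the route lists of a "management" tunnel and a "user" tunnel as CIDR strings, reports every pair of prefixes that overlap, flags a pushed default route, and simulates the kernel's longest-prefix match so you can see which tunnel would carry a given destination. All prefixes are constructed for illustration; in practice they would come from each gateway's split-include configuration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample split-include routes for the two-tunnel design from the
# thread (hypothetical prefixes, not taken from any real gateway):
#   - "management": the always-on, certificate-authenticated tunnel
#   - "user": the on-demand 2FA tunnel to company resources
MANAGEMENT_ROUTES = ["10.200.0.0/24", "10.201.5.0/24"]
USER_ROUTES_BAD = ["10.0.0.0/8", "192.168.50.0/24"]  # /8 swallows the management prefixes
USER_ROUTES_OK = ["10.0.0.0/9", "10.128.0.0/10", "192.168.50.0/24"]  # stops short of 10.200/10.201


def parse_routes(routes: List[str]):
    """Turn CIDR strings into network objects (a bare host becomes a /32 or /128)."""
    return [ipaddress.ip_network(r, strict=False) for r in routes]


def find_overlaps(a_routes: List[str], b_routes: List[str]) -> List[Tuple[str, str]]:
    """Return every (a, b) prefix pair where a route from one tunnel overlaps a
    route from the other. Overlap covers identical prefixes and containment in
    either direction; an address family is only compared with itself."""
    conflicts = []
    for a in parse_routes(a_routes):
        for b in parse_routes(b_routes):
            if a.version == b.version and a.overlaps(b):
                conflicts.append((str(a), str(b)))
    return conflicts


def has_default_route(routes: List[str]) -> bool:
    """True if a tunnel pushes 0.0.0.0/0 or ::/0: that is not split tunneling at
    all, and it will compete with every other route on the host."""
    return any(net.prefixlen == 0 for net in parse_routes(routes))


def which_tunnel(dest: str, tunnels: Dict[str, List[str]]) -> Optional[str]:
    """Simulate the kernel's longest-prefix match for one destination address.

    Returns the name of the tunnel whose most specific prefix contains dest,
    or None if no tunnel claims it. If two tunnels tie on the same prefix
    length the kernel would decide by metric or insertion order, which is the
    ambiguity to design out, so that case raises instead of guessing.
    """
    addr = ipaddress.ip_address(dest)
    best_len = -1
    best_name = None
    tie = False
    for name, routes in tunnels.items():
        for net in parse_routes(routes):
            if net.version != addr.version or addr not in net:
                continue
            if net.prefixlen > best_len:
                best_len, best_name, tie = net.prefixlen, name, False
            elif net.prefixlen == best_len and name != best_name:
                tie = True
    if tie:
        raise ValueError(f"{dest} matched a /{best_len} in more than one tunnel")
    return best_name


if __name__ == "__main__":
    print("bad user routes vs management:", find_overlaps(MANAGEMENT_ROUTES, USER_ROUTES_BAD))
    print("ok  user routes vs management:", find_overlaps(MANAGEMENT_ROUTES, USER_ROUTES_OK))
    tunnels = {"management": MANAGEMENT_ROUTES, "user": USER_ROUTES_OK}
    for ip in ("10.200.0.5", "10.50.1.1", "8.8.8.8"):
        print(ip, "->", which_tunnel(ip, tunnels))
```

Run it once with the lists both gateways actually push; an empty result from find_overlaps and no default route on either side is the condition the reply above is asking for. The which_tunnel check is useful as a second line of defence: a more specific management prefix still wins over a broad user prefix, but two tunnels pushing the identical prefix leaves the outcome to route metrics, which is exactly the fallback behaviour the thread warns is hard to make graceful.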
