> Ivanti Connect Secure release 8.0 and later supports Pulse client access
> to the IPv6 corporate network using VPN Tunneling Connection Profile
> features.
In order to enable IPv6 support, while not misinforming the server about its
identity to an unnecessary disagree, OpenConnect should therefore include an
official-looking prefix ("Pulse-Secure/9.0.3.1667 " for now) in front of its
default user-agent string.
Signed-off-by: Daniel Lenski <email address hidden>
Newer Pulse servers can disable their ESP protocol layering malpractice
See b4f50f8bd5da7e6ac926ddd5095501edbc204cd0 for the way that the Pulse ESP
tunnel is mangled. In brief, if the Pulse ESP tunnel is running over IPvX,
then it will only transport tunnelled packets of address family IPvX;
tunnelled packets of IPvY must go over the TLS/TCP tunnel.
In addition to being a complete inversion of the abstraction of a protocol
with independent layers:
- This results in poor performance for tunnelled IPvY packets (TCP-over-TCP)
- Our original implementation of this caused a regression for the
Juniper/NC ESP tunnel (fixed in 3d1ec6e0a126d4b9fdd18473558cf816d2045b76).
If the server sends a "tokeninfo-style" 2FA request (`ret=N,…,tokeninfo=…`)
with the special value `tokeninfo=ftm_push`, then it means that it
can (optionally!) use mobile-device "push"-based authentication instead of
having the user enter a token code.
If (and only if) the user leaves the token code blank, we must (1) remove
`magic` from the response and (2) add `ftmpush=1`, in order to trigger the
correct response.
This also adds a "type_2fa=ftmpush" mode to our fake Fortinet server, and
simulates this option in our tests.
The timeout command (from coreutils) can replace the more complex
job-control-based approach which we current use to limit the execution time
of the Trojan binary (`cstub`).
Signed-off-by: Andy Teijelo Pérez <email address hidden>
Signed-off-by: Daniel Lenski <email address hidden>