Juniper/NC ESP rekey fix
This should fix #322 (closed). This was an immensely tricky issue to identify and solve. Many thanks to @john508 for his patient logging, testing, and bisecting.
This came down to a subtle combination of 2 problems, described further in #322 (comment 702122197).
First, a bug:
- The code for Juniper/Pulse 'dontsend' added in b4f50f8b caused IPv6 packets to get sent over the Juniper oNCP/TLS channel in a completely mangled form, thereby confusing the server and making it not respond to subsequent ESP rekey packets sent over the oNCP/TLS channel.
The fix is to use this code path only for the Pulse protocol, not for the Juniper protocol. Juniper cannot do ESP-over-IPv6 at all, and cannot send tunneled IPv6 packets at all (neither via ESP-over-IPv4, nor via oNCP/TLS).
Second, we introduced a subtle regression against a Juniper server behavior which we weren't previously aware of:
- Juniper servers apparently don't always resend the IP address in a configuration packet, if that configuration packet is for rekey/reconnection only.
To address this, we need to add a special case for Juniper to the install_vpn_opts() function, which was added in 3d845bc9.
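The second problem, modelled as an added example that is not the project's code: a simplified stand-in for the configuration-installing logic (the struct names, fields and functions below are assumptions, not OpenConnect's install_vpn_opts()) shows why a rekey-only config packet that omits the address breaks a naive implementation, and how a Juniper special case that retains the previously negotiated address avoids it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of tunnel configuration state.
 * Not OpenConnect's install_vpn_opts(); names and fields are assumptions. */
enum proto { PROTO_JUNIPER, PROTO_PULSE };

struct vpn_state {
    enum proto proto;
    char ip_addr[64];   /* current tunnel IPv4 address, "" if none yet */
    char dns[64];
};

/* A decoded configuration packet from the server. */
struct config_pkt {
    const char *ip_addr; /* NULL if the server did not include an address */
    const char *dns;     /* NULL if absent */
    int rekey;           /* 1 if this config is for rekey/reconnection only */
};

/* Naive version: every config packet overwrites the whole state.
 * A rekey packet with no address therefore wipes the tunnel address. */
void install_opts_naive(struct vpn_state *st, const struct config_pkt *pkt)
{
    snprintf(st->ip_addr, sizeof st->ip_addr, "%s", pkt->ip_addr ? pkt->ip_addr : "");
    snprintf(st->dns, sizeof st->dns, "%s", pkt->dns ? pkt->dns : "");
}

/* Fixed version: for Juniper, a rekey-only config packet that omits the
 * address keeps the address negotiated at initial connection.
 * Returns 0 on success, -1 if no address is available at all
 * (how other protocols should react is an assumption here). */
int install_opts_fixed(struct vpn_state *st, const struct config_pkt *pkt)
{
    if (pkt->ip_addr) {
        snprintf(st->ip_addr, sizeof st->ip_addr, "%s", pkt->ip_addr);
    } else if (st->proto == PROTO_JUNIPER && pkt->rekey && st->ip_addr[0]) {
        /* Juniper special case: server omitted the address on rekey; retain it. */
    } else {
        return -1;
    }
    if (pkt->dns)
        snprintf(st->dns, sizeof st->dns, "%s", pkt->dns);
    return 0;
}

/* Simulate an initial connection followed by a rekey-only config packet
 * (both packets are constructed sample data). Returns 1 if the tunnel
 * address survives the rekey, 0 otherwise. */
int rekey_preserves_address(enum proto proto, int use_fixed)
{
    struct vpn_state st = { .proto = proto };
    struct config_pkt initial = { "10.0.0.2", "10.0.0.1", 0 }; /* constructed */
    struct config_pkt rekey   = { NULL,       "10.0.0.1", 1 }; /* constructed: no address */

    if (use_fixed) {
        if (install_opts_fixed(&st, &initial) != 0) return 0;
        if (install_opts_fixed(&st, &rekey) != 0) return 0;
    } else {
        install_opts_naive(&st, &initial);
        install_opts_naive(&st, &rekey);
    }
    return strcmp(st.ip_addr, "10.0.0.2") == 0;
}

int main(void)
{
    printf("naive Juniper rekey keeps address: %d\n", rekey_preserves_address(PROTO_JUNIPER, 0));
    printf("fixed Juniper rekey keeps address: %d\n", rekey_preserves_address(PROTO_JUNIPER, 1));
    return 0;
}
```

The naive path loses the address on the second packet because it treats every configuration packet as a complete replacement; the fixed path only falls back to the stored address when the protocol is Juniper, the packet is flagged as rekey-only, and an address was previously installed, so a genuinely missing address on initial connection is still reported as an error.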