Feature request: Global Protect connection to Internal Gateway
This may be a feature that goes beyond openconnect's purpose, but I'll ask anyway, as we already investigated it on dlenski's GitHub project.
GlobalProtect can be used as an agent to identify the user on the internal network, allowing the firewall to grant user rights based on LDAP attributes and not on a static IP assignment.
This feature of the GlobalProtect service behaves differently from an external connection, and openconnect in its current version stops with an error message:
GlobalProtect login returned connection-type=notunnel (expected tunnel)
Failed to parse server response
Failed to obtain WebVPN cookie
As we understand it, auth-globalprotect.c needs to be rewritten to handle connection-type=notunnel, and then start a different exchange with the GlobalProtect gateway, providing XML responses that differ from those for an external gateway.
Ideal processing for an internal client is:
- Authentication on GlobalProtect Portal
- Verify that it is connecting with an internal IP (parameters retrieved in the portal getconfig response)
- Authentication on GlobalProtect Internal Gateway
- Do not create any VPN tunnel and do not modify the client routing table
- Send HIP reports periodically as a keepalive
Both the external and internal exchanges from the Windows client are described here: https://pastebin.com/ptbxu42t
I have no idea whether those changes are significant to the code, as I'm not a developer. We figured out a way to perform the same identification without GlobalProtect, so I'm not waiting for this, but if someone is willing to implement those changes, I can still help with testing.
Regards
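To make the requested client behaviour concrete, here is an added example (not openconnect code, and not taken from the request above or the linked pastebin) that models the decision the steps above describe: parse the internal-network ranges from a portal getconfig response, read the connection-type from the gateway login response, and only enter an identify-only mode (no tunnel, no route changes, HIP-report keepalive) when the login says notunnel and the client really is on an internal address. The XML element names (`internal-host-detection`, `ip-address`, `connection-type`) and both sample documents are constructed for this example and are not the real GlobalProtect schema; the keepalive interval is likewise an assumed default.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a portal getconfig response. Element names are assumptions
# for this example, not the real GlobalProtect schema.
PORTAL_GETCONFIG = """<policy>
  <internal-host-detection>
    <ip-address>10.0.0.0/8</ip-address>
    <ip-address>192.168.10.0/24</ip-address>
  </internal-host-detection>
</policy>"""

# Constructed gateway login responses for the two cases the request describes.
LOGIN_INTERNAL = '<response status="success"><connection-type>notunnel</connection-type></response>'
LOGIN_EXTERNAL = '<response status="success"><connection-type>tunnel</connection-type></response>'

HIP_KEEPALIVE_SECONDS = 300  # assumed default; a real client would take this from the gateway config


def internal_networks(getconfig_xml):
    """Return the internal address ranges advertised in the (constructed) getconfig response."""
    root = ET.fromstring(getconfig_xml)
    return [ipaddress.ip_network(e.text.strip()) for e in root.iter("ip-address")]


def is_internal_client(client_ip, networks):
    """True when the client's source address lies inside one of the internal ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def connection_type(login_xml):
    """Extract connection-type ('tunnel' or 'notunnel') from the login response."""
    root = ET.fromstring(login_xml)
    node = root.find("connection-type")
    return node.text.strip() if node is not None and node.text else None


def select_mode(client_ip, getconfig_xml, login_xml):
    """Decide how the client should proceed after portal and gateway authentication.

    Returns a dict describing the mode; raises ValueError when the gateway's answer
    is inconsistent with where the client actually is, so a caller never silently
    skips the tunnel for a host that is not on the internal network.
    """
    ctype = connection_type(login_xml)
    internal = is_internal_client(client_ip, internal_networks(getconfig_xml))

    if ctype == "tunnel":
        # External gateway: the normal VPN path, routes are installed.
        return {"mode": "tunnel", "modify_routes": True, "keepalive": "dpd"}

    if ctype == "notunnel":
        if not internal:
            raise ValueError("gateway returned notunnel but client address is not internal")
        # Internal gateway: identify the user only, leave routing untouched and
        # keep the session alive with periodic HIP reports.
        return {
            "mode": "identify-only",
            "modify_routes": False,
            "keepalive": "hip-report",
            "keepalive_interval": HIP_KEEPALIVE_SECONDS,
        }

    raise ValueError(f"unexpected connection-type {ctype!r}")


def next_hip_report_times(start, count, interval=HIP_KEEPALIVE_SECONDS):
    """Schedule of HIP-report send times (seconds) for the identify-only keepalive."""
    return [start + interval * i for i in range(1, count + 1)]


if __name__ == "__main__":
    print(select_mode("10.4.5.6", PORTAL_GETCONFIG, LOGIN_INTERNAL))
    print(select_mode("203.0.113.7", PORTAL_GETCONFIG, LOGIN_EXTERNAL))
    print(next_hip_report_times(0, 3))
```

The refusal in `select_mode` is the important part from a security standpoint: an identify-only session grants firewall rights on the basis of the login, so a client should not accept a notunnel answer unless the internal-IP check from the getconfig response also holds.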