Commit
This is fairly straightforward once you spot the "13" at the end of the first DTLS packet. Without that, we can *send* data and even do keepalives, but the worker process on the server would crash the moment it has actual *packets* to send back to us.

Like fairly much every other SSL VPN using anonymous DTLS, they don't cope well with that first DTLS packet (or the response to it) being lost. We don't get anything back if we resend it. And if we send a keepalive that *might* elicit a response... or might cause them to tear down the connection if they haven't seen the initial auth packet yet.

So... we send only the auth packet first. If we don't see a response we send the auth packet *and* a keepalive in quick succession. If we start seeing IP packets (which includes the keepalive, as that's Legacy IP protocol #0xff), we jump to DTLS_ESTABLISHED state too.

We also need to send a 'dtls off' packet when we want it to switch back to sending over TCP, much like the oNCP queue_esp_control().

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
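As an added illustration, not code from this commit or from OpenConnect, here is a simplified Python model of the bring-up sequence the message describes: the auth packet goes out alone on the first attempt, auth plus keepalive on the next timeout, and the state jumps to DTLS_ESTABLISHED as soon as any Legacy IP packet comes back, whether it is a keepalive (protocol 0xff) or real data. The auth packet bytes, the 'dtls off' bytes and the class/state names are placeholders I chose for the example.

```python
# Added illustration only; the real packet formats live in OpenConnect, not here.
CONNECTING, ESTABLISHED, OFF = "DTLS_CONNECTING", "DTLS_ESTABLISHED", "DTLS_OFF"

# Constructed sample payloads (20-byte IPv4 headers, no options, no checksum).
# Byte 9 of an IPv4 header is the protocol field: 0xff marks the keepalive.
KEEPALIVE = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 0xFF]) + bytes(10)
DATA_PKT = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6]) + bytes(30)  # TCP inside
AUTH_PKT = b"AUTH-PLACEHOLDER"        # stand-in for the real first DTLS packet
DTLS_OFF_PKT = b"DTLS-OFF-PLACEHOLDER"  # stand-in for the 'dtls off' control packet


def is_ip_packet(payload: bytes) -> bool:
    """True if a decrypted DTLS payload looks like a Legacy IP (IPv4) packet."""
    return len(payload) >= 20 and (payload[0] >> 4) == 4 and (payload[0] & 0xF) >= 5


def is_keepalive(payload: bytes) -> bool:
    """Keepalives are IPv4 packets whose protocol field is 0xff."""
    return is_ip_packet(payload) and payload[9] == 0xFF


class DtlsBringup:
    """Tracks what to send on each timeout and when the tunnel counts as up."""

    def __init__(self) -> None:
        self.state = CONNECTING
        self.attempts = 0
        self.sent: list[bytes] = []   # everything handed to the DTLS socket

    def timeout(self) -> list[bytes]:
        """Called on each retry timer. Returns the packets queued this round."""
        if self.state != CONNECTING:
            return []
        self.attempts += 1
        # First try: auth packet only, so an unauthenticated keepalive
        # cannot make the server tear the session down.
        batch = [AUTH_PKT] if self.attempts == 1 else [AUTH_PKT, KEEPALIVE]
        self.sent.extend(batch)
        return batch

    def receive(self, payload: bytes) -> str:
        """Classify an inbound payload; any IP packet proves the path works."""
        if not is_ip_packet(payload):
            return "ignored"
        self.state = ESTABLISHED
        return "keepalive" if is_keepalive(payload) else "data"

    def switch_to_tcp(self) -> bytes:
        """Tell the server to stop sending over DTLS, like queue_esp_control()."""
        self.state = OFF
        self.sent.append(DTLS_OFF_PKT)
        return DTLS_OFF_PKT
```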