Add DTLS support #24

Open
kayrus opened this issue Jan 18, 2021 · 8 comments
Comments


kayrus commented Jan 18, 2021

@jocado , can you test the DTLS support and tell me whether it works for you?
The config file should have the dtls: true option enabled.
Alternatively please provide me with debug logs (don't forget to mask credentials and upload the logs to https://gist.github.com).


jocado commented Jan 19, 2021

@kayrus Sure, not sure about logs but testing at least should be fine. Just setting up to test.


kayrus commented Jan 19, 2021

@jocado

```text
$ gof5 -h
Usage of gof5:
  -close-session
        Close HTTPS VPN session on exit
  -debug
        Show debug logs
  -password string

  -select
        Select a server from available F5 servers
  -server string

  -session string
        Reuse a session ID
  -username string

  -version
        Show version and exit cleanly
```

Adding -debug will print verbose logs


jocado commented Jan 19, 2021

Yes, I understand that! I mean I may not be able to submit them :) [ unless I can be very sure about the contents ]


jocado commented Jan 19, 2021

@kayrus

After verifying the client works without DTLS [ I hadn't actually got round to trying it out yet ], which it did, I then tried with DTLS.

It didn't work. It waited at `Connecting to ...` and eventually failed with:

`failed to dial foo.bar.com:4433: handshake error: context deadline exceeded`

I did a packet capture with gof5 and the official F5 client for comparison, and found the issue quite quickly.
The official client is using DTLS1.0, whereas gof5 is using DTLS1.2.

When I took a look at the code, I saw that the DTLS library only supports DTLS1.2: https://github.com/pion/dtls#excluded-features

It looks like F5 have only recently started supporting DTLS1.2, but it should be available to use as of last October. I've asked the team responsible for the device if we plan on enabling DTLS1.2 any time soon. I am awaiting a response, and will let you know when I am in a position to test it.

One other point. I noticed in the returned XML from the gateway, `<tunnel_dtls>1</tunnel_dtls>`. I was wondering if you had any concrete info on what that represents: is it the DTLS version or just that it's supported?
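The capture comparison described in the comment above comes down to reading the version fields of the first DTLS handshake flight. The following is an added example, not code from gof5, pion/dtls or the F5 client: it parses the DTLS record header and the ClientHello/ServerHello body (RFC 6347 framing) and reports both the record-layer version and the version advertised inside the hello, which is the field that distinguishes a DTLS 1.0 client (0xfeff) from a DTLS 1.2 client (0xfefd). The two packets it runs on are constructed samples; that the official client sends 0xfeff and gof5 sends 0xfefd is the issue reporter's observation, assumed here for the sample, not something this code verifies against real traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DTLS version numbers are the ones' complement of the TLS version they
// derive from: DTLS 1.0 -> 0xfeff (TLS 1.1 based), DTLS 1.2 -> 0xfefd.
const (
	DTLS10 uint16 = 0xfeff
	DTLS12 uint16 = 0xfefd

	contentTypeHandshake = 22
	handshakeClientHello = 1
	handshakeServerHello = 2
	recordHeaderLen      = 13 // type(1) version(2) epoch(2) seq(6) length(2)
	handshakeHeaderLen   = 12 // type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)
)

// HelloVersions holds the two version fields worth comparing across captures.
type HelloVersions struct {
	MessageType   byte   // 1 = ClientHello, 2 = ServerHello
	RecordVersion uint16 // record-layer version; the first flight often says DTLS 1.0 regardless
	HelloVersion  uint16 // client_version / server_version inside the hello body
}

// VersionName maps a DTLS version number to a readable label.
func VersionName(v uint16) string {
	switch v {
	case DTLS10:
		return "DTLS 1.0"
	case DTLS12:
		return "DTLS 1.2"
	default:
		return fmt.Sprintf("unknown (0x%04x)", v)
	}
}

// ParseHello parses one DTLS record carrying an unfragmented ClientHello or
// ServerHello and returns the versions it carries. Every length field is
// checked before the slice is taken, so a truncated capture returns an error
// rather than panicking.
func ParseHello(pkt []byte) (HelloVersions, error) {
	var hv HelloVersions
	if len(pkt) < recordHeaderLen {
		return hv, errors.New("short record header")
	}
	if pkt[0] != contentTypeHandshake {
		return hv, fmt.Errorf("not a handshake record (content type %d)", pkt[0])
	}
	hv.RecordVersion = binary.BigEndian.Uint16(pkt[1:3])
	recLen := int(binary.BigEndian.Uint16(pkt[11:13]))
	frag := pkt[recordHeaderLen:]
	if len(frag) < recLen || recLen < handshakeHeaderLen {
		return hv, errors.New("truncated record")
	}
	frag = frag[:recLen]
	hv.MessageType = frag[0]
	if hv.MessageType != handshakeClientHello && hv.MessageType != handshakeServerHello {
		return hv, fmt.Errorf("handshake type %d is not a hello", hv.MessageType)
	}
	msgLen := int(frag[1])<<16 | int(frag[2])<<8 | int(frag[3])
	fragOff := int(frag[6])<<16 | int(frag[7])<<8 | int(frag[8])
	fragLen := int(frag[9])<<16 | int(frag[10])<<8 | int(frag[11])
	if fragOff != 0 || fragLen != msgLen {
		return hv, errors.New("fragmented hello; reassemble before parsing")
	}
	body := frag[handshakeHeaderLen:]
	if len(body) < fragLen || fragLen < 2 {
		return hv, errors.New("truncated hello body")
	}
	hv.HelloVersion = binary.BigEndian.Uint16(body[0:2])
	return hv, nil
}

func putU16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildClientHello constructs a minimal, well-formed DTLS ClientHello record
// for the sample run: zero random, empty session_id and cookie, one cipher
// suite, null compression. This is constructed data, not captured traffic.
func buildClientHello(recordVersion, clientVersion uint16) []byte {
	body := putU16(nil, clientVersion)
	body = append(body, make([]byte, 32)...) // random
	body = append(body, 0, 0)                // session_id len, cookie len
	body = append(body, 0, 2, 0xc0, 0x2f)    // cipher_suites: one suite
	body = append(body, 1, 0)                // compression_methods: null
	n := len(body)
	hs := []byte{handshakeClientHello, byte(n >> 16), byte(n >> 8), byte(n),
		0, 0, 0, 0, 0, byte(n >> 16), byte(n >> 8), byte(n)} // msg_seq, frag_off, frag_len
	hs = append(hs, body...)
	rec := putU16([]byte{contentTypeHandshake}, recordVersion)
	rec = append(rec, 0, 0, 0, 0, 0, 0, 0, 0) // epoch + sequence_number
	rec = putU16(rec, uint16(len(hs)))
	return append(rec, hs...)
}

func main() {
	// Assumed behaviour from the issue: official client at 1.0, gof5 (pion/dtls) at 1.2.
	for _, s := range []struct {
		name string
		pkt  []byte
	}{
		{"official client (assumed)", buildClientHello(DTLS10, DTLS10)},
		{"gof5 / pion (assumed)", buildClientHello(DTLS10, DTLS12)},
	} {
		hv, err := ParseHello(s.pkt)
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%-26s record=%s hello=%s\n", s.name, VersionName(hv.RecordVersion), VersionName(hv.HelloVersion))
	}
}
```

Feed `ParseHello` the UDP payload of the first packet from each side of a capture; the `HelloVersion` of the ClientHello is the client's maximum, and the `HelloVersion` of the ServerHello is what the gateway actually selected, so comparing those two values between the official client's capture and gof5's is enough to confirm a version mismatch without sharing the captures themselves.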


kayrus commented Jan 19, 2021

@jocado can you share both official client and gof5 DTLS traffic dump before they send PPP packets? Or send it to my email? (you can find it in git log)


jocado commented Jan 19, 2021

@kayrus I'm afraid I do have to be quite careful about what I can share because of security policy etc, I hope you understand.

If you tell me what info you are looking for, perhaps I can check for you without providing the actual captures.


kayrus commented Jan 19, 2021

@jocado I don't know what I'm looking for. I never worked with DTLS and I don't know the actual data format being transferred between F5 client and server. In this situation you can try to modify the code yourself and perform tests.
You can also try to test this package: https://github.com/pixelbender/go-dtls


jocado commented Jan 19, 2021

@kayrus I would be happy to try and get it working, however it looks like the current DTLS library is more maintained and has more contributors. Also, DTLS1.0 is based on TLS1.1. Taking all that info into account, IMO it's probably better to wait until I, or someone else, can test it on a gateway that supports it.

Unfortunately, it looks like that won't be me in the short term, but I would hope at some point this year our device will support DTLS1.2, at which point I'd be happy to come back to this.

I will also post back on the issue in the other project where you found me, and see if anyone else can help test.
