G'day,

I was wondering why my VPN (ASA 9.1.x), which is configured with IPv6 split tunnelling, was still only seeing an IPv6 default route with OpenConnect.

Turns out it's a simple fix as most of the work has already been done. See attached patch.

The vpnc-script at [0] already supports CISCO_IPV6_SPLIT_INC and friends. process_split_xxclude() in tun.c also supports recognising IPv6 addresses and passing them off into said environment variables.

One missing link was that the "X-CSTP-Full-IPv6-Capability: true" header was not sent (required for the ASA to send IPv6 split routes).

The other was that start_cstp_connection() in cstp.c was assuming that both IPv4 and IPv6 split routes would be listed in the "Split-Include" / "Split-Exclude" headers. In fact, the ASA sends "Split-Include-IP6" / "Split-Exclude-IP6" headers, e.g.:

    X-CSTP-Split-Include: 192.168.1.0/255.255.255.0
    X-CSTP-Split-Include: 192.168.2.0/255.255.255.0
    X-CSTP-Split-Include-IP6: 2001:db8:1000:1001::/64
    X-CSTP-Split-Include-IP6: 2001:db8:1000:1002::/64

There is not much need to separate these internally, given that process_split_xxclude() already assumes they are combined, so it was a simple matter to just do a little 'or' operator as you will see in the patch.

Cheers,
Jeremy.

--
[0] <http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cstp.c.patch
Type: text/x-patch
Size: 1388 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20131230/5c5709e5/attachment.bin>
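
The header handling described in the message above, as an added example that is neither OpenConnect source nor the attached patch: both spellings of each split header map to one kind, and the server-supplied route is syntax-checked before it would be handed to a routing script. The function names classify_split() and route_family() are hypothetical, the validation step goes beyond what the message describes, and the sample line is constructed from the headers quoted in the message.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
enum split_kind { SPLIT_NONE, SPLIT_INCLUDE, SPLIT_EXCLUDE };

/* Both header spellings map to one kind, so IPv4 and IPv6 routes share a list. */
static enum split_kind classify_split(const char *line, const char **val)
{
    static const char *names[] = { "X-CSTP-Split-Include:", "X-CSTP-Split-Include-IP6:",
                                   "X-CSTP-Split-Exclude:", "X-CSTP-Split-Exclude-IP6:" };
    for (size_t i = 0; i < 4; i++) {
        size_t n = strlen(names[i]);
        if (strncasecmp(line, names[i], n) == 0) {
            *val = line + n + strspn(line + n, " \t");  /* skip blanks after the colon */
            return i < 2 ? SPLIT_INCLUDE : SPLIT_EXCLUDE;
        }
    }
    return SPLIT_NONE;
}

/* Syntax check only: returns 4 (addr/netmask), 6 (addr/prefix-length) or 0 if malformed. */
static int route_family(const char *route)
{
    char addr[INET6_ADDRSTRLEN], *end;
    unsigned char bin[sizeof(struct in6_addr)];
    const char *slash = strchr(route, '/');
    size_t len = slash ? (size_t)(slash - route) : 0;
    if (len == 0 || len >= sizeof(addr))
        return 0;
    memcpy(addr, route, len);
    addr[len] = '\0';
    if (!strchr(addr, ':'))   /* IPv4 carries a dotted netmask after the slash */
        return (inet_pton(AF_INET, addr, bin) == 1 &&
                inet_pton(AF_INET, slash + 1, bin) == 1) ? 4 : 0;
    long plen = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || plen < 0 || plen > 128)
        return 0;
    return inet_pton(AF_INET6, addr, bin) == 1 ? 6 : 0;
}

int main(void)
{
    const char *v = NULL;  /* constructed sample line, same shape as quoted in the message */
    enum split_kind k = classify_split("X-CSTP-Split-Include-IP6: 2001:db8:1000:1001::/64", &v);
    printf("kind=%d family=%d\n", k, k != SPLIT_NONE ? route_family(v) : 0);
    return 0;
}
```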