On Tue, 2014-12-02 at 13:39 +0100, Nikos Mavrogiannopoulos wrote:
> On Tue, Dec 2, 2014 at 1:04 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > So yeah, this looks like a sane approach.
> > Is it forbidden to set X-CSTP-DynDNS on a full-tunnel configuration?
>
> Not currently, but I should do it. By full tunnel I suppose you mean
> providing a defaultroute right?

Right. In that case, your local routing setup on the client is still going to be sending everything except the *old* server IP down the tunnel. Including packets to the new server IP. So that's never going to work.

(This changes if we switch to using SO_BINDTODEVICE like Android does, instead of playing with the routing table. But that's complex.)

You also can't use X-CSTP-DynDNS if the DNS configuration you are pushing to the client is asking it to use a DNS server *on* the VPN for looking up the hostname of the server. Since you say it's working for you, you evidently aren't doing that, which is nice for you. But let's make sure it's a forbidden combination too.

-- 
dwmw2
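The two forbidden combinations discussed in this message, written out as a server-side check. This is an added example, not code from the original post or from ocserv or OpenConnect. The function name `dyndns_conflicts` and its inputs are hypothetical, the addresses are constructed, and it assumes the caller represents a full tunnel explicitly as `default` and that "a DNS server on the VPN" means a resolver whose address is covered by a pushed route.

```python
import ipaddress


def dyndns_conflicts(routes, dns_servers):
    """Return reasons why X-CSTP-DynDNS must not be sent with this pushed config.

    routes:      CIDR strings (or "default") pushed to the client as tunnel routes.
    dns_servers: IP address strings pushed to the client as resolvers.
    An empty list means the combination is acceptable.
    """
    nets = []
    for r in routes:
        if r == "default":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets.append(ipaddress.ip_network(r, strict=False))

    # Collapse per address family so that 0.0.0.0/1 + 128.0.0.0/1
    # is recognised as a default route in disguise.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)

    reasons = []
    if any(n.prefixlen == 0 for n in merged):
        reasons.append("full tunnel: traffic to the new server IP would enter the tunnel")
    for d in dns_servers:
        addr = ipaddress.ip_address(d)
        if any(addr.version == n.version and addr in n for n in merged):
            reasons.append(f"DNS server {d} is reached through the VPN")
    return reasons


if __name__ == "__main__":
    # Constructed sample configurations.
    print(dyndns_conflicts(["10.0.0.0/8"], ["192.0.2.53"]))
    print(dyndns_conflicts(["default"], []))
    print(dyndns_conflicts(["10.0.0.0/8"], ["10.1.1.1"]))
```

A server would run a check like this before emitting the header and either refuse the configuration or omit X-CSTP-DynDNS when the list is non-empty.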