Hello! I've just begun using OpenConnect from a Linux server and I have to admit that I was pleasantly surprised that I got things up and running so quickly. As a programmer and not a network engineer, it was easy to get lost in the sea of FooSwan and BarSwan the last time I tried to figure out how to connect to a remote VPN. My customer using Cisco AnyConnect gave me some new avenues to try to "just get connected". You have done great work, here, and I thank you. What is frustrating, though, is that vpnc-script ends up setting-up all of the routes that are suggested by the VPN server. As it happens, I need to contact exactly one port on one host via the VPN, and I don't need DNS or anything like that, so I was hoping there was a way to limit the amount of routing and resolver "damage" that the VPN server's laundry list of routes would do. I did notice that there is a vpnc-script-ssh and the documentation sounds encouraging: use that script instead and then you can use ssh tunnels and such to poke individual connections through the VPN connection. Yay! Unfortunately, when I use vpnc-script-ssh, I get an error saying that the netns command is failing possible due to missing kernel support. Here's my kernel info: Linux dev.chadis.com 2.6.32-312-ec2 #24-Ubuntu SMP Fri Jan 7 18:30:50 UTC 2011 x86_64 GNU/Linux This is on Debian Wheezy (current stable), and I built OpenConnect from source rather than install the Debian package which has something like 10,000 dependent packages including Gnome Streaming Media Framework and a whole bunch of other utter garbage. The build went well after installing some -dev packages and everything else seems to be working just fine. The vpnc-scripts have indeed come from the Debian package repository so I would imagine that they have been customized if necessary for my local environment. If I run "ip netns list" or "ip netns monitor", I don't get any errors. "list" gives no output and "monitor" just sits there, presumably monitoring :) Any ideas of what might be the problem with netns for me? Are there ways to limit what the "standard" vpnc-script will change -- e.g. don't change resolver settings and limit static routes to some particular host or netmask or something? Thanks very much, -chris
