On 21.02.2018 at 18:19, Kevin Cernekee wrote:
> On Wed, Feb 21, 2018 at 8:46 AM, Gernot Hillier
> <gernot.hillier at siemens.com> wrote:
>> The vpnc-script used by OpenConnect only supports "split include" rules (default
>> route unchanged, specific VPN routes added). We add support for Pulse's "split
>> exclude" rules (default route to VPN, exclude rules for targets to be connected
>> via normal uplink).
>>
>> For targets specified as split-exclude by the gateway, we add additional routes
>> which keep traffic as-is (i.e. separate from tunnel). On platforms only
>> providing /sbin/route, we guess that those are reached via default gateway.
>
> This might not work if the VPN gateway is pushing split-exclude routes
> such as "192.168.0.0/16" to let clients access e.g. printers on the
> LAN.
>
> It might work better for cases where the client is behind a firewall
> (such as GFW) and doesn't want to tunnel "internal WAN" traffic
> through the VPN.
>
> It may run into trouble on multi-homed systems, or systems that have
> to deal with network changes.
>
> I have had some luck using a dedicated routing table with RTN_THROW
> routes to implement split include + exclude, although plumbing that
> into vpnc-script could be a challenge.
>
>> Please note that IPv6 variant is completely untested as I have no
>> access to according testbeds.
>
> Should be able to set up a $5/mo Linode VM to run ocserv and request a
> /56 prefix. It won't exercise the Pulse code paths, but for routing
> that probably doesn't matter.
>

--
Kind regards,

Gernot Hillier
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux
Otto-Hahn-Ring 6, 81730 München, Germany
Tel.: +49 89 636-634004, Fax: -45450
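As an added illustration of the split-exclude handling described in the quoted patch summary (constructed example code, not the vpnc-script, the patch, or anything from OpenConnect), the POSIX shell functions below emit one route command per excluded target: the iproute2 form on Linux, which pins the target to the pre-tunnel gateway and device, and a plain `route add` fallback for platforms that only ship /sbin/route, where, as the summary says, the target can only be assumed to sit behind the old default gateway. Function and variable names are assumptions, the gateways and prefixes are constructed documentation addresses, and nothing is executed: the commands are printed so the resulting routing changes can be reviewed before they touch a live table.

```shell
#!/bin/sh
# Added example (not vpnc-script code): print the route commands a
# split-exclude hook would run, one per excluded target. Nothing here
# modifies the routing table; output is meant for review only.
#
# Assumed inputs (names are ours, not vpnc-script's):
#   tool  "ip"    -> Linux iproute2: route via the pre-tunnel gateway and device
#         "route" -> platforms with only /sbin/route (BSD-style syntax); we can
#                    only guess that the target is reached via the old default gw
#   gw4 / gw6     pre-tunnel default gateways for IPv4 and IPv6
#   dev           interface of the pre-tunnel default route ("ip" only)

# route_family CIDR -> prints 6 for an IPv6 prefix, 4 otherwise
route_family() {
    case "$1" in
        *:*) echo 6 ;;
        *)   echo 4 ;;
    esac
}

# exclude_route_cmd TOOL GW4 GW6 DEV CIDR -> prints the command for one CIDR
exclude_route_cmd() {
    tool=$1 gw4=$2 gw6=$3 dev=$4 cidr=$5
    fam=$(route_family "$cidr")
    case "$tool" in
        ip)
            if [ "$fam" = 6 ]; then
                echo "ip -6 route add $cidr via $gw6 dev $dev"
            else
                echo "ip route add $cidr via $gw4 dev $dev"
            fi ;;
        route)
            # No way to ask which route currently matches the target, so the
            # old default gateway is assumed (the guess the patch summary makes).
            if [ "$fam" = 6 ]; then
                echo "route add -inet6 $cidr $gw6"
            else
                echo "route add -net $cidr $gw4"
            fi ;;
        *)
            echo "exclude_route_cmd: unsupported tool '$tool'" >&2
            return 1 ;;
    esac
}

# build_exclude_routes TOOL GW4 GW6 DEV "CIDR CIDR ..." -> one command per line
build_exclude_routes() {
    for cidr in $5; do
        exclude_route_cmd "$1" "$2" "$3" "$4" "$cidr" || return 1
    done
}

# Constructed sample: documentation prefixes standing in for what a gateway
# might push as split-exclude rules.
EXCLUDES="10.0.0.0/8 198.51.100.0/24 2001:db8:2::/48"
echo "# Linux (iproute2):"
build_exclude_routes ip 192.0.2.1 2001:db8:1::1 eth0 "$EXCLUDES"
echo "# /sbin/route only:"
build_exclude_routes route 192.0.2.1 2001:db8:1::1 eth0 "$EXCLUDES"
```

Keeping the commands as strings until the whole list has been generated is deliberate: if any entry is malformed or the tool is unknown, the function fails before a partial set of routes has been installed, which is easier to reason about than undoing half an update on a host whose default route has already moved into the tunnel.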