Hi!

(Sorry for the duplicated answer, hit the wrong button while sitting in a shaky train... :-( )

On 21.02.2018 at 18:19, Kevin Cernekee wrote:
> On Wed, Feb 21, 2018 at 8:46 AM, Gernot Hillier
> <gernot.hillier at siemens.com> wrote:
>> The vpnc-script used by OpenConnect only supports "split include" rules (default
>> route unchanged, specific VPN routes added). We add support for Pulse's "split
>> exclude" rules (default route to VPN, exclude rules for targets to be connected
>> via normal uplink).
>>
>> For targets specified as split-exclude by the gateway, we add additional routes
>> which keep traffic as-is (i.e. separate from tunnel). On platforms only
>> providing /sbin/route, we guess that those are reached via default gateway.
>
> This might not work if the VPN gateway is pushing split-exclude routes
> such as "192.168.0.0/16" to let clients access e.g. printers on the
> LAN.

Yes, I know that this approach will fail in special cases, but I have no
idea how this could be implemented if we only have /sbin/route. I don't
think manually interpreting the routing table is the way to go, so I would
need a way to query the system how it would route packets to a certain
target. Any ideas?

-- 
Gernot Hillier
Siemens AG, Corporate Competence Center Embedded Linux
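
Added example, not part of the original message or of vpnc-script: a sketch of asking the system for its routing decision and telling a gateway route apart from a directly connected one, which is the LAN case raised in the quoted reply. It assumes `ip route get` (iproute2) or `route -n get` (BSD/macOS) is available; the function names and sample outputs are constructed.

```shell
#!/bin/sh
# Added example: function names and sample outputs are constructed for illustration.
# Constructed `ip route get` output (Linux iproute2): LAN host, then remote host.
SAMPLE_IP_ONLINK='192.168.1.20 dev eth0 src 192.168.1.5 uid 1000'
SAMPLE_IP_VIA='203.0.113.7 via 192.168.1.1 dev eth0 src 192.168.1.5 uid 1000'
# Constructed `route -n get` output (BSD/macOS): remote host, then LAN host.
SAMPLE_BSD_VIA='   route to: 203.0.113.7
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: en0'
SAMPLE_BSD_ONLINK='   route to: 192.168.1.20
destination: 192.168.1.0
       mask: 255.255.255.0
  interface: en0'

# Parse one lookup result ($1) from either tool. Prints "gateway <gw> dev <if>"
# or "direct dev <if>"; returns non-zero if no interface could be found.
parse_route_lookup() {
    printf '%s\n' "$1" | awk '
        # BSD/macOS style: one "key: value" pair per line
        $1 == "gateway:"   { gw = $2 }
        $1 == "interface:" { dev = $2 }
        # iproute2 style: "via <gw>" and "dev <if>" tokens on one line
        {
            for (i = 1; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
        }
        END {
            if (dev == "") exit 1
            if (gw != "") print "gateway " gw " dev " dev
            else          print "direct dev " dev
        }'
}

# Live lookup for target $1. Linux net-tools /sbin/route has no "get"
# subcommand, so the fallback branch only helps on BSD-style systems.
lookup_route() {
    if command -v ip >/dev/null 2>&1; then
        ip route get "$1"
    else
        route -n get "$1"
    fi
}
```

A caller would run `parse_route_lookup "$(lookup_route "$target")"` before the tunnel routes are installed, so the answer reflects the pre-VPN routing table.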