Hi all,

Has anyone successfully used the official vpnc-script on macOS with a split-tunnel VPN? (git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script)

The reason I'm asking is because of an issue reported by multiple users with openconnect+GlobalProtect: https://github.com/dlenski/openconnect/issues/93

These users have found that the official vpnc-script fails to add an explicit route to the local gateway, before creating the VPN split-tunnel routes, causing all networking to fail: there's no route to the VPN gateway, and all other traffic is routed via that gateway. :-P

Dominik Strebel (cc'ed) was able to narrow down the problem further:

* A recent openconnect and vpnc-script works fine with any AnyConnect VPN (that *does not* use split tunneling), but shows the above issue with a GlobalProtect VPN that *does* use split tunneling.
* I've seen the environment variables set for the VPNs he's testing it against. Everything looks perfectly reasonable in both cases. The only meaningful differences that I see are that:
  (a) the GP VPN includes a "split"-tunnel with a default route (0.0.0.0/0)
  (b) the GP VPN has a /32 netmask (pretty normal with split-tunnel, I think) while the AnyConnect VPN has a /24 netmask.

I suspect that there may be something which doesn't work quite right in the set_vpngateway_route() function in the vpnc-script, but I don't have a macOS system on which to test it.

Anyone else have experience with success/failure with openconnect + vpnc-script + macOS + split-tunnel?

Thanks,
Dan

User's GP VPN with split tunnel:

    CISCO_CSTP_OPTIONS=split-include=1.2.3.4/32
    CISCO_DEF_DOMAIN=company.domain.com
    CISCO_SPLIT_INC=3
    CISCO_SPLIT_INC_0_ADDR=1.2.3.4
    CISCO_SPLIT_INC_0_MASK=255.255.255.255
    CISCO_SPLIT_INC_0_MASKLEN=32
    CISCO_SPLIT_INC_1_ADDR=5.6.7.8
    CISCO_SPLIT_INC_1_MASK=255.255.255.255
    CISCO_SPLIT_INC_1_MASKLEN=32
    CISCO_SPLIT_INC_2_ADDR=0.0.0.0
    CISCO_SPLIT_INC_2_MASK=0.0.0.0
    CISCO_SPLIT_INC_2_MASKLEN=0
    INTERNAL_IP4_ADDRESS=10.0.0.99
    INTERNAL_IP4_DNS=10.1.0.11 10.1.0.12
    INTERNAL_IP4_MTU=1326
    INTERNAL_IP4_NETADDR=10.0.0.99
    INTERNAL_IP4_NETMASK=255.255.255.255
    INTERNAL_IP4_NETMASKLEN=32
    VPNGATEWAY=[address that's not in any of the subnets above]

User's AnyConnect VPN without split tunnel:

    CISCO_BANNER=Welcome
    CISCO_CSTP_OPTIONS=X-CSTP-Version=1
    CISCO_DEF_DOMAIN=company.domain.com
    INTERNAL_IP4_ADDRESS=10.0.0.99
    INTERNAL_IP4_DNS=10.1.0.11 10.1.0.12
    INTERNAL_IP4_MTU=1322
    INTERNAL_IP4_NETADDR=10.0.0.0
    INTERNAL_IP4_NETMASK=255.255.255.0
    INTERNAL_IP4_NETMASKLEN=24
    VPNGATEWAY=[address not in the subnet above]
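
A diagnostic sketch for the GP environment above, added here and not part of the original post or of vpnc-script: it lists the split-include routes that contain VPNGATEWAY, since any such route sends the tunnel's own packets into the tunnel unless a more specific host route to the gateway exists. The function names and the VPNGATEWAY value (203.0.113.10) are assumptions; the split-include values are the ones listed in the post.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of vpnc-script. Function names are hypothetical.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside network $2 with prefix length $3.
in_cidr() {
    if [ "$3" -eq 0 ]; then return 0; fi   # 0.0.0.0/0 contains every address
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Print each split-include route that contains VPNGATEWAY; return 0 if any does.
gateway_shadowed() {
    hit=1; i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR} len=\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        if in_cidr "$VPNGATEWAY" "$addr" "$len"; then
            echo "$addr/$len"
            hit=0
        fi
        i=$((i + 1))
    done
    return $hit
}

# Split-include values from the GP environment in the post.
load_sample_env() {
    CISCO_SPLIT_INC=3
    CISCO_SPLIT_INC_0_ADDR=1.2.3.4; CISCO_SPLIT_INC_0_MASKLEN=32
    CISCO_SPLIT_INC_1_ADDR=5.6.7.8; CISCO_SPLIT_INC_1_MASKLEN=32
    CISCO_SPLIT_INC_2_ADDR=0.0.0.0; CISCO_SPLIT_INC_2_MASKLEN=0
    VPNGATEWAY=203.0.113.10   # constructed; the post does not give the real address
}

load_sample_env
if shadow=$(gateway_shadowed); then
    echo "VPNGATEWAY $VPNGATEWAY is inside split-include $shadow:"
    echo "it needs a host route via the pre-VPN default gateway before that route is added"
fi
```

Comparing this output with `netstat -rn` on the affected Mac shows whether the host route to the gateway was actually installed.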