On Sat, Jun 2, 2018 at 6:55 PM, Daniel Lenski <dlenski at gmail.com> wrote:
> User's GP VPN with split tunnel:
>
> CISCO_CSTP_OPTIONS=split-include=1.2.3.4/32
> CISCO_DEF_DOMAIN=company.domain.com
> CISCO_SPLIT_INC=3
> CISCO_SPLIT_INC_0_ADDR=10.1.0.11
> CISCO_SPLIT_INC_0_MASK=255.255.255.255
> CISCO_SPLIT_INC_0_MASKLEN=32
> CISCO_SPLIT_INC_1_ADDR=10.1.0.12
> CISCO_SPLIT_INC_1_MASK=255.255.255.255
> CISCO_SPLIT_INC_1_MASKLEN=32
> CISCO_SPLIT_INC_2_ADDR=0.0.0.0
> CISCO_SPLIT_INC_2_MASK=0.0.0.0
> CISCO_SPLIT_INC_2_MASKLEN=0
> INTERNAL_IP4_ADDRESS=10.0.0.99
> INTERNAL_IP4_DNS=10.1.0.11 10.1.0.12
> INTERNAL_IP4_MTU=1326
> INTERNAL_IP4_NETADDR=10.0.0.99
> INTERNAL_IP4_NETMASK=255.255.255.255
> INTERNAL_IP4_NETMASKLEN=32
> VPNGATEWAY=[address that's not in any of the subnets above]

We've done a whole lot more digging here, and haven't figured out a clear fix, although we've narrowed it down:

- The three split-includes set by the GP VPN are, in this order: [dns1]/32, [dns2]/32, 0.0.0.0/0 — the standard vpnc-script *already* adds routes for the DNS servers, so these are all redundant and should essentially replicate the behavior of the standard non-split setup.

- With the split variables, the vpnc-script APPEARS TO DEFINITELY succeed in adding an explicit route to the VPN gateway:

    +(/etc/vpnc/vpnc-script:356): set_vpngateway_route(): route add -host [external IP of VPN server] [normal default route gateway]

- ... but the problem appears to be that SOMEHOW the explicit route to the VPN gateway is getting overwritten (or maybe not written in the first place?)

Anyone ever seen a problem like this before? A similar configuration works perfectly fine in Linux with ip-route.

Dan
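The following is an added troubleshooting script, not part of the mail above and not vpnc-script's own code. It reads the CISCO_SPLIT_INC_* variables the same way vpnc-script's split-include loop consumes them (an index count plus per-index _ADDR/_MASKLEN variables) and reports the two facts Dan's analysis rests on: the include list contains 0.0.0.0/0, so it is a full tunnel in disguise, and that /0 prefix covers VPNGATEWAY, which is exactly why the explicit host route to the gateway must survive or tunnel traffic to the gateway itself gets routed into the tunnel. The sample environment repeats the values quoted in the mail; the gateway address (203.0.113.1, documentation range) and all function names are constructed placeholders, since the mail does not give the real gateway.

```shell
#!/bin/sh
# Added example, not vpnc-script: inspect CISCO_SPLIT_INC_* the way the
# split-include loop in vpnc-script does, and sanity-check the result.

# Constructed sample environment mirroring the values quoted in the mail.
# VPNGATEWAY is a placeholder from the documentation range, not a real address.
load_example_env() {
    CISCO_SPLIT_INC=3
    CISCO_SPLIT_INC_0_ADDR=10.1.0.11;  CISCO_SPLIT_INC_0_MASKLEN=32
    CISCO_SPLIT_INC_1_ADDR=10.1.0.12;  CISCO_SPLIT_INC_1_MASKLEN=32
    CISCO_SPLIT_INC_2_ADDR=0.0.0.0;    CISCO_SPLIT_INC_2_MASKLEN=0
    INTERNAL_IP4_DNS="10.1.0.11 10.1.0.12"
    VPNGATEWAY=203.0.113.1
}

# dotted quad -> 32-bit integer; runs in a subshell so the IFS change stays local
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet IP NET MASKLEN -> exit 0 if IP lies inside NET/MASKLEN
in_subnet() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2"); len=$3
    if [ "$len" -eq 0 ]; then mask=0
    else mask=$(( (0xffffffff << (32 - len)) & 0xffffffff )); fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# One "addr/masklen" per split-include, in the order the gateway sent them
split_includes() {
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval "addr=\$CISCO_SPLIT_INC_${i}_ADDR"
        eval "len=\$CISCO_SPLIT_INC_${i}_MASKLEN"
        echo "$addr/$len"
        i=$((i + 1))
    done
}

# "full" if the include list contains 0.0.0.0/0 (equivalent to no split), else "split"
tunnel_mode() {
    for r in $(split_includes); do
        [ "$r" = "0.0.0.0/0" ] && { echo full; return 0; }
    done
    echo split
}

# Includes that cover VPNGATEWAY: each needs a more-specific host route to the
# gateway via the original default gateway, or gateway traffic enters the tunnel.
includes_covering_gateway() {
    for r in $(split_includes); do
        if in_subnet "$VPNGATEWAY" "${r%/*}" "${r#*/}"; then echo "$r"; fi
    done
    return 0
}

# /32 includes that merely repeat the DNS host routes vpnc-script adds anyway
redundant_dns_includes() {
    for r in $(split_includes); do
        [ "${r#*/}" = 32 ] || continue
        for dns in $INTERNAL_IP4_DNS; do
            [ "${r%/*}" = "$dns" ] && echo "$r"
        done
    done
    return 0
}

load_example_env
echo "tunnel mode:                $(tunnel_mode)"
echo "includes covering gateway:  $(includes_covering_gateway | tr '\n' ' ')"
echo "redundant DNS includes:     $(redundant_dns_includes | tr '\n' ' ')"
```

Run against a live session by replacing load_example_env with the environment vpnc-script is actually invoked with (for instance by dumping `env` from the script). If tunnel mode reports "full" and 0.0.0.0/0 covers the gateway, the only thing keeping the VPN server reachable is the /32 host route from set_vpngateway_route(), so that is the route to watch in the routing table after the split-include routes are installed.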