On Sat, Jun 2, 2018 at 6:55 PM, Daniel Lenski <dlenski at gmail.com> wrote:
> User's GP VPN with split tunnel:
>
> CISCO_CSTP_OPTIONS=split-include=1.2.3.4/32
> CISCO_DEF_DOMAIN=company.domain.com
> CISCO_SPLIT_INC=3
> CISCO_SPLIT_INC_0_ADDR=10.1.0.11
> CISCO_SPLIT_INC_0_MASK=255.255.255.255
> CISCO_SPLIT_INC_0_MASKLEN=32
> CISCO_SPLIT_INC_1_ADDR=10.1.0.12
> CISCO_SPLIT_INC_1_MASK=255.255.255.255
> CISCO_SPLIT_INC_1_MASKLEN=32
> CISCO_SPLIT_INC_2_ADDR=0.0.0.0
> CISCO_SPLIT_INC_2_MASK=0.0.0.0
> CISCO_SPLIT_INC_2_MASKLEN=0
> INTERNAL_IP4_ADDRESS=10.0.0.99
> INTERNAL_IP4_DNS=10.1.0.11 10.1.0.12
> INTERNAL_IP4_MTU=1326
> INTERNAL_IP4_NETADDR=10.0.0.99
> INTERNAL_IP4_NETMASK=255.255.255.255
> INTERNAL_IP4_NETMASKLEN=32
> VPNGATEWAY=[address that's not in any of the subnets above]
We've done a whole lot more digging here, and haven't figured out a
clear fix, although we've narrowed it down:
- The three split-includes set by the GP VPN are, in this order:
[dns1]/32, [dns2]/32, 0.0.0.0/0 ? the standard vpnc-script *already*
adds routes for the DNS servers, so these are all redundant and should
essentially replicate the behavior of the standard non-split setup.
- With the split variables, the vpnc-script APPEARS TO DEFINITELY
succeed in adding an explicit route to the VPN gateway:
+(/etc/vpnc/vpnc-script:356): set_vpngateway_route(): route add
-host [external IP of VPN server] [normal default route gateway]
- ? but the problem appears to be that SOMEHOW the explicit route to
the VPN gateway is getting overwritten (or maybe not written in the
first place?)
Anyone ever seen a problem like this before? A similar configuration
works perfectly fine in Linux with ip-route.
Dan
