openconnect routing issue, Cisco ASA SSL VPN
Mathew Crane
mathew.crane at gmail.com
Thu Nov 24 13:21:03 EST 2011
I am trying to connect remotely to my company's resources via their
Cisco VPN. They offer .p12 SSL-based ASA gateways that I can
successfully connect to and navigate company resources, access email,
etc. However, I am not able to navigate to resources located outside
of the company intranet while connected; for example, google.com or
en.wikipedia.org are unreachable and I receive '503 Gateway' errors
when navigating to external URLs. I am also unable to split tunnel
with this connection using network-manager-openconnect (the infamous
'Use this connection only for resources on its network' option). Using
openconnect from the CLI with the default vpnc vpnc-script yields the same
results. However, when I use the Cisco VPN client in Windows, I am
able to browse the internet just fine through their connection, so I
know it's a routing issue in Linux.
Main operating system: Xubuntu 11.10. Tested in Kubuntu 11.10, Ubuntu
11.10, Ubuntu 10.10
Installed packages: openconnect, network-manager-openconnect,
network-manager-openconnect-gnome. Network Manager is ver. 0.9
BEFORE (numerically, zeroconf route removed for clarity)
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
AFTER
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
172.28.48.0 0.0.0.0 255.255.240.0 U 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
<VPN gw> 192.168.1.1 255.255.255.255 UGH 0 0 0 eth2
Here are my Windows routes:
BEFORE connecting using the VPN client:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.140 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.140 266
192.168.1.140 255.255.255.255 On-link 192.168.1.140 266
192.168.1.255 255.255.255.255 On-link 192.168.1.140 266
192.168.58.0 255.255.255.0 On-link 192.168.58.1 276
192.168.58.1 255.255.255.255 On-link 192.168.58.1 276
192.168.58.255 255.255.255.255 On-link 192.168.58.1 276
192.168.195.0 255.255.255.0 On-link 192.168.195.1 276
192.168.195.1 255.255.255.255 On-link 192.168.195.1 276
192.168.195.255 255.255.255.255 On-link 192.168.195.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.140 266
224.0.0.0 240.0.0.0 On-link 192.168.195.1 276
224.0.0.0 240.0.0.0 On-link 192.168.58.1 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.140 266
255.255.255.255 255.255.255.255 On-link 192.168.195.1 276
255.255.255.255 255.255.255.255 On-link 192.168.58.1 276
===========================================================================
Persistent Routes:
None
AFTER:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.140 10
0.0.0.0 0.0.0.0 172.28.48.1 172.28.49.218 11
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.28.48.0 255.255.240.0 On-link 172.28.49.218 266
172.28.49.218 255.255.255.255 On-link 172.28.49.218 266
172.28.63.255 255.255.255.255 On-link 172.28.49.218 266
192.168.1.0 255.255.255.0 On-link 192.168.1.140 266
192.168.1.0 255.255.255.0 172.28.48.1 172.28.49.218 266
192.168.1.1 255.255.255.255 On-link 192.168.1.140 100
192.168.1.140 255.255.255.255 On-link 192.168.1.140 266
192.168.1.140 255.255.255.255 172.28.48.1 172.28.49.218 266
192.168.1.255 255.255.255.255 On-link 192.168.1.140 266
192.168.1.255 255.255.255.255 172.28.48.1 172.28.49.218 276
192.168.58.0 255.255.255.0 On-link 192.168.58.1 276
192.168.58.0 255.255.255.0 172.28.48.1 172.28.49.218 276
192.168.58.1 255.255.255.255 On-link 192.168.58.1 276
192.168.58.1 255.255.255.255 172.28.48.1 172.28.49.218 276
192.168.58.255 255.255.255.255 On-link 192.168.58.1 276
192.168.58.255 255.255.255.255 172.28.48.1 172.28.49.218 276
192.168.195.0 255.255.255.0 On-link 192.168.195.1 276
192.168.195.0 255.255.255.0 172.28.48.1 172.28.49.218 276
192.168.195.1 255.255.255.255 On-link 192.168.195.1 276
192.168.195.1 255.255.255.255 172.28.48.1 172.28.49.218 276
192.168.195.255 255.255.255.255 On-link 192.168.195.1 276
<vpn gateway> 255.255.255.255 192.168.1.1 192.168.1.140 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.140 266
224.0.0.0 240.0.0.0 On-link 192.168.195.1 276
224.0.0.0 240.0.0.0 On-link 192.168.58.1 276
224.0.0.0 240.0.0.0 On-link 172.28.49.218 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.140 266
255.255.255.255 255.255.255.255 On-link 192.168.195.1 276
255.255.255.255 255.255.255.255 On-link 192.168.58.1 276
255.255.255.255 255.255.255.255 On-link 172.28.49.218 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.28.48.1 1
===========================================================================
Can someone who is more gifted at routing than me please explain why
the route is failing once connecting to the VPN? Should I be
attempting to recreate my Windows routes on the Linux machine? In the
meantime I will attempt to connect manually and play around with
default routes.
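To see what each kernel actually does with the two AFTER tables above, here is a small longest-prefix-match lookup (added example, not part of the original post or of openconnect) run over the posted Linux routes and a subset of the posted Windows routes. The "<VPN gw>" placeholder is replaced by a constructed address, 198.51.100.1, and 203.0.113.10 stands in for any public internet host; both are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means on-link / directly attached
    iface: str
    metric: int

def route(dest, mask, gw, iface, metric=0):
    """Build a Route from the four columns common to 'route -n' and 'route print'."""
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    gateway = None if gw in ("0.0.0.0", "On-link") else ipaddress.IPv4Address(gw)
    return Route(net, gateway, iface, metric)

# Constructed stand-in for the "<VPN gw>" host route shown in the post.
VPN_GW = "198.51.100.1"

# Linux AFTER table from the post (zeroconf route omitted, as in the post).
LINUX_AFTER = [
    route("0.0.0.0", "0.0.0.0", "0.0.0.0", "tun0"),
    route("172.28.48.0", "255.255.240.0", "0.0.0.0", "tun0"),
    route("192.168.1.0", "255.255.255.0", "0.0.0.0", "eth2"),
    route(VPN_GW, "255.255.255.255", "192.168.1.1", "eth2"),
]

# Windows AFTER table: both default routes plus the entries relevant to the lookups below.
WINDOWS_AFTER = [
    route("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.140", 10),
    route("0.0.0.0", "0.0.0.0", "172.28.48.1", "172.28.49.218", 11),
    route("172.28.48.0", "255.255.240.0", "On-link", "172.28.49.218", 266),
    route("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.140", 266),
    route(VPN_GW, "255.255.255.255", "192.168.1.1", "192.168.1.140", 100),
]

def lookup(table, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))

def egress(table, dst):
    """Return (interface, next hop) for dst, or None if nothing matches."""
    r = lookup(table, dst)
    if r is None:
        return None
    return (r.iface, str(r.gateway) if r.gateway else "on-link")

if __name__ == "__main__":
    for dst in ("203.0.113.10", "172.28.50.7", "192.168.1.50", VPN_GW):
        print(dst, "linux:", egress(LINUX_AFTER, dst), "windows:", egress(WINDOWS_AFTER, dst))
```

On the Linux table every non-intranet destination falls to the tun0 default route, while the Windows table's two default routes are decided by metric (10 beats 11), so the posted tables send internet-bound packets out different interfaces; a traceroute to the same public host from each client confirms which path is in use.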