IPv6 split tunneling support for Linux

David Woodhouse dwmw2 at infradead.org
Mon Mar 3 15:53:40 EST 2014


On Wed, 2014-02-26 at 10:02 +0000, Tomas Moser wrote:
> 
> Does OpenConnect support IPv6 split tunneling feature or not? If not
> when do you expect it will? I do not understand changelog clearly -
> http://www.infradead.org/openconnect/changelog.html.

Yes, it does. The recent commit you see in the changelog¹ basically just
sends the extra header which *requests* a split tunnel config from the
ASA. Without that, the server wouldn't send the right routing
information.

I'm guessing they did that because Cisco's own client wasn't capable of
doing things properly in the past so it needs an explicit request from a
newer client to enable it.

OpenConnect and vpnc-script have supported split tunnels ever since IPv6
support was added though — it never made any sense to do a half-arsed
job and *not* make it work the same as Legacy IP. It's just that we
didn't realise that we needed to explicitly *tell* the server we weren't
brain-dead.

> Our customer wants to buy Cisco ASA platform but strictly insists on
> AnyConnect supporting IPv6 on the Linux platform. Cisco states there is
> NO IPv6 support at all in the latest AnyConnect release 3.1.x for
> Linux. I am looking for an alternative solution.

Cisco's own client is worse than just not supporting IPv6. It actually
*crashes*, in a *setuid* executable (vpnagentd) if you happen to have an
IPv6 address on a local Ethernet interface when you start it up. I
didn't look to see if it was exploitable like their tmpfile races used
to be when I first started on OpenConnect; when it comes to Cisco's
crappy clients I really am beyond caring these days.

> Is there any document summarizing OpenConnect IPv6 support for
> different platforms?

This is the 21st century. Any platform mentioned at
http://www.infradead.org/openconnect/platforms.html has been tested with
IPv6 and not just Legacy IP. What kind of Luddites do you think we
are? :)

-- 
dwmw2

¹ http://git.infradead.org/users/dwmw2/openconnect.git/commit/e9b90e7b3
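What "the right routing information" turns into on the client side, as an added example that is not part of this mail nor of OpenConnect's or vpnc-script's own code: a POSIX sh function that takes the IPv6 split-include list the way a vpnc-script hook receives it from openconnect (environment variables TUNDEV, CISCO_IPV6_SPLIT_INC and CISCO_IPV6_SPLIT_INC_<n>_ADDR / _MASKLEN; those names follow vpnc-script's convention as I recall it and are an assumption here) and prints the `ip -6 route` commands the hook would run. With no split list from the server it falls back to a default route, i.e. a full tunnel, which is exactly the case the header discussed above is meant to avoid. It only prints, so it can be run and checked without touching the routing table; the sample prefixes are constructed.

```shell
#!/bin/sh
# Added example; not code from the mail, OpenConnect or vpnc-script.
# Variable names (TUNDEV, CISCO_IPV6_SPLIT_INC, CISCO_IPV6_SPLIT_INC_<n>_ADDR,
# CISCO_IPV6_SPLIT_INC_<n>_MASKLEN) follow vpnc-script's convention as an
# assumption. Nothing here calls `ip`; the commands are printed for review.

# Print one "ip -6 route replace" per split-include prefix the server sent.
# If the server sent no IPv6 split list, the only sane choice is a default
# route over the tunnel, so that is what gets printed instead.
ipv6_split_routes() {
    tundev="${TUNDEV:-tun0}"
    n="${CISCO_IPV6_SPLIT_INC:-0}"
    if [ "$n" -eq 0 ]; then
        printf 'ip -6 route replace default dev %s\n' "$tundev"
        return 0
    fi
    i=0
    while [ "$i" -lt "$n" ]; do
        eval "addr=\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
        eval "len=\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
        # Refuse junk before it could reach the routing table: the address
        # must look like IPv6 and the prefix length must be 0..128.
        case "$addr" in
            *:*) ;;
            *) echo "bad IPv6 address: '$addr'" >&2; return 1 ;;
        esac
        case "$len" in
            ''|*[!0-9]*) echo "bad prefix length: '$len'" >&2; return 1 ;;
        esac
        [ "$len" -le 128 ] || { echo "bad prefix length: '$len'" >&2; return 1; }
        printf 'ip -6 route replace %s/%s dev %s\n' "$addr" "$len" "$tundev"
        i=$((i + 1))
    done
}

# Number of routes that would be installed. A split-tunnel session should
# produce as many lines as prefixes; a single default route means the
# server did not send (or was not asked for) an IPv6 split config.
ipv6_split_route_count() {
    ipv6_split_routes | wc -l | tr -d ' '
}
```

Run it under the same environment openconnect passes to its vpnc-script (for example from a wrapper script named via `--script`) and compare the printed routes against what the ASA administrator expects; a lone `default` line is the symptom of the missing request header this mail describes.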