Problem connecting to VPN

Ralph Schmieder ralph.schmieder at gmail.com
Mon Oct 3 12:10:01 PDT 2016


Well, typically the 'instruction' to set the default route would be sent by the VPN gateway. You could try to set the default route through the tunnel manually. But you also need to make sure to preserve a host route to the VPN gateway.

But that doesn't guarantee success, as the university internal network could be dropping traffic that is not internal. You don't have any influence on the routing / security policy that is implemented there.

-ralph

Sent from my iPhone

> On Oct 1, 2016, at 17:20, Alex Branham <branham at utexas.edu> wrote:
> 
> Thanks for the reply. Is there a way to disable this behavior? In other words, to route all my traffic through the VPN? I tried a few commands with "ip route change ..." but couldn't get anything to work.
> 
> Sorry if this is a really simple question - I know next to nothing about how Linux handles internet traffic!
> 
> Alex
> 
> 
> Ralph Schmieder <ralph.schmieder at gmail.com> writes:
> 
>> Apparently, the head-end is set up for split tunneling. Only university subnets (which are listed in X-CSTP-Split-Include headers) are routed through the tunnel and your default route still points to your local gateway.
>> 
>> IMO: works as configured :)
>> 
>>> On Wed, 2016-11-28 at 04:11 GMT+2, Alex Branham wrote:
>>> Thanks. I thought it was supposed to - this portion of the website
>>> indicates that it should, I think? http://www.infradead.org/openconnect/vpnc-script.html
>>> 
>>> This is the output of 'ip route' before running openconnect:
>>> 
>>> default via 192.168.0.1 dev wlp3s0  proto static  metric 600 
>>> 192.168.0.0/24 dev wlp3s0  proto kernel  scope link  src 192.168.0.108  metric 600 
>>> 
>>> and after:
>>> 
>>> default via 192.168.0.1 dev wlp3s0  proto static  metric 600 
>>> 10.0.0.0/8 dev tun0  scope link 
>>> 10.0.0.0/8 dev tun0  scope link  metric 1 
>>> 128.62.0.0/16 dev tun0  scope link 
>>> 128.62.0.0/16 dev tun0  scope link  metric 1 
>>> 128.83.0.0/16 dev tun0  scope link 
>>> 128.83.0.0/16 dev tun0  scope link  metric 1 
>>> 128.83.185.40 dev tun0  scope link 
>>> 128.83.185.40 dev tun0  scope link  metric 1 
>>> 128.83.185.41 dev tun0  scope link 
>>> 128.83.185.41 dev tun0  scope link  metric 1 
>>> 129.116.0.0/16 dev tun0  scope link 
>>> 129.116.0.0/16 dev tun0  scope link  metric 1 
>>> 129.116.67.2 via 192.168.0.1 dev wlp3s0  src 192.168.0.108 
>>> 146.6.0.0/16 dev tun0  scope link 
>>> 146.6.0.0/16 dev tun0  scope link  metric 1 
>>> 172.16.0.0/12 dev tun0  scope link 
>>> 172.16.0.0/12 dev tun0  scope link  metric 1 
>>> 172.29.224.0/19 dev tun0  scope link 
>>> 172.29.224.0/19 dev tun0  scope link  metric 2 
>>> 192.168.0.0/24 dev wlp3s0  proto kernel  scope link  src 192.168.0.108  metric 600 
>>> 198.213.192.0/18 dev tun0  scope link 
>>> 198.213.192.0/18 dev tun0  scope link  metric 1 
>>> 206.76.64.0/18 dev tun0  scope link 
>>> 206.76.64.0/18 dev tun0  scope link  metric 1 
>>> 
>>> The verbose output:
>>> 
>>> POST https://vpn.utexas.edu/
>>> Got HTTP response: HTTP/1.1 200 OK
>>> Content-Type: text/html; charset=utf-8
>>> Transfer-Encoding: chunked
>>> Cache-Control: no-cache
>>> Pragma: no-cache
>>> Connection: Keep-Alive
>>> Date: Wed, 28 Sep 2016 02:08:49 GMT
>>> X-Frame-Options: SAMEORIGIN
>>> X-Aggregate-Auth: 1
>>> HTTP body chunked (-2)
>>> Got CONNECT response: HTTP/1.1 200 OK
>>> X-CSTP-Version: 1
>>> X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
>>> X-CSTP-Address: 172.29.232.73
>>> X-CSTP-Netmask: 255.255.224.0
>>> X-CSTP-Hostname: UTVPN-ASA5585X.its.utexas.edu
>>> X-CSTP-DNS: 128.83.185.41
>>> X-CSTP-DNS: 128.83.185.40
>>> X-CSTP-Lease-Duration: 86400
>>> X-CSTP-Session-Timeout: 86400
>>> X-CSTP-Idle-Timeout: 7200
>>> X-CSTP-Disconnected-Timeout: 7200
>>> X-CSTP-Default-Domain: vpn.utexas.edu
>>> X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
>>> X-CSTP-Split-Include: 128.62.0.0/255.255.0.0
>>> X-CSTP-Split-Include: 128.83.0.0/255.255.0.0
>>> X-CSTP-Split-Include: 129.116.0.0/255.255.0.0
>>> X-CSTP-Split-Include: 146.6.0.0/255.255.0.0
>>> X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
>>> X-CSTP-Split-Include: 198.213.192.0/255.255.192.0
>>> X-CSTP-Split-Include: 206.76.64.0/255.255.192.0
>>> X-CSTP-Keep: true
>>> X-CSTP-Tunnel-All-DNS: false
>>> X-CSTP-Rekey-Time: 1800
>>> X-CSTP-Rekey-Method: new-tunnel
>>> X-CSTP-DPD: disabled
>>> X-CSTP-Keepalive: 20
>>> X-CSTP-MSIE-Proxy-Lockdown: true
>>> X-CSTP-Smartcard-Removal-Disconnect: true
>>> X-CSTP-MTU: 1406
>>> X-CSTP-Routing-Filtering-Ignore: false
>>> X-CSTP-Quarantine: false
>>> X-CSTP-Disable-Always-On-VPN: false
>>> X-CSTP-Client-Bypass-Protocol: false
>>> X-CSTP-TCP-Keepalive: true
>>> X-CSTP-Post-Auth-XML: <elided>
>>> CSTP connected. DPD 0, Keepalive 20
>>> CSTP Ciphersuite: (TLS1.0)-(DHE-RSA-1024)-(AES-128-CBC)-(SHA1)
>>> Set up DTLS failed; using SSL instead
>>> Connected as 172.29.232.73, using SSL
>>> 
>>> 
>>> David Woodhouse <dwmw2 at infradead.org> writes:
>>> 
>>>>> On Tue, 2016-09-27 at 19:01 -0500, Alex Branham wrote:
>>>>> Thanks for the reply.
>>>>> 
>>>>> I can ping the server but it isn't routing my normal internet traffic through the VPN.
>>>> 
>>>> Is it supposed to? Show openconnect output with '-v', and the output of 'ip route'.
> 
> 
> -- 
> J. Alexander Branham
> PhD Candidate
> Department of Government
> University of Texas at Austin
> www.jabranham.com
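
The manual change Ralph describes (default route through the tunnel, host route to the VPN gateway preserved), written out as an added example; this is not code from the thread or from the openconnect project. It assumes the VPN gateway address is the 129.116.67.2 that already has a host route via 192.168.0.1 in Alex's "after" output, the tun device is tun0, and the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread or from openconnect's vpnc-script.
# Given the text of 'ip route' after openconnect has installed its
# split-include routes, plan the commands that send all traffic through
# tun0 while keeping a host route to the VPN gateway on the physical path.
# Assumptions: the gateway address is passed in (129.116.67.2, taken from
# the host route in the thread); output is printed, not run.

# Read the current default gateway and its interface from 'ip route' text.
default_via() { awk '$1=="default" && $2=="via" {print $3; exit}'; }
default_dev() { awk '$1=="default" {for(i=1;i<NF;i++) if($i=="dev"){print $(i+1); exit}}'; }

# Print the ip(8) commands for a full tunnel: host route first, then default.
plan_full_tunnel() {
    vpn_gw=$1; tun=$2; routes=$3
    gw=$(printf '%s\n' "$routes" | default_via)
    dev=$(printf '%s\n' "$routes" | default_dev)
    if [ -z "$gw" ] || [ -z "$dev" ]; then
        echo "no default route found; refusing to plan" >&2
        return 1
    fi
    # Pin the VPN gateway to the physical interface so the tunnel's own
    # packets are never routed back into the tunnel.
    printf 'ip route replace %s/32 via %s dev %s\n' "$vpn_gw" "$gw" "$dev"
    # Point-to-point tun has no next hop, so the default route names the
    # device only. The split-include routes stay and become redundant.
    printf 'ip route replace default dev %s\n' "$tun"
}

# Sanity check of a plan: the host route to the gateway must be installed
# before the new default route, otherwise the tunnel would eat itself.
plan_is_safe() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        $4 == gw"/32" && !seen_default { host=1 }
        $4 == "default"                 { seen_default=1 }
        END { exit (host && seen_default) ? 0 : 1 }'
}

# Constructed sample: three lines from the "after" output in the thread.
SAMPLE_ROUTES='default via 192.168.0.1 dev wlp3s0  proto static  metric 600
129.116.67.2 via 192.168.0.1 dev wlp3s0  src 192.168.0.108
172.29.224.0/19 dev tun0  scope link  metric 2'

# Usage (as root, after openconnect is up):
#   plan_full_tunnel 129.116.67.2 tun0 "$(ip route)" | sh
```

As Ralph notes, this only changes the client side; if the head-end drops traffic to non-university destinations, a full tunnel still will not reach the internet.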
