[PATCH] Support Split-Include-IP6 and Split-Exclude-IP6 headers
Jeremy Visser
jeremy at visser.name
Mon Dec 30 04:04:22 EST 2013
G'day,

I was wondering why my VPN (ASA 9.1.x), which is configured with IPv6
split tunnelling, was still only seeing an IPv6 default route with
OpenConnect. Turns out it's a simple fix as most of the work has
already been done.

See attached patch.

The vpnc-script at [0] already supports CISCO_IPV6_SPLIT_INC and friends.
Also, process_split_xxclude() in tun.c supports recognising IPv6
addresses and passing them off into said environment variables.

One missing link was that the "X-CSTP-Full-IPv6-Capability: true" header
was not sent (required for the ASA to send IPv6 split routes).

The other was that start_cstp_connection() in cstp.c was assuming that both
IPv4 and IPv6 split routes would be listed in the "Split-Include" /
"Split-Exclude" headers.

In fact, the ASA sends "Split-Include-IP6" / "Split-Exclude-IP6"
headers, e.g.:

    X-CSTP-Split-Include: 192.168.1.0/255.255.255.0
    X-CSTP-Split-Include: 192.168.2.0/255.255.255.0
    X-CSTP-Split-Include-IP6: 2001:db8:1000:1001::/64
    X-CSTP-Split-Include-IP6: 2001:db8:1000:1002::/64

There is not much need to separate these internally, given that
process_split_xxclude() already assumes they are combined, so it was a
simple matter to just do a little 'or' operator as you will see in the
patch.

Cheers,
Jeremy.
--
[0] <http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cstp.c.patch
Type: text/x-patch
Size: 1388 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20131230/5c5709e5/attachment.bin>
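
The header matching described in the message above, as an added example (it is not the attached cstp.c.patch and not OpenConnect's code): the same sample headers are parsed once matching only the unsuffixed names and once also accepting the -IP6 names, showing that the IPv6 split routes are dropped in the first case. `struct split_routes`, `add_split_header()`, `ipv6_routes()` and the `accept_ip6` flag are hypothetical names chosen for this sketch.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ROUTES 16

struct split_routes { /* hypothetical: IPv4 and IPv6 share one list per kind */
    const char *include[MAX_ROUTES], *exclude[MAX_ROUTES];
    int n_include, n_exclude;
};

static const char *sample[][2] = { /* constructed from the email's headers */
    { "X-CSTP-Split-Include", "192.168.1.0/255.255.255.0" },
    { "X-CSTP-Split-Include", "192.168.2.0/255.255.255.0" },
    { "X-CSTP-Split-Include-IP6", "2001:db8:1000:1001::/64" },
    { "X-CSTP-Split-Include-IP6", "2001:db8:1000:1002::/64" },
};

/* Returns 1 if stored, 0 if not a split header, -1 if the list is full. */
static int add_split_header(struct split_routes *r, const char *name,
                            const char *value, int accept_ip6) /* 0: unsuffixed only */
{
    int inc = !strcmp(name, "X-CSTP-Split-Include") ||
              (accept_ip6 && !strcmp(name, "X-CSTP-Split-Include-IP6"));
    int exc = !strcmp(name, "X-CSTP-Split-Exclude") ||
              (accept_ip6 && !strcmp(name, "X-CSTP-Split-Exclude-IP6"));
    const char **list = inc ? r->include : r->exclude;
    int *n = inc ? &r->n_include : &r->n_exclude;
    if (!inc && !exc)
        return 0;
    if (*n == MAX_ROUTES)
        return -1;
    list[(*n)++] = value;
    return 1;
}

/* Parse the sample; count stored routes that are IPv6 (value contains ':'). */
static int ipv6_routes(int accept_ip6)
{
    struct split_routes r = { { NULL }, { NULL }, 0, 0 };
    int i, v6 = 0;
    for (i = 0; i < (int)(sizeof(sample) / sizeof(sample[0])); i++)
        if (add_split_header(&r, sample[i][0], sample[i][1], accept_ip6) == 1)
            v6 += strchr(sample[i][1], ':') != NULL;
    return v6;
}

int main(void)
{
    printf("-IP6 ignored: %d, accepted: %d\n", ipv6_routes(0), ipv6_routes(1));
    return 0;
}
```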