[PATCH] Support Split-Include-IP6 and Split-Exclude-IP6 headers

Jeremy Visser jeremy at visser.name
Mon Dec 30 04:04:22 EST 2013


I was wondering why my VPN (ASA 9.1.x), which is configured with IPv6
split tunnelling, was still only seeing an IPv6 default route with
OpenConnect.  Turns out it's a simple fix as most of the work has
already been done.

See attached patch.

The vpnc-script at [0] already supports CISCO_IPV6_SPLIT_INC and friends.

Also process_split_xxclude() in tun.c also supports recognising IPv6
addresses and passing them off into said environment variables.

One missing link was that the "X-CSTP-Full-IPv6-Capability: true" header
was not sent (required for the ASA to send IPv6 split routes).

The other was start_cstp_connection() in cstp.c was assuming that both
IPv4 and IPv6 split routes would be listed in the "Split-Include" /
"Split-Exclude" headers.

In fact, the ASA sends "Split-Include-IP6" / "Split-Exclude-IP6"
headers, e.g.:

X-CSTP-Split-Include-IP6: 2001:db8:1000:1001::/64
X-CSTP-Split-Include-IP6: 2001:db8:1000:1002::/64

There is not much need to separate these internally, given that
process_split_xxclude() already assumes they are combined, so it was a
simple matter to just do a little 'or' operator as you will see in the


-------------- next part --------------
A non-text attachment was scrubbed...
Name: cstp.c.patch
Type: text/x-patch
Size: 1388 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20131230/5c5709e5/attachment.bin>

More information about the openconnect-devel mailing list