Problem connecting to VPN

Alex Branham branham at utexas.edu
Sat Oct 1 08:20:58 PDT 2016


Thanks for the reply. Is there a way to disable this behavior? In other words, to route all my traffic through the VPN? I tried a few commands with "ip route change ..." but couldn't get anything to work.

Sorry if this is a really simple question - I know next to nothing about how Linux handles internet traffic!

Alex


Ralph Schmieder <ralph.schmieder at gmail.com> writes:

> Apparently, the head-end is set up for split tunneling. Only university subnets (which are listed in X-CSTP-Split-Include headers) are routed through the tunnel and your default route still points to your local gateway.
>
> IMO: works as configured :)
>
> On Wed, 2016-11-28 at 04:11 GMT+2, Alex Branham wrote:
>> Thanks. I thought it was supposed to - this portion of the website
>> indicates that it should, I think? http://www.infradead.org/openconnect/vpnc-script.html
>> 
>> This is the output of 'ip route' before running openconnect:
>> 
>> default via 192.168.0.1 dev wlp3s0  proto static  metric 600 
>> 192.168.0.0/24 dev wlp3s0  proto kernel  scope link  src 192.168.0.108  metric 600 
>> 
>> and after:
>> 
>> default via 192.168.0.1 dev wlp3s0  proto static  metric 600 
>> 10.0.0.0/8 dev tun0  scope link 
>> 10.0.0.0/8 dev tun0  scope link  metric 1 
>> 128.62.0.0/16 dev tun0  scope link 
>> 128.62.0.0/16 dev tun0  scope link  metric 1 
>> 128.83.0.0/16 dev tun0  scope link 
>> 128.83.0.0/16 dev tun0  scope link  metric 1 
>> 128.83.185.40 dev tun0  scope link 
>> 128.83.185.40 dev tun0  scope link  metric 1 
>> 128.83.185.41 dev tun0  scope link 
>> 128.83.185.41 dev tun0  scope link  metric 1 
>> 129.116.0.0/16 dev tun0  scope link 
>> 129.116.0.0/16 dev tun0  scope link  metric 1 
>> 129.116.67.2 via 192.168.0.1 dev wlp3s0  src 192.168.0.108 
>> 146.6.0.0/16 dev tun0  scope link 
>> 146.6.0.0/16 dev tun0  scope link  metric 1 
>> 172.16.0.0/12 dev tun0  scope link 
>> 172.16.0.0/12 dev tun0  scope link  metric 1 
>> 172.29.224.0/19 dev tun0  scope link 
>> 172.29.224.0/19 dev tun0  scope link  metric 2 
>> 192.168.0.0/24 dev wlp3s0  proto kernel  scope link  src 192.168.0.108  metric 600 
>> 198.213.192.0/18 dev tun0  scope link 
>> 198.213.192.0/18 dev tun0  scope link  metric 1 
>> 206.76.64.0/18 dev tun0  scope link 
>> 206.76.64.0/18 dev tun0  scope link  metric 1 
>> 
>> The verbose output:
>> 
>> POST https://vpn.utexas.edu/
>> Got HTTP response: HTTP/1.1 200 OK
>> Content-Type: text/html; charset=utf-8
>> Transfer-Encoding: chunked
>> Cache-Control: no-cache
>> Pragma: no-cache
>> Connection: Keep-Alive
>> Date: Wed, 28 Sep 2016 02:08:49 GMT
>> X-Frame-Options: SAMEORIGIN
>> X-Aggregate-Auth: 1
>> HTTP body chunked (-2)
>> Got CONNECT response: HTTP/1.1 200 OK
>> X-CSTP-Version: 1
>> X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
>> X-CSTP-Address: 172.29.232.73
>> X-CSTP-Netmask: 255.255.224.0
>> X-CSTP-Hostname: UTVPN-ASA5585X.its.utexas.edu
>> X-CSTP-DNS: 128.83.185.41
>> X-CSTP-DNS: 128.83.185.40
>> X-CSTP-Lease-Duration: 86400
>> X-CSTP-Session-Timeout: 86400
>> X-CSTP-Idle-Timeout: 7200
>> X-CSTP-Disconnected-Timeout: 7200
>> X-CSTP-Default-Domain: vpn.utexas.edu
>> X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
>> X-CSTP-Split-Include: 128.62.0.0/255.255.0.0
>> X-CSTP-Split-Include: 128.83.0.0/255.255.0.0
>> X-CSTP-Split-Include: 129.116.0.0/255.255.0.0
>> X-CSTP-Split-Include: 146.6.0.0/255.255.0.0
>> X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
>> X-CSTP-Split-Include: 198.213.192.0/255.255.192.0
>> X-CSTP-Split-Include: 206.76.64.0/255.255.192.0
>> X-CSTP-Keep: true
>> X-CSTP-Tunnel-All-DNS: false
>> X-CSTP-Rekey-Time: 1800
>> X-CSTP-Rekey-Method: new-tunnel
>> X-CSTP-DPD: disabled
>> X-CSTP-Keepalive: 20
>> X-CSTP-MSIE-Proxy-Lockdown: true
>> X-CSTP-Smartcard-Removal-Disconnect: true
>> X-CSTP-MTU: 1406
>> X-CSTP-Routing-Filtering-Ignore: false
>> X-CSTP-Quarantine: false
>> X-CSTP-Disable-Always-On-VPN: false
>> X-CSTP-Client-Bypass-Protocol: false
>> X-CSTP-TCP-Keepalive: true
>> X-CSTP-Post-Auth-XML: <elided>
>> CSTP connected. DPD 0, Keepalive 20
>> CSTP Ciphersuite: (TLS1.0)-(DHE-RSA-1024)-(AES-128-CBC)-(SHA1)
>> Set up DTLS failed; using SSL instead
>> Connected as 172.29.232.73, using SSL
>> 
>> 
>> David Woodhouse <dwmw2 at infradead.org> writes:
>> 
>>> On Tue, 2016-09-27 at 19:01 -0500, Alex Branham wrote:
>>>> Thanks for the reply.
>>>> 
>>>> I can ping the server but it isn't routing my normal internet traffic through the VPN.
>>> 
>>> Is it supposed to? Show openconnect output with '-v', and the output of 'ip route'.


-- 
J. Alexander Branham
PhD Candidate
Department of Government
University of Texas at Austin
www.jabranham.com
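As an added illustration (not code from the thread or from openconnect itself) of the split-tunnel behaviour Ralph describes, the script below parses the X-CSTP-Split-Include headers from the verbose output quoted above and shows which destinations vpnc-script will send through tun0 and which stay on the local default gateway. It models only the Split-Include entries, not the extra host routes for the DNS servers, and the destination addresses it is tested with are constructed.

```python
import ipaddress

# Constructed sample: the routing-relevant X-CSTP-* headers from the
# verbose openconnect output quoted in the thread.
CSTP_HEADERS = """\
X-CSTP-Address: 172.29.232.73
X-CSTP-Netmask: 255.255.224.0
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 128.62.0.0/255.255.0.0
X-CSTP-Split-Include: 128.83.0.0/255.255.0.0
X-CSTP-Split-Include: 129.116.0.0/255.255.0.0
X-CSTP-Split-Include: 146.6.0.0/255.255.0.0
X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
X-CSTP-Split-Include: 198.213.192.0/255.255.192.0
X-CSTP-Split-Include: 206.76.64.0/255.255.192.0
X-CSTP-Tunnel-All-DNS: false
"""


def parse_split_includes(headers: str) -> list:
    """Return the X-CSTP-Split-Include entries as IPv4Network objects.

    The head-end sends them as 'address/dotted-netmask'; ipaddress accepts
    that form directly and normalises it to CIDR (e.g. 172.16.0.0/12).
    """
    nets = []
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip() == "X-CSTP-Split-Include":
            nets.append(ipaddress.IPv4Network(value.strip(), strict=True))
    return nets


def is_split_tunnel(headers: str) -> bool:
    """True when the head-end sent Split-Include routes and none of them is
    0.0.0.0/0, i.e. the client was never told to tunnel everything."""
    nets = parse_split_includes(headers)
    return bool(nets) and not any(n.prefixlen == 0 for n in nets)


def route_for(headers: str, dst: str) -> str:
    """Mirror the table vpnc-script builds: the longest matching Split-Include
    wins over the untouched default route (wlp3s0 in the thread's output)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [n for n in parse_split_includes(headers) if addr in n]
    if not matches:
        return "default gateway"
    best = max(matches, key=lambda n: n.prefixlen)
    return f"tun0 via {best.with_prefixlen}"
```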


