no-route a.k.a X-CSTP-Split-Exclude configure on ocserv not working with openconnect cli/gui
Kee K Y CHEN
keekychen at gmail.com
Mon Apr 9 01:37:17 PDT 2018
Dear Author:
Recently I ran into one problem: the no-route (a.k.a. X-CSTP-Split-Exclude)
configuration on ocserv is not working with OpenConnect, in both the GUI and the CLI.
My Environment:
Client:
Windows 7 64-bit, OpenConnect-GUI version is 1.5.{1,2,3}, with
OpenConnect version v7.08
Server:
ocserv 0.10.11/ocserv 0.11.8
with Cisco compatible mode enabled
In ocserv's configuration, the “no-route” directive defines which IP
segments will go via the local gateway instead of the VPN gateway (split
tunnel, client side).
The ocserv configuration file may look like:
...
"no-route = 1.1.0.0/255.255.0.0"
"no-route = 2.2.0.0/255.255.0.0"
...
Normally, after the user dials the VPN, the VPN client rewrites the
local host route(s) to point at the local gateway based on the “no-route”
configuration, as split tunnels.
However, this feature is not working on OpenConnect, while it works on Cisco
AnyConnect clients.
In the log, I can see that the info from the server was pushed to the local client:
2018-03-27 12:59:05 | c74 | X-CSTP-Split-Exclude: 1.1.0.0/255.255.0.0
2018-03-27 12:59:05 | c74 | X-CSTP-Split-Exclude: 2.2.0.0/255.255.0.0
But no local host routing-set command (such as route add/delete) was
found in the OpenConnect log for the above two subnets.
“cmd -> route print” also confirms only 0.0.0.0 with a smaller metric in the
local routing table, but no detailed split routing entries:
Network Destination    Netmask    Gateway        Interface       Metric
0.0.0.0                0.0.0.0    192.168.1.1    192.168.1.28    21      <- local LAN
0.0.0.0                0.0.0.0    172.16.2.1     172.16.2.66     2       <- VPN net with lower metric
Do you mind checking why X-CSTP-Split-Exclude is not triggering the local
routing commands that rewrite the local routing table?
Thank you.
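To make the symptom above checkable rather than eyeballed, here is a small diagnostic that parses the X-CSTP-Split-Exclude lines from an OpenConnect log and the IPv4 rows of a `route print` dump, then reports which excluded subnets have no route via the local (non-VPN) gateway. This is an added example, not code from the report or from the OpenConnect or ocserv projects; the log and route-table text are constructed samples modelled on the report (with one exclude route deliberately present so both outcomes are exercised), and the local gateway address is passed in as a parameter because the script cannot know it.

```python
import ipaddress
import re

# Constructed sample: OpenConnect log lines in the same shape as the report above.
SAMPLE_LOG = """\
2018-03-27 12:59:05 | c74 | X-CSTP-Split-Exclude: 1.1.0.0/255.255.0.0
2018-03-27 12:59:05 | c74 | X-CSTP-Split-Exclude: 2.2.0.0/255.255.0.0
2018-03-27 12:59:05 | c74 | X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
"""

# Constructed sample: IPv4 section of a Windows `route print` dump. The row for
# 1.1.0.0 is added here on purpose so that one exclude is satisfied and one is not.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.28     21
          0.0.0.0          0.0.0.0       172.16.2.1    172.16.2.66      2
          1.1.0.0      255.255.0.0      192.168.1.1   192.168.1.28     21
"""

SPLIT_EXCLUDE_RE = re.compile(r"X-CSTP-Split-Exclude:\s*(\S+)")


def parse_split_excludes(log_text):
    """Return the networks the server asked the client to exclude from the tunnel."""
    nets = []
    for match in SPLIT_EXCLUDE_RE.finditer(log_text):
        addr, mask = match.group(1).split("/")
        # ipaddress accepts a dotted netmask; strict=False tolerates host bits set.
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def parse_route_table(route_text):
    """Parse `route print` style rows into (network, gateway) tuples, skipping headers."""
    rows = []
    for line in route_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gateway = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # header line or anything that is not an IPv4 route row
        rows.append((net, gateway))
    return rows


def missing_exclude_routes(log_text, route_text, local_gateway):
    """Excluded networks for which no route via the local gateway exists.

    A split-exclude is only effective if a more specific route than the VPN
    default sends that subnet to the local gateway, so anything returned here
    will still be tunnelled over the VPN.
    """
    gateway = ipaddress.ip_address(local_gateway)
    routes = parse_route_table(route_text)
    missing = []
    for net in parse_split_excludes(log_text):
        if not any(r_net == net and r_gw == gateway for r_net, r_gw in routes):
            missing.append(net)
    return missing


if __name__ == "__main__":
    for net in missing_exclude_routes(SAMPLE_LOG, SAMPLE_ROUTE_PRINT, "192.168.1.1"):
        print(f"exclude pushed by server but not routed locally: {net}")
```

On a real host, paste the OpenConnect log and the output of `route print` into the two inputs and pass the LAN gateway shown on the 0.0.0.0 row with the higher metric; every subnet the script lists is one the server told the client to bypass but which the routing table still sends down the tunnel.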