[PATCH v3 1/3] Support split-exclude rules from Pulse gateway
Gernot Hillier
gernot.hillier at siemens.com
Wed Feb 21 09:21:26 PST 2018
On 21.02.2018 at 18:19, Kevin Cernekee wrote:
> On Wed, Feb 21, 2018 at 8:46 AM, Gernot Hillier
> <gernot.hillier at siemens.com> wrote:
>> The vpnc-script used by OpenConnect only supports "split include" rules (default
>> route unchanged, specific VPN routes added). We add support for Pulse's "split
>> exclude" rules (default route to VPN, exclude rules for targets to be connected
>> via normal uplink).
>>
>> For targets specified as split-exclude by the gateway, we add additional routes
>> which keep traffic as-is (i.e. separate from tunnel). On platforms only
>> providing /sbin/route, we guess that those are reached via default gateway.
>
> This might not work if the VPN gateway is pushing split-exclude routes
> such as "192.168.0.0/16" to let clients access e.g. printers on the
> LAN.
>
> It might work better for cases where the client is behind a firewall
> (such as GFW) and doesn't want to tunnel "internal WAN" traffic
> through the VPN.
>
> It may run into trouble on multi-homed systems, or systems that have
> to deal with network changes.
>
> I have had some luck using a dedicated routing table with RTN_THROW
> routes to implement split include + exclude, although plumbing that
> into vpnc-script could be a challenge.
>
>> Please note that the IPv6 variant is completely untested as I have no
>> access to corresponding testbeds.
>
> Should be able to set up a $5/mo Linode VM to run ocserv and request a
> /56 prefix. It won't exercise the Pulse code paths, but for routing
> that probably doesn't matter.
>
--
Kind regards,
Gernot Hillier
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux
Otto-Hahn-Ring 6, 81730 München, Germany
Tel.: +49 89 636-634004, Fax: -45450
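As an added illustration of the two routing layouts discussed in the quoted exchange (this is example code written for this page, not code from the patch series, from vpnc-script or from OpenConnect): the first function pins each split-exclude prefix to the pre-VPN default gateway, which is what the patch description does on platforms without policy routing; the second uses a dedicated routing table with "throw" routes, the approach Kevin mentions. The default-route line, the prefixes and the table number are constructed sample inputs; both functions print the iproute2 commands instead of executing them, so the script runs without privileges.

```shell
# parse_default_route "<line from ip route show default>"
# Prints "<gateway> <device>" or fails if either is missing (e.g. a
# point-to-point tunnel route without "via").
parse_default_route() {
    gw=""; dev=""
    set -- $1                      # split the route line into tokens
    while [ $# -gt 0 ]; do
        case "$1" in
            via) gw="$2"; shift ;;
            dev) dev="$2"; shift ;;
        esac
        shift
    done
    [ -n "$gw" ] && [ -n "$dev" ] || return 1
    printf '%s %s\n' "$gw" "$dev"
}

# split_exclude_routes "<default route line>" "<space-separated prefixes>"
# Layout 1 (what the patch describes): before the tunnel takes over the
# default route, add one route per excluded prefix via the current
# physical gateway, so that traffic keeps using the uplink.  The gateway
# address is baked into each route, so these go stale if the uplink changes.
split_exclude_routes() {
    excludes=$2
    parsed=$(parse_default_route "$1") || return 1
    set -- $parsed
    gw=$1; dev=$2
    for prefix in $excludes; do
        printf 'ip route add %s via %s dev %s\n' "$prefix" "$gw" "$dev"
    done
}

# split_exclude_throw_routes "<tunnel device>" "<prefixes>" [table]
# Layout 2 (dedicated table): the tunnel default route lives in its own
# table; a "throw" route for each excluded prefix ends the lookup in that
# table and falls back to the main table, i.e. the physical uplink.  The
# main table is never edited and no gateway address is recorded, so the
# rules stay valid when the uplink's gateway changes.
split_exclude_throw_routes() {
    tun=$1; excludes=$2; table=${3:-100}   # table 100 is an arbitrary choice
    printf 'ip route add default dev %s table %s\n' "$tun" "$table"
    for prefix in $excludes; do
        printf 'ip route add throw %s table %s\n' "$prefix" "$table"
    done
    # consult the VPN table before "main" (priority 32766) for all lookups
    printf 'ip rule add lookup %s priority 1000\n' "$table"
}

# Usage (constructed input, 192.0.2.0/24 is a documentation range):
#   split_exclude_routes "default via 192.0.2.1 dev eth0 proto dhcp" "192.168.0.0/16"
#   split_exclude_throw_routes tun0 "192.168.0.0/16" 100
```

Either output can be reviewed and then piped to sh as root; the pinned-route variant is the one that a /sbin/route-only platform can express, while the throw-table variant needs iproute2 policy routing.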