[PATCH v3 1/3] Support split-exclude rules from Pulse gateway

Gernot Hillier gernot.hillier at siemens.com
Wed Feb 21 09:31:27 PST 2018


Hi!

(Sorry for the duplicated answer, hit the wrong button while sitting in
a shaky train... :-( )

On 21.02.2018 at 18:19, Kevin Cernekee wrote:
> On Wed, Feb 21, 2018 at 8:46 AM, Gernot Hillier
> <gernot.hillier at siemens.com> wrote:
>> The vpnc-script used by OpenConnect only supports "split include" rules (default
>> route unchanged, specific VPN routes added). We add support for Pulse's "split
>> exclude" rules (default route to VPN, exclude rules for targets to be connected
>> via normal uplink).
>>
>> For targets specified as split-exclude by the gateway, we add additional routes
>> which keep traffic as-is (i.e. separate from the tunnel). On platforms only
>> providing /sbin/route, we guess that those are reached via the default gateway.
> 
> This might not work if the VPN gateway is pushing split-exclude routes
> such as "192.168.0.0/16" to let clients access e.g. printers on the
> LAN.

Yes, I know that this approach will fail in special cases, but I have no
idea how this could be implemented if we only have /sbin/route. I don't
think manually interpreting the routing table is the way to go, so I would
need a way to query the system about how it would route packets to a certain
target.

Any ideas?

-- 
Gernot Hillier
Siemens AG, Corporate Competence Center Embedded Linux
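As an added example (not part of this patch or of vpnc-script), the POSIX shell sketch below shows the kind of query asked for above on Linux: iproute2's `ip route get ADDR` reports the kernel's routing decision for one address, and its `via`/`dev` clauses can be copied into the exclude route instead of assuming the default gateway. The `/sbin/route` branch reproduces the default-gateway guess from the patch description, so the two paths can be compared on the `192.168.0.0/16` LAN case raised in the review. Function names, the sample `ip route get` lines and the `10.0.0.1` gateway are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the patch or from vpnc-script. It pins a
# split-exclude prefix to its current non-VPN path by asking the kernel
# (iproute2 `ip route get`) rather than guessing the default gateway.

# Parse the first line of `ip route get ADDR` output, for example
#   "8.8.8.8 via 192.168.1.1 dev eth0 src 192.168.1.10 uid 1000"  (via a gateway)
#   "192.168.1.5 dev eth0 src 192.168.1.10 uid 1000"              (on-link)
# and print the next-hop clause usable with `ip route add`: "via GW dev DEV"
# or "dev DEV". Returns 1 when the line carries no dev clause (e.g. an error).
route_nexthop_from_get() {
    set -- $1            # split the line into words (unquoted on purpose)
    gw=""
    dev=""
    while [ $# -gt 0 ]; do
        case "$1" in
            via) gw=$2 ;;
            dev) dev=$2 ;;
        esac
        shift
    done
    [ -n "$dev" ] || return 1
    if [ -n "$gw" ]; then
        printf 'via %s dev %s\n' "$gw" "$dev"
    else
        printf 'dev %s\n' "$dev"
    fi
}

# Ask the running kernel how it routes ADDR today (first output line only).
# Needs iproute2; the caller decides what to do when it is not installed.
query_route_get() {
    ip -4 route get "$1" 2>/dev/null | head -n 1
}

# Print the command that keeps exclude prefix CIDR ($1) off the tunnel.
# $2: `ip route get` line for an address inside CIDR (empty for the fallback)
# $3: "ip" when iproute2 is available, anything else for the /sbin/route path
# $4: the pre-VPN default gateway, used only by the fallback guess
exclude_route_cmd() {
    cidr=$1
    getline=$2
    tool=$3
    default_gw=$4
    if [ "$tool" = ip ]; then
        nh=$(route_nexthop_from_get "$getline") || return 1
        printf 'ip route add %s %s\n' "$cidr" "$nh"
    else
        # No query facility: guess the default gateway, as the patch does.
        # Wrong for on-link prefixes such as a LAN inside 192.168.0.0/16.
        printf 'route add -net %s gw %s\n' "$cidr" "$default_gw"
    fi
}

# Worked case from the thread. The `ip route get` line is constructed and
# describes a host reached on-link, i.e. not through the default gateway.
demo() {
    exclude="192.168.0.0/16"
    onlink_line="192.168.0.1 dev eth0 src 192.168.0.10 uid 1000"
    echo "iproute2 answer:   $(exclude_route_cmd "$exclude" "$onlink_line" ip 10.0.0.1)"
    echo "/sbin/route guess: $(exclude_route_cmd "$exclude" "" route 10.0.0.1)"
    if command -v ip >/dev/null 2>&1; then
        live=$(query_route_get "${exclude%/*}")
        echo "this host says:    ${live:-(no route)}"
    fi
}

demo
```

Probing one representative address still only tells you how that address is routed; a /16 that contains an on-link /24 plus addresses reachable only via the uplink gateway has no single correct answer, which is the case where anything short of walking the routing table falls short.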




More information about the openconnect-devel mailing list