The vpnc-script used by OpenConnect only supports "split include" rules (default
route unchanged, specific VPN routes added). We add support for Pulse's "split
exclude" rules (default route to VPN, exclude rules for targets to be connected
via normal uplink).

Tested on openSUSE 42.2 with both the ip-based and the route-command-based code
paths. The IPv6 part is completely untested.

Signed-off-by: Gernot Hillier <gernot.hill...@siemens.com>
---
 vpnc-script | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/vpnc-script b/vpnc-script
index d04bba9..50ce252 100755
--- a/vpnc-script
+++ b/vpnc-script
@@ -818,6 +818,18 @@ do_connect() {
        elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
                set_default_route
        fi
+       if [ -n "$CISCO_SPLIT_EXC" ]; then
+               i=0
+               UPLINKGW=`get_uplink_gw`
+               UPLINKDEV=`get_uplink_dev`
+               while [ $i -lt $CISCO_SPLIT_EXC ] ; do
+                       eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
+                       eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
+                       eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
+                       set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" 
"$UPLINKDEV" "$UPLINKGW"
+                       i=`expr $i + 1`
+               done
+       fi
        if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
                i=0
                while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
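Review bot: The uplink lookup at the top of the new block (`UPLINKGW=\`get_uplink_gw\``, `UPLINKDEV=\`get_uplink_dev\``) runs after set_default_route has already pointed the default route into the tunnel; if those helpers derive the uplink from the current default route, which their names suggest but the hunk does not show, they return the tunnel device and every exclude route is added into the VPN instead of around it. Resolve the uplink once before the default-route handling (the start of that if/elif chain lies outside the hunk, as does the rest of do_connect) and reuse the values here. Adding the exclude routes before the default route is switched would also close the short window in which excluded destinations are sent through the tunnel. Since the exclude list is pushed by the server, a compromised gateway can pull arbitrary prefixes out of the tunnel; that is inherent to the feature, but worth a comment such as `# split-exclude prefixes are server-supplied and not validated here`.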
@@ -838,6 +850,18 @@ do_connect() {
        elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
                set_ipv6_default_route
        fi
+       if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then
+               # untested
+               i=0
+               UPLINKGW=`get_uplink_gw`
+               UPLINKDEV=`get_uplink_dev`
+               while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do
+                       eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}"
+                       eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}"
+                       set_ipv6_network_route "$NETWORK" "$NETMASKLEN" 
"$UPLINKDEV" "$UPLINKGW"
+                       i=`expr $i + 1`
+               done
+       fi
 
        if [ -n "$INTERNAL_IP4_DNS" ]; then
                $MODIFYRESOLVCONF
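Review bot: The IPv6 block reuses `get_uplink_gw` and `get_uplink_dev`, the same helpers the IPv4 path uses; unless they also return an IPv6 next hop, `set_ipv6_network_route` is handed an IPv4 gateway and the route add fails, leaving excluded IPv6 destinations inside the tunnel. The `# untested` marker should say what is unverified, e.g. `# TODO: untested; get_uplink_gw/get_uplink_dev are the IPv4 helpers, an IPv6 exclude route needs the uplink's IPv6 next hop`. As in the IPv4 block, the lookup also happens after set_ipv6_default_route, so a helper that reads the current default route would pick the tunnel rather than the uplink.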
@@ -866,6 +890,18 @@ do_disconnect() {
        else
                reset_default_route
        fi
+       if [ -n "$CISCO_SPLIT_EXC" ]; then
+               i=0
+               UPLINKGW=`get_uplink_gw`
+               UPLINKDEV=`get_uplink_dev`
+               while [ $i -lt $CISCO_SPLIT_EXC ] ; do
+                       eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
+                       eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
+                       eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
+                       del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" 
"$UPLINKDEV" "$UPLINKGW"
+                       i=`expr $i + 1`
+               done
+       fi
        if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
                i=0
                while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
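Review bot: The deletion matches each exclude route on a dev/gw pair re-resolved at disconnect time (`UPLINKGW=\`get_uplink_gw\``, `UPLINKDEV=\`get_uplink_dev\``); if the uplink changed during the session, or the helper now returns something different after reset_default_route, `del_network_route` is asked to delete a route that does not exist in that form and the split-exclude routes outlive the VPN. A leftover exclude route keeps steering those prefixes around the next session's tunnel, so this is not just cosmetic. Deleting by prefix alone (`"$NETWORK"`/`"$NETMASKLEN"`) would be more robust; del_network_route is outside the hunk, so that may need a change there. The return status is not checked, consistent with the surrounding code, but a warning to stderr on failure would at least make the stale route visible.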
@@ -884,6 +920,18 @@ do_disconnect() {
        elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
                reset_ipv6_default_route
        fi
+       if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then
+               i=0
+               UPLINKGW=`get_uplink_gw`
+               UPLINKDEV=`get_uplink_dev`
+               while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do
+                       eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}"
+                       eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}"
+                       del_ipv6_network_route "$NETWORK" "$NETMASKLEN" 
"$UPLINKDEV" "$UPLINKGW"
+                       i=`expr $i + 1`
+               done
+       fi
+
 
        del_vpngateway_route
 
-- 
2.12.3

