openconnect and general traffic

Hi,

I've installed openconnect and got it working. The last step was pointing it to the same script that vpnc uses. Once I did that, traffic then went through the VPN; however, I only want traffic for specific IP addresses to go through the VPN and all other traffic to go through my regular Internet connection.

Can someone tell me how to do this? I imagine it could be done with iptables but so far references to tun0 and so on that I have tried haven't worked. Having said that this is the first time I have ever tried using iptables so I'm sure it's just my lack of understanding that's the cause.

I'm attaching the vpnc script that makes it all go although anyone with Linux probably already has it.
vpnc-script
RegProctorAsked:
ahoffmannConnect With a Mentor Commented:
> ... want traffic for specific IP addresses ...
route add -host spe.ci.fic.ip gw ip.of.vpn.dev
route add -host other.spe.ci.fic.ip gw ip.of.vpn.dev
route add default gw you.default.gw.ip

# you need to adapt the commands and options to the route command of your distribution
0
 
ArneLoviusCommented:
What Distro are you running it on ?

Is Split Tunneling enabled on the ASA? Does split tunneling work if you use the Cisco client?

You shouldn't need to do anything with iptables.
0
 
RegProctorAuthor Commented:
The distro is OpenSuSE 11.4
0
 
ArneLoviusCommented:
I have just tested connecting to an ASA running 8.2.5 from an Ubuntu 12.04 client using OpenConnect 3.15 and Network Manager OpenConnect 0.9.4 from the Ubuntu Repos, and when I connect to the ASA, the configured split tunnel routes are correctly assigned.

I did not have to do anything with manual route statements or iptables

Is Split Tunneling enabled on the ASA ?
Does split tunneling work if you use the Cisco client ?

What version are you running ?
Have you tried the Cisco client for Linux ?
Did you install from source ? or from rpm ?

What version is the ASA running ?


Or, are you trying to bypass a security policy by trying to do split tunneling when it is not enabled ?
0
 
RegProctorAuthor Commented:
Is Split Tunneling enabled on the ASA ?
I don't know what an ASA is.

Does split tunneling work if you use the Cisco client ?
The Cisco client is problematic which is why I went to openconnect.

What version are you running ?
Of what? openconnect - I'm traveling right now and can't look that up but it will be one of the latest versions.

Have you tried the Cisco client for Linux ?
See above.

Did you install from source ? or from rpm ?
rpm

What version is the ASA running ?
I don't know what an ASA is. The other end however I have no control over since it's controlled by a university.
0
 
ArneLoviusCommented:
A Cisco ASA is a firewall/VPN concentrator that you are probably connecting to, however you could also be connecting to a Cisco Router.

If you are running 11.4 and installed from RPM, you are probably not running the latest version of OpenConnect, you can check the version with YAST

What problems did you have with the Cisco client?

Are you able to try the Cisco client on a Windows install ?

I would however guess that split tunneling is not enabled on the VPN profile that you are using. The VPN profile is configured on the Cisco ASA/Cisco router that you are connecting to.
0
 
RegProctorAuthor Commented:
If you are running 11.4 and installed...

I know it won't be the latest, however, I remember it to be new enough where I don't see versions being any sort of an issue.

What problems did you have with the Cisco client?

It's not relevant, it did checks that stopped it from starting, openconnect I can turn off the problem setting, Cisco I can't because of the way their IT set it up on the server end.

Are you able to try the Cisco client on a Windows install ?
Yes.

I would however guess that split tunneling is not enabled on the VPN profile that you are using. The VPN profile is configured on the Cisco ASA/Cisco router that you are connecting to.

Yes, but I can probably control what I need on my end with the route commands that ahoffmann showed. I'll test that when I get back from my travels.
0
 
RegProctorAuthor Commented:
Hi ahoffmann,

Here's what I eventually did. I took what you showed me for route and put it in vpnc_script. Basically I commented out the calls in it to set_default_route & reset_default_route and added below each call: set_routes_in_tunnel & reset_routes_in_tunnel.

Then it was just a matter of setting route commands in each and it worked like a charm.

One thing I am uncertain about is what's the difference between route and iptables. To me they both are just ways to set routes, so why have two? And does one have priority over the other if there is a conflict, or are they two ways of looking at the same thing?
0
 
ahoffmannConnect With a Mentor Commented:
iptables does the firewalling
route does the routing of (TCP/)IP packets on layer 2, nomen est omen

this means that if you look top-down (OUTPUT): iptables decides if a packet will be transmitted at all
and if you look bottom-up (INPUT): route decides to which device the packet gets routed and then iptables accepts or blocks the packet
0
 
RegProctorAuthor Commented:
For anyone who needs to tackle this here's what I eventually had to do:

Generate some modifying code for the route table & resolv.conf. However, the routing code won't work until connected, so after generating the .sh file that runs and makes the changes I call it as a background process, and its very first line is a few seconds' delay (using the sleep command) before the rest can execute. This allows the connection to complete before making the changes, and it's been working perfectly for days now.
0
 
RegProctorAuthor Commented:
One last question. To make it all work consistently I had to change the metric for tun0 from 1 to 2. My ifconfig won't do it (some do), so I tried with route but couldn't get the command right. I ended up downloading ifmetric and made the change with the following command:

opt/ifmetric tun0 2

It would be nice, however, to get the command right to do so with route. Can anyone show me how I would do that? Here are the two lines (the two ending with tun0) in my route table that would need to be changed (shown as already changed):

10.xxx.xxx.0      *             255.255.255.0   U     2      0        0 tun0
192.xxx.xxx.0    *              255.255.255.0   U     1      0        0 eth0
default         192.168.xxx.0   0.0.0.0         UG    0      0        0 eth0
default         *               0.0.0.0         U     2      0        0 tun0
0
 
ahoffmannCommented:
sorry, I'm not used to ifmetric
0
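Putting the thread's approach together as an added example (not the original vpnc-script and not code posted by anyone in the thread): a POSIX shell hook in the style of the set_routes_in_tunnel / reset_routes_in_tunnel functions RegProctor describes, using iproute2's ip route in place of the net-tools route commands ahoffmann gave, plus the ip route form of the tun0 metric change asked about in the last question. It assumes the reason and TUNDEV environment variables that openconnect and vpnc-script export to the script; SPLIT_HOSTS holds constructed sample addresses, and RUN=echo turns it into a dry run.

```shell
#!/bin/sh
# Split-routing hook for openconnect's vpnc-script (added example, not the
# stock script). openconnect/vpnc-script run the script with reason set to
# connect or disconnect and TUNDEV set to the tunnel device (e.g. tun0).
# Only the hosts in SPLIT_HOSTS are routed through the tunnel; the default
# route stays on the regular interface, as the thread wanted.

# Hosts to reach through the VPN (constructed sample values).
SPLIT_HOSTS="${SPLIT_HOSTS:-10.20.30.40 10.20.30.41}"
# Set RUN=echo to print the commands instead of executing them (dry run).
RUN="${RUN:-}"

# Add a /32 host route per address, bound to the tunnel device. "replace"
# makes the call idempotent if the hook is run twice on the same connection.
set_routes_in_tunnel() {
    dev="$1"
    for h in $SPLIT_HOSTS; do
        $RUN ip route replace "$h/32" dev "$dev"
    done
}

# Remove the same host routes again when the tunnel goes down.
reset_routes_in_tunnel() {
    dev="$1"
    for h in $SPLIT_HOSTS; do
        $RUN ip route del "$h/32" dev "$dev"
    done
}

# iproute2 equivalent of the ifmetric change in the last post: give the
# tunnel's default route a worse (higher) metric than the eth0 default so
# the physical interface keeps winning for everything not listed above.
# (net-tools form: route del default dev tun0; route add default dev tun0 metric 2)
set_tunnel_default_metric() {
    $RUN ip route replace default dev "$1" metric "$2"
}

# Dispatch on the reason vpnc-script passes in; other reasons are ignored.
split_tunnel_hook() {
    case "$1" in
        connect)    set_routes_in_tunnel "$2" ;;
        disconnect) reset_routes_in_tunnel "$2" ;;
        *)          return 0 ;;
    esac
}

# Only act when invoked by vpnc-script (TUNDEV set), so sourcing is harmless.
if [ -n "$TUNDEV" ]; then
    split_tunnel_hook "$reason" "$TUNDEV"
fi
```

Call it from vpnc-script where the post replaced set_default_route / reset_default_route, or point openconnect's --script at a copy of vpnc-script that sources it; the host routes only take effect once the tunnel device exists, which is why the post delays the script until the connection is up.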