Split routing? That's where you tell the VPN software to only route these addresses but leave the other ones alone. The short version is, you put a script into /etc/vpnc/—let's call it /etc/vpnc/foo-vpnc-script—that includes these lines:
```sh
#!/bin/sh
# this effectively disables changes to /etc/resolv.conf
# DON'T DO THAT
export INTERNAL_IP4_DNS=
CISCO_SPLIT_INC=2
CISCO_SPLIT_INC_0_ADDR=10.0.0.0
CISCO_SPLIT_INC_0_MASK=255.0.0.0
CISCO_SPLIT_INC_0_MASKLEN=8
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0
CISCO_SPLIT_INC_1_ADDR=172.16.0.0
CISCO_SPLIT_INC_1_MASK=255.240.0.0
CISCO_SPLIT_INC_1_MASKLEN=12
CISCO_SPLIT_INC_1_PROTOCOL=0
CISCO_SPLIT_INC_1_SPORT=0
CISCO_SPLIT_INC_1_DPORT=0
. /etc/vpnc/vpnc-script
```

That's right: /etc/vpnc/vpnc-script looks at those variables and runs route(8) with the appropriate parameters. Alert readers will note that of the RFC 1918 addresses, I left out the 192.168.0.0/16 range. That's my home network, which I don't want routed.
The other thing is, you need a configuration file in /etc/vpnc/; let's call it "foo.conf", which you'd fill in something like this:
```
IPSec gateway <gateway name/addr>
IPSec ID <secret info>
IPSec secret <more secret info>
Xauth username <your userID>
Script /etc/vpnc/foo-vpnc-script
```

Then you can say something like `$ sudo vpnc foo.conf`; when you're done, your routing table ought to look something like this:
```
collin@p3:~> netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         <unchanged>     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.0.0      0.0.0.0         255.240.0.0     U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
<your-vpn-gw>   <unchanged>     255.255.255.255 UGH       0 0          0 eth0
collin@p3:~>
```

Much nicer than all the complexity of my earlier post.
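Two things worth automating here: producing the CISCO_SPLIT_INC_* block from a list of prefixes (so the MASK and MASKLEN values can't disagree), and confirming afterwards that the tunnel really only captures the ranges you listed, with the home LAN and the default route still on eth0. The script below is an added example, not part of the original post or of vpnc; the `netstat -rn` text it parses is a constructed copy of the table above, with 192.168.1.1 standing in for `<unchanged>` and 203.0.113.10 standing in for `<your-vpn-gw>`.

```python
"""Added example (not from the original post or vpnc): build vpnc split-include
variables from CIDR prefixes and check which interface a destination takes
according to a `netstat -rn` table, to confirm the split tunnel is as intended."""
import ipaddress


def split_include_env(cidrs):
    """Return the CISCO_SPLIT_INC_* assignments vpnc-script reads, one per line,
    for a list of CIDR prefixes such as ["10.0.0.0/8", "172.16.0.0/12"]."""
    lines = [f"CISCO_SPLIT_INC={len(cidrs)}"]
    for i, cidr in enumerate(cidrs):
        net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        lines += [
            f"CISCO_SPLIT_INC_{i}_ADDR={net.network_address}",
            f"CISCO_SPLIT_INC_{i}_MASK={net.netmask}",
            f"CISCO_SPLIT_INC_{i}_MASKLEN={net.prefixlen}",
            f"CISCO_SPLIT_INC_{i}_PROTOCOL=0",
            f"CISCO_SPLIT_INC_{i}_SPORT=0",
            f"CISCO_SPLIT_INC_{i}_DPORT=0",
        ]
    return lines


def parse_routes(netstat_output):
    """Parse `netstat -rn` output into (network, gateway, iface) tuples.
    Header lines and rows with non-numeric destinations are skipped."""
    routes = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # the column-header line
        routes.append((net, gw, iface))
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match: the interface the kernel would send dst out of."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[2] if best else None


def tunnel_leaks(routes, tunnel_iface, probes):
    """Return the probe addresses that would go through the tunnel.
    For a correct split-tunnel setup this should be empty for the home LAN
    and for ordinary Internet destinations."""
    return [p for p in probes if route_lookup(routes, p) == tunnel_iface]


# Constructed sample, mirroring the post's table with concrete gateway values.
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.0.0      0.0.0.0         255.240.0.0     U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
203.0.113.10    192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
"""

if __name__ == "__main__":
    print("\n".join(split_include_env(["10.0.0.0/8", "172.16.0.0/12"])))
    routes = parse_routes(SAMPLE_NETSTAT)
    for dst in ("10.1.2.3", "172.31.255.1", "172.32.0.1", "192.168.1.5", "203.0.113.10"):
        print(dst, "->", route_lookup(routes, dst))
    print("leaks:", tunnel_leaks(routes, "tun0", ["192.168.1.5", "8.8.8.8"]))
```

Run it after `vpnc` is up with the real output of `netstat -rn` (or `ip route` reformatted the same way) piped in, and probe an address on your home LAN plus one public address: if either comes back as tun0, the split-include list or the home-LAN exclusion is wrong.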