I want to use VPN and LAN access simultaneously (using local printers, SMB shares, ...)
Theoretically the task should be easy:
All local IP targets (192.*) should go directly to eth0, the rest to the virtual device. As I get a static "global" IP from the VPN, there will be no ambiguity and the routing won't be complicated.
There have to be 2 DNS servers: the local one and the one provided via VPN.
When not connected to VPN I have 3 routes (dest, router, iface):
- 192.*, *, eth0
- link-local, *, eth0
- default, natrouter.local, eth0
When connected to VPN I have 5 routes:
- asa-1.vpn., (ipofnatrouter), eth0
- 141., *, cscotun0
- 192.*, *, eth0
- link-local, *, eth0
- default, 211.vpn., cscotun0
thus it should be possible to access the LAN, but when pinging a local IP (even as root) I get
ping: sendmsg: Operation not permitted
How can I make this work with (X)Ubuntu 10.10 and the Cisco Anyconnect VPN?
Note that, since Michał Šrajer gave a workaround, I'm now searching for the intended solution (using the config XML). Even when editing /opt/cisco/vpn/profile/AnyConnect-TargetVPN-Default.xml, it gets overridden with each established VPN connection. I played around with <LocalLanAccess> and <PPPExclusion> as mentioned in the documentation (PDF) without any mentionable success.
Overriding /etc/resolv.conf with an appropriate config for LAN and VPN makes vpnagentd consume all CPU. As the VPN client changes that file at start, it is necessary to modify it "live". As a workaround I use a modified /etc/hosts file.
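The question's reasoning rests on the kernel picking the 192.* route for LAN targets even though the default route points at cscotun0. The following is an added example (not part of the question, and not Cisco AnyConnect code) that reproduces that decision with a longest-prefix-match lookup over a constructed copy of the five-route table. The post only gives "192.*", "141." and "link-local", so the concrete prefixes 192.168.0.0/16, 141.0.0.0/8 and 169.254.0.0/16, and every gateway address, are assumptions made for the example.

```python
"""Longest-prefix-match over a routing table like the one in the question.

Added example, not from the question or from Cisco AnyConnect. The
prefixes below are constructed: the post only says "192.*", "141." and
"link-local", so 192.168.0.0/16, 141.0.0.0/8 and 169.254.0.0/16 are
assumptions, as are the gateway addresses.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network   # destination prefix
    gateway: Optional[str]        # None for an on-link route ("*" in the post)
    iface: str                    # outgoing interface


# Constructed table mirroring the five routes listed while the VPN is up.
# The host addresses are placeholders, not the asker's real addresses.
VPN_UP_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("198.51.100.10/32"), "192.168.1.1", "eth0"),  # asa-1.vpn. via the NAT router
    Route(ipaddress.ip_network("141.0.0.0/8"), None, "cscotun0"),            # "141., *, cscotun0"
    Route(ipaddress.ip_network("192.168.0.0/16"), None, "eth0"),             # "192.*, *, eth0"
    Route(ipaddress.ip_network("169.254.0.0/16"), None, "eth0"),             # link-local
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1", "cscotun0"),        # default via the VPN gateway
]


def select_route(dst: str, table: List[Route]) -> Route:
    """Pick the most specific matching route (longest prefix wins), as the kernel does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.dest]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.dest.prefixlen)


def egress_interface(dst: str, table: List[Route] = VPN_UP_ROUTES) -> str:
    """Interface a packet to dst would leave on, given the table."""
    return select_route(dst, table).iface


def explain(dst: str, table: List[Route] = VPN_UP_ROUTES) -> str:
    """Human-readable version of the lookup, in the style of 'ip route get'."""
    r = select_route(dst, table)
    via = f"via {r.gateway}" if r.gateway else "on-link"
    return f"{dst} -> {r.dest} {via} dev {r.iface}"


if __name__ == "__main__":
    # A LAN host, a VPN-side host, an Internet host and the concentrator itself.
    for target in ("192.168.1.20", "141.10.0.5", "93.184.216.34", "198.51.100.10"):
        print(explain(target))
```

With this table a LAN address resolves to eth0 and only 141.* and Internet targets resolve to cscotun0, which is exactly what the question expects. Routing therefore is not what produces the error: on Linux, sendmsg failing with EPERM for a locally generated packet is the result a netfilter OUTPUT-chain DROP returns, so comparing the firewall rule set (iptables-save) with the tunnel down and up is the next thing to check.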