
Changing metric for routes inserted by AnyConnect Secure Mobility Client

Temmokan
Level 1

OS: Ubuntu 18.04.1 (64-bit)
Client version: 3.1.14018

Setup: a connection is established; the remote uses a number of private subnets, including the whole 10.0.0.0/8 range.

Problem: we use a subset of 10.0.0.0/8 in our intranet (say, 10.10.10.0/24). With the default routing created after connection to VPN, our intranet hosts become unreachable.

Issue: the routes inserted by the AnyConnect client
- all have a metric of 0
- cannot be removed

I tried removing and re-inserting the route for 10.0.0.0/8 with a higher metric, in order to add a route for our subnet, to be able to access it.

However, the AnyConnect client doesn't allow removing its routes, and I see no obvious means to raise the metric for them.

Is it possible to either remove/insert the established AnyConnect routes, or somehow configure the AnyConnect client to use higher metric values?

2 Replies

I'm not sure how to handle it with AnyConnect. But you could also evaluate OpenConnect as an alternative: https://www.infradead.org/openconnect/

It uses the vpnc script for all routing and there you should be able to customise everything for your needs.

And AnyConnect 3.1 is EOL anyway ...

There's a given setup using the mentioned AnyConnect and I can't change that.

There's a solution posted on the Net, where a "hack" using the below call

int _ZN27CInterfaceRouteMonitorLinux20routeCallbackHandlerEv()

is utilized. AnyConnect prevents changes to the routing table; the above negates that and allows removing a routing entry, adding it back with a higher metric value, which allows inserting another entry with a lesser metric value.

However, it's still a hack. If there's no official workaround/configuration, I'll have to use the above.
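
An added illustration, not part of the thread: a small route-selection model for checking which interface traffic to an intranet host would leave by, given `ip -4 route show` output. It applies the Linux rule of longest matching prefix first, with the metric used only to break ties between routes for the same prefix. The routing tables, the `eth0` interface, the 192.168.1.0/24 LAN and the `cscotun0` tunnel name are constructed sample values; only 10.0.0.0/8 and 10.10.10.0/24 come from the thread.

```python
import ipaddress

# Constructed `ip -4 route show` output. A route printed without "metric" has metric 0.
WITH_INTRANET = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 dev cscotun0 scope link
10.10.10.0/24 via 192.168.1.1 dev eth0 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""
# Same table when the intranet /24 route is absent.
WITHOUT_INTRANET = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 dev cscotun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""
# Two routes for the same prefix: only in this case does the metric decide.
SAME_PREFIX = """\
10.0.0.0/8 dev cscotun0 scope link
10.0.0.0/8 via 192.168.1.1 dev eth0 metric 50
"""

def parse_routes(text):
    """Return (network, device, metric) for each unicast route line."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # lines starting with a route type (e.g. "unreachable") are skipped
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric))
    return routes

def egress(table_text, dst):
    """Device chosen for dst: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in parse_routes(table_text) if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

if __name__ == "__main__":
    for name, table in [("with /24", WITH_INTRANET), ("without /24", WITHOUT_INTRANET),
                        ("same prefix", SAME_PREFIX)]:
        print(f"{name}: 10.10.10.5 -> {egress(table, '10.10.10.5')}")
```

On a live host, `ip route get 10.10.10.5` reports the kernel's actual choice and can be compared against this model.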