05-20-2013 02:42 AM
Sure. It's not that exciting:
# Z10 VPN client doesn't work with split-tunnel
05-20-2013 02:46 AM
The VPN status page shows exactly what you'd expect:
Profile Name: x
Network Interface: tiw_sta0
Server Address: x
Private IPs: 10.0.3.4/0.0.0.0
Primary DNS: 22.214.171.124
IKE Lifetime: 86400
IPSec Lifetime: 10800
Private Server Address: 10.0.3.4
Private Network Interface: ipsec0
05-20-2013 08:51 AM
Have you run a packet trace on the other end (e.g. tcpdump or similar) and verified that the packets intended for the "remote end" are NOT coming through?
I'll play with this in the coming week and see what I come up with.
05-20-2013 04:02 PM
Yes: I've done tcpdump on the vpn endpoint and have verified the packets are not coming in.
At home I don't have a box on my router I can tcpdump from so I can't see them leaving.
05-25-2013 04:22 PM - edited 05-25-2013 04:28 PM
Edit: Did some more work on this.
Ok, this is what it looks like.
If you route anything down the tunnel anything else that does not match the tunneled routes gets black-holed. That is, the phone's implementation will not allow you to route 10.0.0.0/8 down the tunnel but everything else down the default, non-tunneled route.
05-26-2013 10:03 AM
That doesn't sound very useful. Thanks for taking a look, though.
While you have a good testrig, could you check what happens if you try to make the VPN do IPv6-only?
If I could leave the IPv4 on the internet I could probably manage to proxy the IPv6 on my office network just by tunneling 4in6.
05-26-2013 12:52 PM - edited 05-26-2013 12:55 PM
I do not have an IPv6 setup running here at present; if I get some time to set it up I can do that, but as it stands right now my internal stuff is all still IPv4.
I suspect what's going on here is that the routing table for the VPN, when active, supersedes the base routing table instead of being merged with it. As a consequence if there is no default route offered in the VPN setup you're screwed. The bad news is that since the VPN table supersedes the underlying one there's no way to reasonably fix it either.
I can think of a few reasons why the phone would be programmed this way, with many of them having to do with carrier-required things to work as a phone (e.g. MMS messages which otherwise could not be sent or received when the VPN was active.)