When using PulseSecure to connect to a VPN on Linux, an unnecessary network route is being created. This route breaks host<->guest communication for KVM/Libvirt virtual machines.
Relevant route before connecting with PulseSecure (route -n command output):
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
After connecting, host<->guest traffic is routed via the tun0 interface, bypassing virbr0:
192.168.122.0 10.24.1.49 255.255.255.0 UG 1 0 0 tun0
192.168.122.0 0.0.0.0 255.255.255.0 U 10 0 0 virbr0
As a workaround, virbr0 priority can be elevated above tun0:
ifmetric virbr0 1
The result will be:
192.168.122.0 0.0.0.0 255.255.255.0 U 1 0 0 virbr0
192.168.122.0 10.24.1.49 255.255.255.0 UG 1 0 0 tun0
Removing the incorrect route does not work because PulseSecure is immediately adding it back:
route del -net 192.168.122.0 gw 10.24.1.49 netmask 255.255.255.0 dev tun0
Use "Endpoint routes" as a route precedence instead of Tunnel Routes. You can find this configuration under users >> user roles >> role >> VPN tunneling >> route precedence.
There are no such options in the Pulse Secure 9.1R5(151) client I'm using - only "File" and "About" menus are available.
Route precedence needs to be changed on the VPN server side, not on the client side.
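An added example, not part of the original posts: a Python check that parses `route -n` output and reports directly connected networks that a lower-metric gateway route overrides, as in the tun0/virbr0 listing in the question. The function names are hypothetical, the sample tables are constructed from the rows quoted in the question, and treating equal metrics as not overridden is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the three `route -n` states quoted in the question.
BEFORE = "192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0"
AFTER_CONNECT = """\
192.168.122.0 10.24.1.49 255.255.255.0 UG 1 0 0 tun0
192.168.122.0 0.0.0.0 255.255.255.0 U 10 0 0 virbr0"""
AFTER_IFMETRIC = """\
192.168.122.0 0.0.0.0 255.255.255.0 U 1 0 0 virbr0
192.168.122.0 10.24.1.49 255.255.255.0 UG 1 0 0 tun0"""

def parse_routes(text):
    """Parse rows: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # e.g. the "Kernel IP routing table" banner
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
            metric = int(f[4])
        except ValueError:
            continue  # the column header row
        routes.append({"net": net, "gw": f[1], "flags": f[3],
                       "metric": metric, "iface": f[7]})
    return routes

def shadowed_local_routes(text):
    """Return (network, local_iface, via_iface, gateway) for each network whose
    directly connected route loses to a gateway (G flag) route with a strictly
    lower metric. Only identical prefixes are compared (assumption); overlapping
    routes with a different prefix length are not examined."""
    by_net = defaultdict(list)
    for r in parse_routes(text):
        by_net[r["net"]].append(r)
    findings = []
    for net, group in by_net.items():
        direct = [r for r in group if "G" not in r["flags"]]
        via_gw = [r for r in group if "G" in r["flags"]]
        for d in direct:
            for g in via_gw:
                if g["metric"] < d["metric"]:
                    findings.append((str(net), d["iface"], g["iface"], g["gw"]))
    return findings

if __name__ == "__main__":
    for name, table in [("before", BEFORE), ("connected", AFTER_CONNECT),
                        ("ifmetric", AFTER_IFMETRIC)]:
        print(name, shadowed_local_routes(table))
```

On a live host the same function can be fed the text captured from `route -n` after the VPN connects.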