I tried it. Such inverted ts is really huge, and in the charon logs I can see the kernel is adding policies like crazy. The client can wait a long time to connect and eventually time out.
Looks like specifying the inverted ones directly won’t work. I can probably manually manipulate the routing table on the client to make it connect to these IPs directly, but that won’t work in a locked-down environment like iOS. I wonder if there is any other way?

> On Oct 27, 2019, at 9:01 PM, Glen Huang <[email protected]> wrote:
>
> Hi,
>
> I wonder if it is possible to directly specify that everything should be
> tunneled other than 1.0.0.0/8? If not, does manually listing all IPs except
> for 1.0.0.0/8 sound like the right approach?
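As an added worked example (not part of the thread above, and not strongSwan's own code), the following Python computes the minimal set of CIDR prefixes that covers all of IPv4 except one or more excluded blocks, using only the standard `ipaddress` module. It generalises the "everything except 1.0.0.0/8" case in the quoted question to any list of excluded networks, and formats the result as a comma-separated `remote_ts` value; the sample exclusions and the `remote_ts` line are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List


def exclude_many(universe: str, excluded: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the minimal, collapsed list of networks covering `universe`
    with every network in `excluded` carved out.

    Uses IPv4Network.address_exclude(), which splits a network into the
    smallest set of prefixes that does not contain the excluded block.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex_str in excluded:
        ex = ipaddress.ip_network(ex_str)
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):
                # Entire prefix is inside the excluded block (or equal): drop it.
                continue
            if ex.subnet_of(net):
                # Excluded block lies inside this prefix: split around it.
                nxt.extend(net.address_exclude(ex))
            else:
                # No overlap: keep as-is.
                nxt.append(net)
        remaining = nxt
    # collapse_addresses() merges adjacent prefixes that can be re-joined.
    return sorted(ipaddress.collapse_addresses(remaining))


def inverted_traffic_selectors(excluded: Iterable[str] = ("1.0.0.0/8",)) -> List[str]:
    """Prefixes that cover all of IPv4 except the given blocks, as strings."""
    return [str(n) for n in exclude_many("0.0.0.0/0", excluded)]


def covered_addresses(nets: Iterable[str]) -> int:
    """Total number of addresses in a list of prefixes (sanity check)."""
    return sum(ipaddress.ip_network(n).num_addresses for n in nets)


def remote_ts_line(nets: Iterable[str]) -> str:
    """Format a prefix list as a swanctl-style 'remote_ts = ...' line
    (comma-separated; constructed example, check your own config syntax)."""
    return "remote_ts = " + ",".join(nets)


if __name__ == "__main__":
    ts = inverted_traffic_selectors(["1.0.0.0/8"])
    print(len(ts), "prefixes cover IPv4 minus 1.0.0.0/8:")
    print(remote_ts_line(ts))
    # Excluding a second block that is already inside the first changes nothing.
    assert inverted_traffic_selectors(["1.0.0.0/8", "1.1.1.0/24"]) == ts
```

Running it shows that the complement of a single /8 is only eight prefixes (one per prefix length from /8 up to /1), and the `covered_addresses` helper lets you confirm that the result covers exactly 2^32 minus the excluded space before pasting it into a configuration.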
