
I am on Windows 10, using Bluetooth > Connect Using > Direct Connect to establish a connection from laptop A to laptop B. I can then access its files via Samba or connect via SSH and RDP.

But if I also connect the laptop A to a VPN (via Cisco AnyConnect SMC), I can no longer ping the remote IP via bluetooth, despite the connection still being established. I have just found out I can't even ping my own IP on the Bluetooth interface.

Ethernet adapter Bluetooth Network Connection:
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   IPv4 Address. . . . . . . . . . . : 169.254.120.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Pinging 169.254.120.2 with 32 bytes of data:
General failure.

Moreover, I have a record in the hosts file mapping the remote BT device to an alias:

169.254.120.1     hp hpbt hph   # Bluetooth PAN Direct connect
C:\Users\Qwerty>ping hp
Ping request could not find host hp. Please check the name and try again.

C:\Users\Qwerty>ping 169.254.120.1

Pinging 169.254.120.1 with 32 bytes of data:
PING: transmit failed. General failure.

What's the matter, and how can I continue using both the VPN and the BT connection to the machine?

Qwerty
  • Fairly certain this is due to forced tunneling of the AnyConnect client. – Greg Askew Jan 23 '20 at 14:19
  • One thing of note is that you are using link-local addressing, which is _required_ to be randomly chosen, _cannot_ be subnetted beyond the `/16` as you are doing, and _cannot_ be routed. That is all explained in _[RFC 3927, Dynamic Configuration of IPv4 Link-Local Addresses](https://tools.ietf.org/html/rfc3927)_. That is addressing that is reserved by the IPv4 protocol itself, and you can see that in the _[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)_. – Ron Maupin Jan 23 '20 at 14:22
  • @RonMaupin Can you point me to a specific section which mentions the requirement of _randomness_? From what I understood from 20 minutes of scanning, it sounds like it is only the recommended mechanism for when there are no other options and manually configuring static IP addresses would be way too inconvenient. OR did you mean that I should instead use a _Private-Use_ range? – Qwerty Jan 23 '20 at 17:40
  • "_**2.1. Link-Local Address Selection** When a host wishes to configure an IPv4 Link-Local address, it selects an address using a pseudo-random number generator with a uniform distribution in the range from 169.254.1.0 to 169.254.254.255 inclusive._" You can use any of the Private address ranges. For IPv4, Link-Local addressing is really just a failsafe so the a host can get an address. For IPv6, it is a requirement for every interface, and it is used for many things. – Ron Maupin Jan 23 '20 at 17:44
  • 1
    Cannot be routed: "_An IPv4 packet whose source and/or destination address is in the 169.254/16 prefix MUST NOT be sent to any router for forwarding, and any network device receiving such a packet MUST NOT forward it, regardless of the TTL in the IPv4 header._" – Ron Maupin Jan 23 '20 at 17:56
  • 1
    Cannot be subnetted: "_The non-forwarding rule means that hosts may assume that all 169.254/16 destination addresses are "on-link" and directly reachable. The 169.254/16 address prefix MUST NOT be subnetted._" – Ron Maupin Jan 23 '20 at 17:57

1 Answer


Aside from the fact that you are misusing IPv4 Link-Local addressing, your problem is that you want split-tunneling.

Cisco AnyConnect takes its orders from the firewall or router to which you are connecting. Many companies disallow split-tunneling because it is a security risk. When the firewall/router is configured to disallow split-tunneling, you lose the ability for local networking while you are connected to the tunnel. AnyConnect will enforce this by changing your host routing to prevent local network access, and it keeps looking for changes to the host and killing changes that would allow local network access.

This prevents security risks, such as your PC being compromised while it is connected to the company network. It also prevents you from connecting from home and going to work and using the tunnel to get access to the Internet around the firewall that has policies you may not like.

If you want split-tunneling, then you must convince your company network administrators to allow it, but that is unlikely.

Ron Maupin
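The following PowerShell diagnostic is an added example for the situation in the question and the answer above; it is not code from either poster. It assumes the values given in the question (the PAN adapter is named "Bluetooth Network Connection", the peer is 169.254.120.1) and the built-in NetTCPIP cmdlets of Windows 8/Server 2012 and later. It flags the RFC 3927 misuse the answer mentions (a /24 mask on 169.254/16), lists the routes the stack still holds on the PAN adapter, asks the stack which interface it would really use for the peer, and, with -ProbeEnforcement, re-adds the on-link route to show whether the VPN client reverts it. Run it on laptop A while the VPN is up; step 4 changes the routing table and needs an elevated prompt.

```powershell
# Added diagnostic, not from the original post. Assumptions (taken from the question):
# PAN adapter name, peer address. Requires the NetTCPIP module (Get-NetRoute, Find-NetRoute, ...).
param(
    [string]$PeerAddress = '169.254.120.1',
    [string]$PanAdapter  = 'Bluetooth Network Connection',
    [switch]$ProbeEnforcement   # step 4: re-add the local route and see whether the VPN client removes it
)

$adapter = Get-NetAdapter -Name $PanAdapter -ErrorAction Stop
$ipv4    = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction Stop |
           Select-Object -First 1
Write-Host ("PAN adapter '{0}' ifIndex={1} status={2} address={3}/{4}" -f
    $adapter.Name, $adapter.ifIndex, $adapter.Status, $ipv4.IPAddress, $ipv4.PrefixLength)

# 1. RFC 3927 sanity check: 169.254/16 must not be subnetted, and 169.254.0.x / 169.254.255.x
#    are reserved (hosts pick from 169.254.1.0 - 169.254.254.255).
$octets = $ipv4.IPAddress.Split('.')
if ($octets[0] -eq '169' -and $octets[1] -eq '254') {
    if ($ipv4.PrefixLength -ne 16) {
        Write-Warning "Link-local address configured with /$($ipv4.PrefixLength); RFC 3927 requires /16 (no subnetting)."
    }
    if ([int]$octets[2] -in @(0, 255)) {
        Write-Warning "169.254.$($octets[2]).x is reserved by RFC 3927; use 169.254.1.0 - 169.254.254.255."
    }
}

# 2. Routes the stack currently holds on the PAN interface. Under a forced-tunnel policy the
#    on-link route for the PAN prefix is usually gone or shadowed by the VPN client's routes.
Write-Host "`nIPv4 routes on the PAN interface:"
Get-NetRoute -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric |
    Format-Table DestinationPrefix, NextHop, RouteMetric, Protocol, Store -AutoSize

# 3. Which interface the stack would actually use for the peer. Find-NetRoute returns the
#    chosen source NetIPAddress plus the matching NetRoute; keep only the route object.
$chosen = Find-NetRoute -RemoteIPAddress $PeerAddress -ErrorAction SilentlyContinue |
          Where-Object { $_.DestinationPrefix }
if (-not $chosen) {
    Write-Host "No usable route for $PeerAddress at all; this is what ping reports as 'General failure'."
} elseif ($chosen.InterfaceIndex -eq $adapter.ifIndex) {
    Write-Host "OK: $PeerAddress is on-link via the PAN (route $($chosen.DestinationPrefix))."
} else {
    $via = (Get-NetAdapter -InterfaceIndex $chosen.InterfaceIndex -ErrorAction SilentlyContinue).Name
    $msg = "Forced tunnel: {0} would leave via '{1}' (route {2}). 169.254/16 must never be forwarded, so the packet is dropped locally." -f
           $PeerAddress, $via, $chosen.DestinationPrefix
    Write-Host $msg
}

# 4. Optional: show that the client polices the table rather than setting it once.
#    Re-add the on-link route for the PAN prefix and check whether it survives ten seconds.
if ($ProbeEnforcement) {
    # Derive the network prefix from address and prefix length with plain integer math.
    $b      = ([System.Net.IPAddress]$ipv4.IPAddress).GetAddressBytes()
    $ipNum  = ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
    $mask   = ([long]0xFFFFFFFF -shl (32 - $ipv4.PrefixLength)) -band 0xFFFFFFFF
    $netNum = $ipNum -band $mask
    $prefix = '{0}.{1}.{2}.{3}/{4}' -f (($netNum -shr 24) -band 255), (($netNum -shr 16) -band 255),
                                       (($netNum -shr 8) -band 255), ($netNum -band 255), $ipv4.PrefixLength

    Write-Host "`nRe-adding on-link route $prefix on ifIndex $($adapter.ifIndex) (needs elevation)..."
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $adapter.ifIndex -NextHop '0.0.0.0' `
                 -ErrorAction SilentlyContinue | Out-Null
    Start-Sleep -Seconds 10
    $still = Get-NetRoute -DestinationPrefix $prefix -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue
    if ($still) {
        Write-Host "Route survived: the VPN client is not policing local routes (split tunneling may already be permitted)."
    } else {
        Write-Host "Route was removed again: the client enforces a no-split-tunnel policy. That is decided on the VPN headend, not on this laptop."
    }
}
```

If step 3 reports the peer leaving through the VPN adapter, or step 4 shows the route being removed again, there is nothing left to fix on the laptop: the headend's group policy decides whether local LAN access is allowed, which is the point of the answer. Re-running the script after disconnecting the VPN should show the on-link route back and the peer reachable again, which confirms the client, not the Bluetooth stack, is the cause.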