Auto-created routes to NS

Since version 9.02, openconnect exports split-include routes for 0.0.0.0/0 to the environment (CISCO_SPLIT_INC). That was introduced in commit openconnect@faa406be.

If CISCO_SPLIT_INC is set, vpnc-script automatically creates routes to the NS; see vpnc-script line 647 and vpnc-script line 1028.

  • Does it really make sense, when a default route (0.0.0.0/0.0.0.0) is already announced, that explicit routes to the NS are added?

  • The following question arose for me: how can an NS be used that is not located inside a network behind the tunnel?

Assumption:

NS announced by the VPN: 123.123.123.123 (assumption: the NS network should not be reached over the tunnel)
split-include (0.0.0.0/0.0.0.0)

The routing table looks like this afterwards:

default via TUN          
123.123.123.123 via TUN  [That's the automatically created route to the NS...]

Is there any way to deal with such scenarios?

Not quite sure if it makes sense to address that at the openconnect level. But the exporting of the split-include looks quite fine to me.
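To make the scenario above concrete, here is an added example (it is not code from openconnect or from vpnc-script) showing the check a wrapper script could make before adding a host route to a nameserver: it reads the variables openconnect exports (CISCO_SPLIT_INC as the count, CISCO_SPLIT_INC_<i>_ADDR and CISCO_SPLIT_INC_<i>_MASKLEN for each include route, INTERNAL_IP4_DNS for the nameservers, TUNDEV for the tunnel device) and skips the /32 route whenever an include route, such as 0.0.0.0/0, already covers the NS. The route command is only printed, not executed, and the scenario values (NS 123.123.123.123, include route 0.0.0.0/0) are the constructed ones from this issue. The function names are this example's own, not anything defined by vpnc-script.

```shell
#!/bin/sh
# Added example, not part of openconnect or vpnc-script.
# Decide whether an explicit host route to a VPN-announced nameserver is
# redundant because an include route (CISCO_SPLIT_INC_*) already covers it.

# ip4_to_int 1.2.3.4 -> 16909060 (dotted quad to 32-bit integer)
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP NET MASKLEN -> exit 0 when IP lies inside NET/MASKLEN
in_prefix() {
    ip=$(ip4_to_int "$1"); net=$(ip4_to_int "$2"); len=$3
    # A /0 (the default route announced by the VPN) matches every address;
    # handled separately because shifting by 32 is undefined in sh arithmetic.
    if [ "$len" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# covering_include_route DNS -> prints the first include route (ADDR/MASKLEN)
# that covers DNS and exits 0; exits 1 when no include route covers it.
covering_include_route() {
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval addr=\$CISCO_SPLIT_INC_${i}_ADDR
        eval len=\$CISCO_SPLIT_INC_${i}_MASKLEN
        if in_prefix "$1" "$addr" "$len"; then
            echo "$addr/$len"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# plan_dns_routes -> one line per nameserver in INTERNAL_IP4_DNS: either the
# host route a wrapper would add, or a note that an include route covers it.
plan_dns_routes() {
    for ns in ${INTERNAL_IP4_DNS:-}; do
        if route=$(covering_include_route "$ns"); then
            echo "skip $ns (covered by include route $route)"
        else
            echo "ip route add $ns/32 dev ${TUNDEV:-tun0}"
        fi
    done
}

# Constructed scenario from this issue: NS 123.123.123.123 announced by the
# VPN together with a single include route 0.0.0.0/0.
CISCO_SPLIT_INC=1 CISCO_SPLIT_INC_0_ADDR=0.0.0.0 CISCO_SPLIT_INC_0_MASKLEN=0
INTERNAL_IP4_DNS=123.123.123.123 TUNDEV=tun0
plan_dns_routes
```

With the default route present, the script reports the host route as redundant rather than adding it; with a narrower include route (for example 10.0.0.0/8) it prints the `ip route add 123.123.123.123/32` command instead. Note that this check only removes the redundant route; it cannot tell whether the NS was meant to be reached outside the tunnel, which is exactly the open question in the issue.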