Which version of the client is this? Versions later than R65 make it increasingly difficult to control the security policy, and the 7x series will block incoming traffic no matter what.
You can do this from the command line with
scc sp off
However, this requires the usersc.c file to be changed, so that it contains:
api_manual_slan_control=true
But this may not work, of course. My solution to this is to install the bastard thing into a VM and access it via the console.
Well, I'll give it a shot:
I'm not sure how to get only some traffic to go through. I can solve your problem, but it would take a little changing of your setup. I'm assuming your Mac has two network interfaces; let's call them eth0 and eth1 :-)
We'll assume that eth0 is connected to your work network and has an internal (work network) address of 13.1.1.6, subnet 255.0.0.0.
We'll also assume that eth1 is connected to your WiFi X and has an address (eth1 <---> WiFi X network) of 192.168.1.10, subnet 255.0.0.0, to keep things simple.
I've set up VPN servers on BSD and Linux, but not Mac; however, the concept will still be the same. You have options; I'll list one:
1) Ensure that the routing table on the Mac has an entry as follows:
$ sudo route add -net 13.0.0.0/8 -interface eth0
What this will do is make sure any traffic coming in over the WiFi X or VPN interface that is destined for your company's network (the 13 network) will make it there. Without this, the Mac (which provides the bridge) really has no way to know how to route traffic between the two interfaces, and by default it will try to send it out of whatever interface is the default, which is WiFi X, as you stated.
I would undo what you did to the VPN routing table above and try this if it's not (hopefully) already there.
If the above doesn't do it please update w/ your VPN Server's routing table and ip address list, or update w/ any fix you came across. Hope this points you in the right direction.
Best Answer
If your VPN gateway only advertises routes to specific networks, openconnect communicates this information to your vpnc-script by setting the CISCO_SPLIT_INC environment variables:
On Ubuntu, you can edit /etc/vpnc/vpnc-script and try overriding CISCO_SPLIT_INC to an empty string so that vpnc-script sets up tun0 as the system's default route:
The gateway has separate settings for its split tunnel includes and for routing. It is possible that the gateway's routing rules were only set up to allow traffic destined for the networks listed in the split tunnel setting, even if you add other routes (or a default route) on the client side. You'll have to try it and see.
On OpenConnect for Android, there is a per-VPN profile option to override the split tunnel setting. Set Split Tunnel Mode to "On - DNS uses VPN" and set Split Tunnel Networks to "0.0.0.0/0". This is equivalent to the vpnc-script change on Ubuntu.
If none of this works using your company's existing AnyConnect gateway, you might consider setting up a cheap VPS and running your own private ocserv installation.
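As an added example (not part of the accepted answer above), here is a way to get the same effect on Ubuntu without editing the packaged /etc/vpnc/vpnc-script: a small wrapper that strips the CISCO_SPLIT_INC variables from the environment and then execs the real vpnc-script, which then falls through to installing tun0 as the default route. The wrapper path /usr/local/sbin/vpnc-script-fulltunnel and the REAL_VPNC_SCRIPT variable are my own choices, not anything openconnect defines; `openconnect --script` and the CISCO_SPLIT_INC* variable names are real. The caveat in the answer still applies: if the gateway only forwards traffic for its split-tunnel networks, a client-side default route will not get other traffic through.

```shell
#!/bin/sh
# Added example: wrapper around the stock vpnc-script that discards the
# gateway's split-tunnel include list before vpnc-script runs, so vpnc-script
# installs the tun device as the system default route instead of per-network
# routes. Run with: sudo openconnect --script /usr/local/sbin/vpnc-script-fulltunnel vpn.example.com
# (the wrapper path is an assumption; vpn.example.com is a placeholder).

# Location of the real vpnc-script (Debian/Ubuntu default; override via env).
REAL_VPNC_SCRIPT="${REAL_VPNC_SCRIPT:-/etc/vpnc/vpnc-script}"

# Unset CISCO_SPLIT_INC and every CISCO_SPLIT_INC_<n>_{ADDR,MASK,MASKLEN}
# variable openconnect exported, plus the CISCO_IPV6_SPLIT_INC* equivalents.
# Only names matching the prefix are touched; everything else is passed through.
strip_split_includes() {
    for var in $(env | sed -n 's/^\(CISCO_\(IPV6_\)\{0,1\}SPLIT_INC[A-Z0-9_]*\)=.*$/\1/p'); do
        unset "$var"
    done
}

# Report which routing mode vpnc-script will choose from the current
# environment: "split" when an include list is present, "default" otherwise.
routing_mode() {
    if [ -n "${CISCO_SPLIT_INC:-}" ] || [ -n "${CISCO_IPV6_SPLIT_INC:-}" ]; then
        echo split
    else
        echo default
    fi
}

# openconnect always sets $reason (pre-init, connect, disconnect, ...) when it
# invokes the script. When it is absent we are only being sourced or tested,
# so do nothing rather than exec the real script.
if [ -n "${reason:-}" ]; then
    strip_split_includes
    exec "$REAL_VPNC_SCRIPT" "$@"
fi
```

Keeping the wrapper separate from the packaged script means an apt upgrade of vpnc-scripts cannot silently revert the change, and `routing_mode` gives a quick way to confirm what the gateway pushed before deciding whether to override it.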