https://unix.stackexchange.com/questions/576983/op...

I believe this is because of added validation to ipconnect2 (which provides the ip utility) in version 5.x (Not sure which version specifically)

vpnc-script, which is used by openconnect, builds CIDR IPv4 addresses and sends them to the ip utility for routing. ip at version 4.x ignores the netmask length information, but ip at version 5.x regards it as invalid.

I used the downgrade AUR package to bring my ipconnect2 to version 4.20, which seems to work.

The script /etc/vpnc/vpnc-script uses the now unsupported ip get route $NETWORK/$NETMASKLEN syntax. I fixed that by changing the line 261 to

$IPROUTE route add `$IPROUTE route get "$NETWORK" | fix_ip_get_output | sed -e "s/^$NETWORK\$/$NETWORK\/$NETMASKLEN/"`