diff -Nru openconnect-8.20/debian/changelog openconnect-8.20/debian/changelog
--- openconnect-8.20/debian/changelog 2022-02-21 00:42:45.000000000 +0000
+++ openconnect-8.20/debian/changelog 2022-06-09 08:05:46.000000000 +0000
@@ -1,3 +1,10 @@
+openconnect (8.20-1ubuntu1) jammy; urgency=medium
+
+ * Cherry-pick revert from upstream for a patch that broke compatibility
+ with network-manager-openconnect (lp: #1969734)
+
+ -- Ernst Sjöstrand Thu, 09 Jun 2022 10:05:46 +0200
+
 openconnect (8.20-1) unstable; urgency=medium
 
 [ Debian Janitor ]
diff -Nru openconnect-8.20/debian/patches/0001-Revert-GP-Fix-the-issue-of-a-0.0.0.0-0-split-include.patch openconnect-8.20/debian/patches/0001-Revert-GP-Fix-the-issue-of-a-0.0.0.0-0-split-include.patch
--- openconnect-8.20/debian/patches/0001-Revert-GP-Fix-the-issue-of-a-0.0.0.0-0-split-include.patch 1970-01-01 00:00:00.000000000 +0000
+++ openconnect-8.20/debian/patches/0001-Revert-GP-Fix-the-issue-of-a-0.0.0.0-0-split-include.patch 2022-06-09 08:05:06.000000000 +0000
@@ -0,0 +1,112 @@
+From 08a1b8be6f95a381d3613895550492903cb4ef95 Mon Sep 17 00:00:00 2001
+From: David Woodhouse
+Date: Mon, 25 Apr 2022 10:25:20 +0100
+Subject: [PATCH] Revert "GP: Fix the issue of a 0.0.0.0/0 "split"-include
+ route by swapping the "split" route with the default netmask."
+
+This reverts commit 99ae55aec1408a2905df72394dab99cb6fb41aed, which causes
+regressions with existing NetworkManager-openconnect releases.
+
+We can do it in NetworkManager-openconnect with
+https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/36
+
+Signed-off-by: David Woodhouse
+---
+ gpst.c | 54 +++++-------------------------------------------------
+ 1 file changed, 5 insertions(+), 49 deletions(-)
+
+diff --git a/gpst.c b/gpst.c
+index 25ba370f..bf6bb8fb 100644
+--- a/gpst.c
++++ b/gpst.c
+@@ -342,11 +342,9 @@ out:
+ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_node, void *cb_data)
+ {
+ xmlNode *member;
+- char *s = NULL, *deferred_netmask = NULL;
+- struct oc_split_include *inc;
+- int split_route_is_default_route = 0;
+ int n_dns = 0, esp_keys = 0, esp_v4 = 0, esp_v6 = 0;
+ int ret = 0;
++ char *s = NULL;
+ int ii;
+
+ uint32_t esp_magic = 0;
+@@ -370,11 +368,8 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
+ else if (!xmlnode_get_val(xml_node, "ip-address-v6", &s)) {
+ if (!vpninfo->disable_ipv6)
+ new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
+- } else if (!xmlnode_get_val(xml_node, "netmask", &deferred_netmask)) {
+- /* XX: GlobalProtect servers always (almost always?) send 255.255.255.255 as their netmask
+- * (a /32 host route), and if they want to include an actual default route (0.0.0.0/0)
+- * they instead put it under . We defer saving the netmask until later.
+- */
++ } else if (!xmlnode_get_val(xml_node, "netmask", &s)) {
++ new_ip_info.netmask = add_option_steal(&new_opts, "netmask", &s);
+ } else if (!xmlnode_get_val(xml_node, "mtu", &s))
+ new_ip_info.mtu = atoi(s);
+ else if (!xmlnode_get_val(xml_node, "lifetime", &s))
+@@ -455,22 +450,12 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
+ xmlnode_is_named(xml_node, "access-routes") || xmlnode_is_named(xml_node, "exclude-access-routes")) {
+ for (member = xml_node->children; member; member=member->next) {
+ if (!xmlnode_get_val(member, "member", &s)) {
+- int is_inc = (xml_node->name[0] == 'a');
+-
+- /* XX: if this is a default Legacy IP route jammed into the split-include
+- * routes, just mark it for now.
+- */
+- if (is_inc && !strcmp(s, "0.0.0.0/0")) {
+- split_route_is_default_route = 1;
+- continue;
+- }
+-
+- inc = malloc(sizeof(*inc));
++ struct oc_split_include *inc = malloc(sizeof(*inc));
+ if (!inc) {
+ ret = -ENOMEM;
+ goto err;
+ }
+- if (is_inc) {
++ if (xmlnode_is_named(xml_node, "access-routes")) {
+ inc->route = add_option_steal(&new_opts, "split-include", &s);
+ inc->next = new_ip_info.split_includes;
+ new_ip_info.split_includes = inc;
+@@ -530,35 +515,6 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
+ }
+ }
+
+- /* Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask.
*/
+- if (split_route_is_default_route) {
+- char *original_netmask = deferred_netmask;
+-
+- if ((deferred_netmask = strdup("0.0.0.0")) == NULL)
+- return -ENOMEM;
+-
+- /* If the original netmask wasn't /32, add it as a split route */
+- if (new_ip_info.addr && original_netmask) {
+- uint32_t nm_bits = inet_addr(original_netmask);
+- if (nm_bits != 0xffffffff) { /* 255.255.255.255 */
+- struct in_addr net_addr;
+- inet_aton(new_ip_info.addr, &net_addr);
+- net_addr.s_addr &= nm_bits; /* clear host bits */
+-
+- char abuf[INET_ADDRSTRLEN];
+- if ((inc = malloc(sizeof(*inc))) == NULL ||
+- asprintf(&s, "%s/%s", inet_ntop(AF_INET, &net_addr, abuf, sizeof(abuf)), original_netmask) <= 0)
+- return -ENOMEM;
+- inc->route = add_option_steal(&new_opts, "split-include", &s);
+- inc->next = new_ip_info.split_includes;
+- new_ip_info.split_includes = inc;
+- }
+- }
+- free(original_netmask);
+- }
+- if (deferred_netmask)
+- new_ip_info.netmask = add_option_steal(&new_opts, "netmask", &deferred_netmask);
+-
+ /* Set 10-second DPD/keepalive (same as Windows client) unless
+ * overridden with --force-dpd */
+ if (!vpninfo->ssl_times.dpd)
+--
+2.36.1
+
diff -Nru openconnect-8.20/debian/patches/series openconnect-8.20/debian/patches/series
--- openconnect-8.20/debian/patches/series 2022-02-20 23:00:08.000000000 +0000
+++ openconnect-8.20/debian/patches/series 2022-06-09 08:02:36.000000000 +0000
@@ -1 +1,2 @@
 0001-support-AnyConnect-single-sign-on-v2.patch
+0001-Revert-GP-Fix-the-issue-of-a-0.0.0.0-0-split-include.patch
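Review bot: After this revert, the `access-routes` branch of gpst_parse_config_xml stores every `member` as a split-include, so a gateway-sent `0.0.0.0/0` is no longer turned into a default netmask and the server's `netmask` value is saved exactly as received. Whether a full-tunnel configuration then routes all traffic through the VPN presumably depends on how the routing script or NetworkManager-openconnect handles that entry. The commit message defers this to merge request 36, and neither the patch header nor the changelog entry says whether the packaged plugin carries it. I would record that dependency in the patch header and add a comment above `inc->route = add_option_steal(&new_opts, "split-include", &s);`, for example `/* 0.0.0.0/0 is passed through unchanged; the consumer must treat it as the default route */`. The function body starts and ends outside the quoted hunks, so any later handling of these routes is not visible here.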