<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
<p>I am trying to connect to a VPN server using PSK-XAuth on my router along with strongSwan 5.0.4. The server is a VPN server and I would like to route all my traffic except the local traffic.</p>
<pre>
conn vpn
	keyexchange=ikev1
	rightauth=psk
	leftauth=psk
	leftauth2=xauth
	xauth=server
	xauth_identity=some user name
	left=%defaultroute
	leftsubnet=192.168.1.0/24
	right=vpn server address ipv4
	auto=add
	type=tunnel
	installpolicy=yes
	rightsubnet=0.0.0.0/0
	#leftsourceip=%config   # I have disabled it since it didn't do me much good. I can get a virtual IP, but still the same problem.
	leftfirewall=yes

conn pass
	left=%defaultroute
	right=vpn server address ipv4
	leftsubnet=192.168.1.0/24
	rightsubnet=192.168.1.0/24
	type=passthrough
	authby=never
	auto=route
</pre>
<p>After starting ipsec, <code>ip xfrm policy</code> gives:</p>
<pre>
src 192.168.1.0/24 dst 192.168.1.0/24
	dir fwd priority 1859
src 192.168.1.0/24 dst 192.168.1.0/24
	dir in priority 1859
src 192.168.1.0/24 dst 192.168.1.0/24
	dir out priority 1859
</pre>
<p>Once I get my VPN up, I lose the connection to my router. If I get rid of <code>rightsubnet=0.0.0.0/0</code>, I can connect with the VPN, but with no Internet routing, of course. The priority of conn pass is 1859. The priority of conn vpn is 1827 (to look at this info, I had to disable <code>rightsubnet=0.0.0.0/0</code>). I am assuming a lower priority means conn pass should keep local traffic local.</p>
<p>After this, I cannot telnet back into the router, which I assume means that all my local traffic is being routed to the VPN. I verified this using the methods below.</p>
<p>I can see that when I try to ping the router, the lights blink indicating data being received on the LAN, and I also see lights blinking on the WAN, indicating it is routing my local traffic to the WAN.</p>
<p>To further verify that it is indeed a local traffic routing problem, I programmed the router button to bring the VPN down using <code>ipsec down vpn</code>. As soon as I disconnect the VPN connection by pressing the button, everything is back to normal, i.e. I can connect to the router using telnet.</p>
<p>So my question is: how can I fix the problem so that the local traffic is not routed to the VPN? Is there a problem in the bypass conn pass? I am not familiar enough with <code>ip xfrm</code> to say whether the bypass rule is installing the correct policy. Please advise.</p>
<p>Thanks</p>
<p>Ron</p>
</div></body>
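The post asks whether the passthrough conn is installing a policy that actually takes precedence. The script below is an added example for this thread; it is not code from the original post or from strongSwan. It applies the kernel's selection rule to `ip xfrm policy` output: of all entries whose direction and selectors match a flow, the one with the lowest numeric priority wins, and an entry carrying a `tmpl ... mode tunnel` line sends the packet into IPsec while one without is a bypass (what `type=passthrough` installs). The three 192.168.1.0/24 entries in the sample are the ones shown in the post; the 0.0.0.0/0 entries, their priority 3907, the router WAN address 198.51.100.2, the VPN server 203.0.113.10 and the host addresses 192.168.1.1, 192.168.1.20 and 192.0.2.1 are assumptions made up for the example.

```shell
#!/bin/bash
# Added example for this thread; not code from the original post or from
# strongSwan.  Decides which `ip xfrm policy` entry the kernel applies to a
# flow: among matching entries (same direction, src and dst inside the
# selectors) the lowest numeric priority wins.  An entry with a
# "tmpl ... mode tunnel" line puts the packet into IPsec; one without is a
# bypass, which is what type=passthrough installs.

# Constructed sample.  The three 192.168.1.0/24 -> 192.168.1.0/24 entries are
# the ones shown in the post.  The 0.0.0.0/0 entries are an ASSUMED shape of
# what a conn with leftsubnet=192.168.1.0/24 and rightsubnet=0.0.0.0/0 would
# install once up; their priority 3907, the router WAN address 198.51.100.2
# and the VPN server 203.0.113.10 are made up for the example.
XFRM_SAMPLE='src 192.168.1.0/24 dst 192.168.1.0/24
    dir fwd priority 1859
src 192.168.1.0/24 dst 192.168.1.0/24
    dir in priority 1859
src 192.168.1.0/24 dst 192.168.1.0/24
    dir out priority 1859
src 192.168.1.0/24 dst 0.0.0.0/0
    dir out priority 3907
    tmpl src 198.51.100.2 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.1.0/24
    dir fwd priority 3907
    tmpl src 203.0.113.10 dst 198.51.100.2
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.1.0/24
    dir in priority 3907
    tmpl src 203.0.113.10 dst 198.51.100.2
        proto esp reqid 1 mode tunnel'

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match ADDR NET/LEN: true when ADDR lies inside the selector.
cidr_match() {
    local addr net len mask
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    case $2 in */*) len=${2#*/} ;; *) len=32 ;; esac
    if [ "$len" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF )); fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Flatten `ip xfrm policy` output to one line per entry:
#   <src-sel> <dst-sel> <dir> <priority> <bypass|tunnel>
xfrm_flatten() {
    local k1 v1 k2 v2 rest s= d= pdir= prio= action=
    while read -r k1 v1 k2 v2 rest; do
        case $k1 in
            src)  [ -n "$s" ] && echo "$s $d $pdir $prio $action"
                  s=$v1 d=$v2 pdir= prio= action=bypass ;;
            dir)  pdir=$v1 prio=$v2 ;;        # "dir out priority 1859"
            tmpl) action=tunnel ;;            # template present: IPsec applies
        esac
    done <<EOF
$1
EOF
    [ -n "$s" ] && echo "$s $d $pdir $prio $action"
    return 0
}

# xfrm_winner FLAT SRC_IP DST_IP DIR: prints "<bypass|tunnel> <prio> <src>-><dst>"
# for the entry the kernel applies to the flow, or "none" if nothing matches
# (the kernel then forwards the packet in the clear).
xfrm_winner() {
    local s d pdir prio action best_prio=-1 best=none
    while read -r s d pdir prio action; do
        [ "$pdir" = "$4" ] || continue
        cidr_match "$2" "$s" && cidr_match "$3" "$d" || continue
        if [ "$best_prio" -lt 0 ] || [ "$prio" -lt "$best_prio" ]; then
            best_prio=$prio best="$action $prio $s->$d"
        fi
    done <<EOF
$1
EOF
    echo "$best"
}

# The flows from the post, evaluated on the router (192.168.1.1 assumed as
# its LAN address, 192.168.1.20 as the telnet client, 192.0.2.1 as an
# Internet host).  On a live box replace XFRM_SAMPLE with "$(ip xfrm policy)".
FLAT=$(xfrm_flatten "$XFRM_SAMPLE")
echo "telnet client -> router, in:  $(xfrm_winner "$FLAT" 192.168.1.20 192.168.1.1 in)"
echo "router -> telnet client, out: $(xfrm_winner "$FLAT" 192.168.1.1 192.168.1.20 out)"
echo "LAN host -> Internet, out:    $(xfrm_winner "$FLAT" 192.168.1.20 192.0.2.1 out)"
# Same check without the passthrough entries (as if conn pass were not
# installed): the router's own reply now falls into the tunnel.
NOPASS=$(printf '%s\n' "$FLAT" | grep -v bypass)
echo "router -> client, no bypass:  $(xfrm_winner "$NOPASS" 192.168.1.1 192.168.1.20 out)"
```

With the sample above the bypass entries (1859) win over the tunnel entries (3907) for both directions of the LAN-to-router flow, so on the policy side the passthrough conn does what the post expects. A bypass verdict only says the packet leaves in the clear, not through which interface: strongSwan keeps the routes it installs for a conn in its own routing table (220 by default, consulted through an `ip rule` entry ahead of the main table), so after `ipsec up vpn` the next things to inspect are `ip route show table 220` and `ip rule`, since a default route there with nothing more specific for 192.168.1.0/24 would still send the router's own replies out the WAN side.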
</html>