[strongSwan] routing all traffic through tunnel without local one
danielml+mailinglists.strongswan at sent.com
Mon Mar 8 10:02:48 CET 2010
Matthias Dahl wrote:
>> To tunnel all internet traffic, you'll need a 0.0.0.0/0 rightsubnet.
>> This however, includes your local network in the tunnel too.
> One could consider this a bug. Most people certainly never will want their
> local traffic routed outside of their local network. The more I think about
> it, this could even have security implications. The default should be to have
> the local LAN bypassed unless the user explicitly states otherwise.
One might also argue that the current behavior is more secure: Imagine a
road warrior being in a hotel room, connecting her laptop to the hotel's
LAN in order to get Internet access. She probably does not care about
other hosts on the local subnet. She just wants to have access to the
corporate network via IPsec.
Now, imagine that the hotel's LAN uses the same IP address space as some
resource on the corporate network. The traffic would then be sent to the
incorrect machine on the local subnet of the hotel that happens to have
the same IP address, instead of the machine on the corporate network.
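The overlap scenario above, as an added worked example (not code from the thread or from strongSwan): a small longest-prefix policy lookup that contrasts a plain 0.0.0.0/0 tunnel selector with one that bypasses the local LAN, and lists which corporate addresses the bypass would misdirect. The hotel LAN prefix and corporate host addresses are constructed values.

```python
# Added example: simulate IPsec policy selection for a road warrior whose
# hotel LAN shares address space with a corporate resource.
from ipaddress import ip_address, ip_network


def lookup(dst, policies):
    """Longest-prefix match of dst against (network, action) policies.

    This mirrors how a more specific bypass policy for the local LAN wins
    over the catch-all 0.0.0.0/0 tunnel selector."""
    dst = ip_address(dst)
    matches = [(net.prefixlen, action) for net, action in policies if dst in net]
    if not matches:
        raise ValueError(f"no policy covers {dst}")
    return max(matches)[1]


def tunnel_all():
    """rightsubnet=0.0.0.0/0: everything, LAN included, goes into the tunnel."""
    return [(ip_network("0.0.0.0/0"), "tunnel")]


def tunnel_all_bypass_lan(lan):
    """Same, plus a bypass so the local LAN is reached directly."""
    return tunnel_all() + [(ip_network(lan), "local")]


def misdirected(corp_hosts, lan, policies):
    """Corporate addresses that the given policies would deliver to the hotel
    LAN instead of the corporate network (the 'wrong machine' case)."""
    lan = ip_network(lan)
    return [h for h in corp_hosts
            if ip_address(h) in lan and lookup(h, policies) == "local"]


if __name__ == "__main__":
    hotel_lan = "192.168.1.0/24"                    # constructed hotel LAN
    corp = ["192.168.1.10", "10.0.0.5"]             # constructed corporate hosts
    for name, pol in (("tunnel all", tunnel_all()),
                      ("bypass LAN", tunnel_all_bypass_lan(hotel_lan))):
        print(name, "misdirects:", misdirected(corp, hotel_lan, pol))
```

Running it with your own LAN prefix and corporate subnets shows whether a LAN bypass would silently capture any corporate address.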