[strongSwan] Connecting as client to VPN Server using psk-xauth, having trouble with local traffic being routed
houstontoca at hotmail.com
Thu May 23 08:26:59 CEST 2013
I am trying to connect to a VPN server using psk-xauth on my router along with strongSwan 5.0.4. The server is a VPN server and I would like to route all my traffic except the local traffic.

conn vpn
    keyexchange=ikev1
    rightauth=psk
    leftauth=psk
    leftauth2=xauth
    xauth=server
    xauth_identity=some user name
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=vpn server address ipv4
    auto=add
    type=tunnel
    installpolicy=yes
    rightsubnet=0.0.0.0/0
    #leftsourceip=%config
    # I have disabled leftsourceip since it didn't do me much good. I can get a
    # virtual IP, but still have the same problem.
    leftfirewall=yes

conn pass
    left=%defaultroute
    right=vpn server address ipv4
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=passthrough
    authby=never
    auto=route

After starting ipsec, "ip xfrm policy" gives:

src 192.168.1.0/24 dst 192.168.1.0/24
    dir fwd priority 1859
src 192.168.1.0/24 dst 192.168.1.0/24
    dir in priority 1859
src 192.168.1.0/24 dst 192.168.1.0/24
    dir out priority 1859
Once I get my VPN up, I lose connection to my router. If I get rid of rightsubnet=0.0.0.0/0, I can connect with the VPN, but with no Internet routing, of course. The priority of the conn pass is 1859. The priority of conn pass is 1827 (to look at this info, I had to disable rightsubnet=0.0.0.0/0). I am assuming lower priority means conn pass should keep local traffic local.

After this, I cannot telnet back into the router, which I assume means that all my local traffic is being routed to the VPN. I verified this using the methods below.

I can see that when I try to ping the router, the lights blink indicating data received on the LAN, and I also see lights blinking on the WAN, indicating it is routing my local traffic to the WAN.

To further verify that it is indeed a local traffic routing problem, I programmed the router button to bring the VPN down using "ipsec down vpn". As soon as I disconnect the VPN connection by pressing the button, everything is back to normal, i.e. I can connect to the router using telnet.

So my question is, how can I fix the problem so that the local traffic is not routed to the VPN? Is there a problem in the bypass conn pass? I am not familiar enough with ip xfrm to say if the bypass rule is installing the correct policy. Please advise.
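As an added example (not part of the original post, and not a strongSwan tool), the following POSIX shell script answers the question the post ends with: given an "ip xfrm policy" dump, which policy does the kernel actually apply to a particular packet? The kernel selects, among the policies whose selectors match, the one with the lowest priority value, and a policy that carries a "tmpl" line requires IPsec while a passthrough policy has none. The dumps below are constructed: the bypass priority 1859 is the value quoted in the post, while the tunnel priority 3875, the peer address 203.0.113.10 and the LAN host 192.168.1.50 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: decide which xfrm policy the
# kernel applies to a packet, from an `ip xfrm policy` dump on stdin.
# Lowest priority value wins; a policy with a "tmpl" line means "must be
# protected by IPsec", a policy without one is a passthrough/bypass.

# Constructed sample dumps (not a real capture). 1859 is the bypass priority
# quoted in the post; 3875, 203.0.113.10 and "ptype main" are assumptions.
XFRM_TUNNEL_ONLY='src 192.168.1.0/24 dst 0.0.0.0/0
    dir out priority 3875 ptype main
    tmpl src 192.168.1.1 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.1.0/24
    dir fwd priority 3875 ptype main
    tmpl src 203.0.113.10 dst 192.168.1.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.1.0/24
    dir in priority 3875 ptype main
    tmpl src 203.0.113.10 dst 192.168.1.1
        proto esp reqid 1 mode tunnel'

# Same tunnel policies plus the three passthrough policies "conn pass" installs.
XFRM_WITH_BYPASS="src 192.168.1.0/24 dst 192.168.1.0/24
    dir out priority 1859 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
    dir fwd priority 1859 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
    dir in priority 1859 ptype main
$XFRM_TUNNEL_ONLY"

# xfrm_winner SRC_IP DST_IP DIR   (dump on stdin; DIR is out, in or fwd)
# Prints "bypass priority N", "tunnel priority N" or "none".
xfrm_winner() {
  awk -v s="$1" -v d="$2" -v want="$3" '
    # dotted quad -> 32-bit integer
    function ip2n(a,    o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # is address ip inside CIDR c ("a.b.c.d/len"; a missing /len means /32)?
    function incidr(ip, c,    p, bits, div) {
      split(c, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
      if (bits == 0) return 1                  # 0.0.0.0/0 matches everything
      div = 2 ^ (32 - bits)                    # discard the host bits
      return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
    }
    /^src / { hit = incidr(s, $2) && incidr(d, $4); pending = 0; next }
    /^[ \t]*dir / {
      prio = -1
      for (i = 1; i <= NF; i++) if ($i == "priority") prio = $(i + 1) + 0
      pending = (hit && $2 == want)
      if (pending) { n++; P[n] = prio; T[n] = 0 }   # candidate; assume bypass
      next
    }
    /^[ \t]*tmpl / { if (pending) T[n] = 1; next }  # a template => IPsec required
    END {
      best = 0
      for (i = 1; i <= n; i++) if (best == 0 || P[i] < P[best]) best = i
      if (best == 0) print "none"
      else printf "%s priority %d\n", (T[best] ? "tunnel" : "bypass"), P[best]
    }'
}

# check DUMP SRC_IP DST_IP DIR  -- convenience wrapper over xfrm_winner
check() { printf '%s\n' "$1" | xfrm_winner "$2" "$3" "$4"; }

# Stand-alone demo: a LAN host (192.168.1.50) telnetting to the router (192.168.1.1).
echo "LAN->router inbound, conn pass loaded: $(check "$XFRM_WITH_BYPASS" 192.168.1.50 192.168.1.1 in)"
echo "LAN->router inbound, tunnel only:      $(check "$XFRM_TUNNEL_ONLY" 192.168.1.50 192.168.1.1 in)"
echo "router->LAN reply, conn pass loaded:   $(check "$XFRM_WITH_BYPASS" 192.168.1.1 192.168.1.50 out)"
echo "LAN->Internet outbound:                $(check "$XFRM_WITH_BYPASS" 192.168.1.50 198.51.100.7 out)"

# On the live router:  ip xfrm policy | xfrm_winner 192.168.1.50 192.168.1.1 in
```

The "tunnel only" line shows the failure mode described in the post: if the passthrough policies are absent, or carry a higher priority number than the 0.0.0.0/0 tunnel policies, a cleartext telnet packet from the LAN matches the "in" policy that demands ESP and is dropped (the kernel counts it under XfrmInTmplMismatch in /proc/net/xfrm_stat), and the router's replies are pushed into the tunnel by the matching "out" policy. Run the script against the live "ip xfrm policy" output while the VPN is up, for both the "in" and "out" directions, to confirm which policy is winning for LAN traffic.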