[strongSwan] Connecting as client to VPN Server using psk-xauth, having trouble with local traffic being routed

Imran R houstontoca at hotmail.com
Thu May 23 08:26:59 CEST 2013

I am trying to connect to a vpn server using psk-xauth on my router along with strongswan 5.0.4. The server is a vpn server and I would like to route all my traffic except the local traffic. conn vpn	keyexchange=ikev1	rightauth=psk	leftauth=psk	leftauth2=xauth	xauth=server	xauth_identity=some user name	left=%defaultroute	leftsubnet=	right=vpn server address ipv4	auto=add		type=tunnel	installpolicy=yes	rightsubnet=	#leftsourceip=%config //i have disabled it since it didn't do me much good. i can get a virtual ip, but still the same problem.         leftfirewall=yes	conn pass	left=%defaultroute	right=vpn server address ipv4	leftsubnet=	rightsubnet=	type=passthrough	authby=never	auto=route	after starting ipsec, ip xfrm policy gives;src dst         dir fwd priority 1859 src dst         dir in priority 1859 src dst         dir out priority 1859 
Once I get my vpn up, i lose connection to my router. if i get rid of rightsubnet=, i can connect with the vpn, but with no internet routing of course. The priority of the conn pass is 1859. The priority of conn pass is 1827 (To look at this info, i had to disable rightsubnet= I am assuming lower priority means conn pass should keep local traffic local.
After this, i can not telnet back into the router. Which I am assuming that all my local traffic is being routed to vpn. I verified this using the methods below.
i can see that when i try to ping the router, the lights blink indicating receiving data on the lan and i also see lights blinking on the wan, indicating it is routing my local traffic to wan.
To further verify that indeed its a local traffic routing problem, i programmed the router button to bring the vpn down using "ipsec down vpn". And as soon as I disconnect the vpn connection by pressing the button, everything is back to normal. i.e I can connect to router using telent.
So my question is, how can I fix the problem so that the local traffic is not routed to vpn. Is there a problem in the bypass conn Pass ? I am not familiar with ip xfrm enough to say if the bypass rule is installing the correct policy. Please advise.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130523/61d3bbb9/attachment.html>

More information about the Users mailing list