[strongSwan] client machine cannot talk to local LAN if VPN tunnel over the Internet is connected

Alan Tu 8libra at gmail.com
Sat May 30 01:58:11 CEST 2015


Hello, I'm using strongSwan 5.3.0 to successfully connect a Linux
machine to a VPN over the Internet. However, after I bring up the VPN
tunnel, my client Linux machine cannot talk to other machines on its
own LAN, even though it can talk to machines everywhere else on the
Internet, as well as to machines on the VPN. Can someone give me a
hint as to the solution?

My client machine has IP address 172.31.59.36. The eth0 network
interface has netmask /20. The pre-VPN routing table:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway_hostname. 0.0.0.0         UG    0      0        0 eth0
172.31.48.0     *               255.255.240.0   U     0      0        0 eth0

Post-VPN routing table:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway_ip     0.0.0.0         UG    0      0        0 eth0
172.31.48.0     *               255.255.240.0   U     0      0        0 eth0

Here are some potentially relevant lines from my ipsec.conf file:

conn vpn
    type=tunnel
    aggressive=yes
    xauth=client
    left=%any
    leftid=keyid:...
    leftsourceip=%modeconfig
    right=[public IP of VPN gateway]
    rightsubnet=0.0.0.0/0

After the strongSwan VPN connection is brought up, and the virtual IP
is inserted into eth0, I cannot access other machines in the
172.31.x.x range. The VPN virtual IP addresses are in the 10.0.0.0/8
range, so there is no apparent conflict. I think my root problem is
something related to routing, but I don't know how to fix it. Because
routing to local servers on the LAN no longer works, non-VPN DNS
doesn't work either, which creates secondary problems.

I test strictly IP connectivity with ssh:

$ ssh user@172.31.63.211

If the VPN connection is up, this fails. If I bring down the
connection ("ipsec down vpn"), SSH works.

Can someone please help?

Prior VPN solutions I've used set up a brand new interface, so I'm
really stuck. I tried changing rightsubnet to 10.0.0.0/8 (the IP range
of the VPN), but VPN connectivity fails altogether. Other ideas I have
for a solution include inserting something into the routing table, or
getting strongSwan to somehow create its own network interface, but
I'm not sure. I'd appreciate some guidance towards a solution.

Alan
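Added example (not part of Alan's post, and not strongSwan code): a small model of the two kernel lookups that decide the fate of a LAN packet on this client. The routing tables and xfrm policies below are constructed from the values in the post; 10.0.0.5 stands in for the assigned virtual IP and 203.0.113.1 for the VPN gateway (both placeholders). The model assumes the documented strongSwan behaviour of installing its tunnel route in routing table 220 (consulted before the main table, which is why the `route` output above looks unchanged) and, for a `type=passthrough` connection covering the local subnet, a narrower passthrough policy plus a table-220 route that keeps the interface address as source.

```python
"""Model of route selection (strongSwan table 220, then main) followed by the
xfrm policy match, showing why rightsubnet=0.0.0.0/0 swallows LAN traffic and
how a passthrough policy for 172.31.48.0/20 restores it.
Added example with constructed state; not captured from the poster's machine."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


def ip(s: str) -> IPv4:
    return ipaddress.ip_address(s)


@dataclass
class Route:
    prefix: Net
    dev: str
    src: IPv4                   # preferred source address for this route


@dataclass
class Policy:
    src: Net
    dst: Net
    priority: int               # kernel applies the lowest value among matches
    tunnel_to: Optional[IPv4]   # None = passthrough (no ESP template)


def route_lookup(tables, dst):
    """Emulate `ip rule`: table 220 is tried before main; within a table the
    longest prefix wins. With a default route in table 220, main is never
    consulted while the tunnel is up."""
    for table in tables:
        matches = [r for r in table if dst in r.prefix]
        if matches:
            return max(matches, key=lambda r: r.prefix.prefixlen)
    return None


def policy_lookup(policies, src, dst):
    """xfrm policy match: both selector halves must match; lowest priority
    value wins (strongSwan gives narrower selectors lower values)."""
    matches = [p for p in policies if src in p.src and dst in p.dst]
    return min(matches, key=lambda p: p.priority, default=None)


def disposition(tables, policies, dst):
    dst = ip(dst)
    route = route_lookup(tables, dst)
    if route is None:
        return "unreachable"
    pol = policy_lookup(policies, route.src, dst)
    if pol is None or pol.tunnel_to is None:
        return f"cleartext via {route.dev} from {route.src}"
    return f"ESP tunnel to {pol.tunnel_to} (source {route.src})"


# Main table as shown by `route` in the post; strongSwan leaves it alone.
MAIN = [Route(net("0.0.0.0/0"), "eth0", ip("172.31.59.36")),
        Route(net("172.31.48.0/20"), "eth0", ip("172.31.59.36"))]

# Constructed table 220 and policy for the posted conn (rightsubnet=0.0.0.0/0,
# leftsourceip=%modeconfig): default route sourced from the virtual IP, and a
# policy tunnelling everything from that IP to the gateway (placeholder addresses).
TABLE_220_VPN = [Route(net("0.0.0.0/0"), "eth0", ip("10.0.0.5"))]
POLICIES_VPN = [Policy(net("10.0.0.5/32"), net("0.0.0.0/0"), 399999, ip("203.0.113.1"))]

# Constructed state with an additional passthrough conn for the LAN
# (type=passthrough, leftsubnet=rightsubnet=172.31.48.0/20, authby=never, auto=route):
# a narrower policy without ESP template and a route keeping the eth0 address as source.
TABLE_220_FIX = TABLE_220_VPN + [Route(net("172.31.48.0/20"), "eth0", ip("172.31.59.36"))]
POLICIES_FIX = POLICIES_VPN + [Policy(net("172.31.48.0/20"), net("172.31.48.0/20"), 380000, None)]


def without_vpn(dst):
    return disposition([MAIN], [], dst)


def with_vpn_only(dst):
    return disposition([TABLE_220_VPN, MAIN], POLICIES_VPN, dst)


def with_passthrough(dst):
    return disposition([TABLE_220_FIX, MAIN], POLICIES_FIX, dst)


if __name__ == "__main__":
    for d in ("172.31.63.211", "8.8.8.8"):
        print(d, "| no vpn:", without_vpn(d))
        print(d, "| vpn only:", with_vpn_only(d))
        print(d, "| with passthrough:", with_passthrough(d))
```

On a real client the corresponding state can be inspected with `ip rule`, `ip route show table 220` and `ip xfrm policy`; the model above reproduces what those would show: with only the 0.0.0.0/0 conn, the LAN host 172.31.63.211 is routed and encrypted exactly like an Internet host, while the passthrough policy lets it stay on eth0 in cleartext and leaves Internet traffic inside the tunnel.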


More information about the Users mailing list