[strongSwan] client machine cannot talk to local LAN if VPN tunnel over the Internet is connected

Zhuyj mounter625 at 163.com
Sat May 30 06:46:05 CEST 2015


Check the route; 0.0.0.0 is not good, a specific LAN is better.


Sent from my iPhone

> On 30 May 2015, at 7:58, Alan Tu <8libra at gmail.com> wrote:
> 
> Hello, I'm using Strongswan 5.3.0 to successfully connect a Linux
> machine to a VPN over the Internet. However, after I bring up the VPN
> tunnel, my client Linux machine cannot talk to other machines on its
> own LAN, even though it can talk to machines everywhere else on the
> Internet, as well as to machines on the VPN. Can someone give me a
> hint as to the solution?
> 
> My client machine has IP address 172.31.59.36. The eth0 network
> interface has netmask /20. The pre-VPN routing table:
> 
> $ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         gateway_hostname. 0.0.0.0         UG    0      0        0 eth0
> 172.31.48.0     *               255.255.240.0   U     0      0        0 eth0
> 
> Post-VPN routing table:
> $ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         gateway_ip     0.0.0.0         UG    0      0        0 eth0
> 172.31.48.0     *               255.255.240.0   U     0      0        0 eth0
> 
> Here are some potentially relevant lines from my ipsec.conf file:
> conn vpn
>    type=tunnel
>    aggressive=yes
>    xauth=client
>    left=%any
>    leftid=keyid:...
>    leftsourceip=%modeconfig
>    right=[public IP of VPN gateway]
>    rightsubnet=0.0.0.0/0
> 
> After the Strongswan VPN connection is brought up, and the virtual IP
> is inserted into eth0, I cannot access other machines in the
> 172.31.x.x range. The VPN virtual IP addresses are in the 10.0.0.0/8
> range, so there is no apparent conflict. I think my root problem is
> something related to routing, but I don't know how to fix it. Because
> routing to local servers on the LAN no longer works, non-VPN DNS
> doesn't work either, which creates secondary problems.
> 
> I test strictly IP connectivity with ssh:
> $ ssh user at 172.31.63.211
> 
> If the VPN connection is up, this fails. If I bring down the
> connection ("ipsec down vpn"), SSH works.
> 
> Can someone please help?
> 
> Prior VPN solutions I've used set up a brand new interface, so I'm
> really stuck. I tried changing rightsubnet to 10.0.0.0/8 (the IP range
> of the VPN), but VPN connectivity fails altogether. Other ideas I have
> for a solution include inserting something into the routing table, or
> getting Strongswan to somehow create its own network interface, but
> I'm not sure. I'd appreciate some guidance towards a solution.
> 
> Alan
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
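One concrete form of the "specific LAN instead of 0.0.0.0" advice, added here as an illustration and not taken from either poster's configuration: keep the existing conn vpn with rightsubnet=0.0.0.0/0 and add a strongSwan passthrough policy for the local /20, so that LAN traffic is exempted from the tunnel while everything else is still sent over the VPN. The LAN prefix 172.31.48.0/20 comes from the quoted routing table; the conn name lan-passthrough is my own choice.

```conf
# ipsec.conf fragment (example; sits beside the quoted "conn vpn", which
# keeps rightsubnet=0.0.0.0/0 and is not repeated here).
#
# strongSwan installs IPsec policies that are consulted before ordinary
# routing, so the 0.0.0.0/0 policy also captures traffic to the local LAN.
# A passthrough policy with a more specific selector takes precedence over
# the catch-all, so 172.31.48.0/20 is left in the clear.
conn lan-passthrough
    leftsubnet=172.31.48.0/20      # local LAN from the quoted route table
    rightsubnet=172.31.48.0/20
    authby=never                   # no authentication: nothing is negotiated
    type=passthrough               # bypass IPsec for this traffic selector
    auto=route                     # install the policy at startup/reload
```

After `ipsec reload`, `ip xfrm policy` should list the 172.31.48.0/20 selectors without an IPsec template, and `ip route show table 220` shows the routes strongSwan installed for the tunnel, which is why the main table in the quoted output looks unchanged even though LAN traffic is affected.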


