[strongSwan] client machine cannot talk to local LAN if VPN tunnel over the Internet is connected

Alan Tu 8libra at gmail.com
Sat May 30 08:00:54 CEST 2015


Hmmm, I don't think this worked. The pre- and post-VPN routing tables
are actually identical:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.48.1     0.0.0.0         UG    0      0        0 eth0
172.31.48.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0

I then added a new route:
# route add -net 172.31.48.0 netmask 255.255.240.0 gw 172.31.48.1 dev eth0

New routing table:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.48.1     0.0.0.0         UG    0      0        0 eth0
172.31.48.0     172.31.48.1     255.255.240.0   UG    0      0        0 eth0
172.31.48.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0

I still couldn't SSH to 172.31.63.211 while the VPN tunnel is up.

Alan


On 5/30/15, Zhuyj <mounter625 at 163.com> wrote:
> Check route, 0.0.0.0 is not good, a specific LAN is better
>
>
> Sent from my iPhone
>
>> On 2015-05-30, 7:58, Alan Tu <8libra at gmail.com> wrote:
>>
>> Hello, I'm using Strongswan 5.3.0 to successfully connect a Linux
>> machine to a VPN over the Internet. However, after I bring up the VPN
>> tunnel, my client Linux machine cannot talk to other machines on its
>> own LAN, even though it can talk to machines everywhere else on the
>> Internet, as well as to machines on the VPN. Can someone give me a
>> hint as to the solution?
>>
>> My client machine has IP address 172.31.59.36. The eth0 network
>> interface has netmask /20. The pre-VPN routing table:
>>
>> $ route
>> Kernel IP routing table
>> Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
>> default         gateway_hostname. 0.0.0.0         UG    0      0        0 eth0
>> 172.31.48.0     *                 255.255.240.0   U     0      0        0 eth0
>>
>> Post-VPN routing table:
>> $ route
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> default         gateway_ip      0.0.0.0         UG    0      0        0 eth0
>> 172.31.48.0     *               255.255.240.0   U     0      0        0 eth0
>>
>> Here are some potentially relevant lines from my ipsec.conf file:
>> conn vpn
>>    type=tunnel
>>    aggressive=yes
>>    xauth=client
>>    left=%any
>>    leftid=keyid:...
>>    leftsourceip=%modeconfig
>>    right=[public IP of VPN gateway]
>>    rightsubnet=0.0.0.0/0
>>
>> After the Strongswan VPN connection is brought up, and the virtual IP
>> is inserted into eth0, I cannot access other machines in the
>> 172.31.x.x range. The VPN virtual IP addresses are in the 10.0.0.0/8
>> range, so there is no apparent conflict. I think my root problem is
>> something related to routing, but I don't know how to fix it. Because
>> routing to local servers on the LAN no longer works, non-VPN DNS
>> doesn't work either, which creates secondary problems.
>>
>> I test strictly IP connectivity with ssh:
>> $ ssh user@172.31.63.211
>>
>> If the VPN connection is up, this fails. If I bring down the
>> connection ("ipsec down vpn"), SSH works.
>>
>> Can someone please help?
>>
>> Prior VPN solutions I've used set up a brand new interface, so I'm
>> really stuck. I tried changing rightsubnet to 10.0.0.0/8 (the IP range
>> of the VPN), but VPN connectivity fails altogether. Other ideas I have
>> for a solution include inserting something into the routing table, or
>> getting Strongswan to somehow create its own network interface, but
>> I'm not sure. I'd appreciate some guidance towards a solution.
>>
>> Alan
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
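An added example, not from this thread or the strongSwan project, of the usual way to keep the local LAN reachable when rightsubnet=0.0.0.0/0 pulls all traffic into the tunnel: a passthrough connection whose traffic selectors cover the LAN prefix. It assumes the client's whole local subnet is 172.31.48.0/20 (the /20 on eth0 from Alan's post) and leaves the existing "conn vpn" unchanged.

```ini
# Added example, not part of the original thread.
# Assumes the local LAN is 172.31.48.0/20 (eth0 netmask /20 in Alan's post).
# A passthrough policy for the LAN prefix is more specific than the
# 0.0.0.0/0 tunnel policy, so the kernel matches it first and sends LAN
# traffic in the clear on eth0 instead of encapsulating it.
conn lan-bypass
    type=passthrough
    leftsubnet=172.31.48.0/20
    rightsubnet=172.31.48.0/20
    # install the bypass policy as soon as the daemon starts,
    # independent of whether "conn vpn" is up
    auto=route

# "conn vpn" from the original post stays as it is, including
# rightsubnet=0.0.0.0/0; only the bypass connection is new.
```

strongSwan installs its tunnel routes in routing table 220 rather than the main table, which is why `route -n` looks identical before and after the tunnel comes up; `ip route show table 220` and `ip xfrm policy` show what the tunnel actually captures.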