[strongSwan] Prevent traffic outside VPN
ms at sys4.de
Fri Apr 5 10:28:01 CEST 2019
On 29.03.19 at 16:54, Tony Phillips wrote:
> When my tunnel comes up, locations at the destination of the VPN are reachable as desired.
> However, in my use case, I want to prevent anything talking to the client on its real interface (bypassing the tunnel). Right now, even with the tunnel up, I can SSH into the client's real eth0 interface's IP address *and* the tunnel IP address.
> I've tried removing the original default route (and of course adding a host-specific route so the client knows how to get to the VPN server), but that still doesn't stop traffic from "outside" the VPN from reaching the client.
> Here's my ipsec.conf file:
> config setup
> conn %default
> conn test
> From my understanding of the documentation, what I'm asking for SHOULD be the default behavior. But I'm obviously missing something.
> The address I'm given by the VPN server is in the 10.248.60/19 range.
Set up a local firewall. Trigger it with the setup of the tunnel.
Kind regards,
sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
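The "local firewall triggered by the tunnel setup" approach, written out as an added example that is not part of the thread and not strongSwan's bundled _updown script: a leftupdown= hook that, while a CHILD_SA is up, only lets the IKE exchange (UDP 500/4500), ESP from the VPN server and the decrypted tunnel traffic itself pass on the physical interface, and drops everything else in or out of it. It assumes iptables and the PLUTO_VERB, PLUTO_INTERFACE and PLUTO_PEER variables strongSwan exports to updown scripts; the chain names and the peer address 203.0.113.10 used when testing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan's own _updown script.
# Install with  leftupdown=/etc/ipsec.d/lockdown-updown.sh  in the conn.
# Assumes iptables and strongSwan's PLUTO_VERB / PLUTO_INTERFACE / PLUTO_PEER.
# Chain names below are made up for this example.

IPT="${IPT:-iptables}"        # IPT=echo gives a dry run that only prints commands
CHAIN_IN="VPN_LOCKDOWN_IN"
CHAIN_OUT="VPN_LOCKDOWN_OUT"

# lockdown_rules DIR PEER: print the rule bodies for one direction ("in" or
# "out"), one per line, without the "iptables -A <chain>" prefix.  Order
# matters: the accepts come first, the unconditional DROP last.
lockdown_rules() {
    dir="$1"; peer="$2"
    case "$dir" in
        in)  addr="-s" ;;   # inbound packets come *from* the peer
        out) addr="-d" ;;   # outbound packets go *to* the peer
        *)   echo "lockdown_rules: direction must be in or out" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "-m policy --dir $dir --pol ipsec -j ACCEPT" \
        "$addr $peer -p esp -j ACCEPT" \
        "$addr $peer -p udp -m multiport --dports 500,4500 -j ACCEPT" \
        "-j DROP"
}

# apply_direction DIR CHAIN HOOK IFFLAG IFACE PEER: (re)build CHAIN and hook it
# in at position 1 of HOOK (INPUT or OUTPUT) for IFACE.  Safe to run twice,
# which matters because up-client fires once per CHILD_SA.
apply_direction() {
    dir="$1"; chain="$2"; hook="$3"; ifflag="$4"; iface="$5"; peer="$6"
    "$IPT" -N "$chain" 2>/dev/null || true      # already exists on a re-run
    "$IPT" -F "$chain"
    lockdown_rules "$dir" "$peer" | while read -r rule; do
        # $rule is intentionally unquoted: it holds several iptables arguments
        "$IPT" -A "$chain" $rule
    done
    "$IPT" -D "$hook" "$ifflag" "$iface" -j "$chain" 2>/dev/null || true
    "$IPT" -I "$hook" 1 "$ifflag" "$iface" -j "$chain"
}

# remove_direction CHAIN HOOK IFFLAG IFACE: undo apply_direction.
remove_direction() {
    chain="$1"; hook="$2"; ifflag="$3"; iface="$4"
    "$IPT" -D "$hook" "$ifflag" "$iface" -j "$chain" 2>/dev/null || true
    "$IPT" -F "$chain" 2>/dev/null || true
    "$IPT" -X "$chain" 2>/dev/null || true
}

lockdown_up() {
    iface="$1"; peer="$2"
    apply_direction in  "$CHAIN_IN"  INPUT  -i "$iface" "$peer"
    apply_direction out "$CHAIN_OUT" OUTPUT -o "$iface" "$peer"
}

lockdown_down() {
    iface="$1"
    remove_direction "$CHAIN_IN"  INPUT  -i "$iface"
    remove_direction "$CHAIN_OUT" OUTPUT -o "$iface"
}

# strongSwan runs the script with PLUTO_VERB set; without it (sourced for
# inspection, or a dry run) nothing is touched.
case "${PLUTO_VERB:-}" in
    up-client|up-host)     lockdown_up   "$PLUTO_INTERFACE" "$PLUTO_PEER" ;;
    down-client|down-host) lockdown_down "$PLUTO_INTERFACE" ;;
esac
```

With the tunnel up, the SSH test from the question behaves as wanted: a connection to the tunnel address still arrives because the decrypted packets match `-m policy --dir in --pol ipsec`, while a connection straight to the eth0 address hits the DROP. Two caveats: setting leftupdown= replaces strongSwan's default _updown script, so anything that script did for the connection (for example the leftfirewall=yes rules) is no longer installed; and DHCP renewals on the physical interface are blocked while the lockdown is active unless a rule for UDP 67/68 is added. `iptables -S VPN_LOCKDOWN_IN` shows what was installed, and running the functions with IPT=echo prints the exact commands without touching the firewall.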