[strongSwan] Prevent traffic outside VPN
Michael Schwartzkopff
ms at sys4.de
Fri Apr 5 10:28:01 CEST 2019
On 29.03.19 at 16:54, Tony Phillips wrote:
> When my tunnel comes up, locations at the destination of the VPN are reachable as desired.
>
> However, in my use case, I want to prevent anything talking to the client on its real interface (bypassing the tunnel). Right now, even with the tunnel up, I can SSH into the client's real eth0 interface's IP address *and* the tunnel IP address.
>
> I've tried removing the original default route (and of course adding a host-specific route so the client knows how to get to the VPN server), but that still doesn't stop traffic from "outside" the VPN from reaching the client.
>
> Here's my ipsec.conf file:
>
> config setup
>     charondebug=1
>
> conn %default
>     ikelifetime=20m
>     reauth=yes
>     rekey=yes
>     keylife=10m
>     rekeymargin=3m
>     rekeyfuzz=0%
>     keyingtries=1
>     type=tunnel
>
> conn test
>     keyexchange=ikev1
>     ikelifetime=1440m
>     keylife=60m
>     aggressive=yes
>     ike=aes-sha1-modp1024
>     esp=aes-sha1
>     xauth=client
>     left=10.181.43.20
>     leftid=(omitted)
>     leftsourceip=%modeconfig
>     leftauth=psk
>     rightauth=psk
>     leftauth2=xauth
>     right=10.248.1.2
>     rightsubnet=0.0.0.0/
>     xauth_identity=test
>     auto=add
>
> From my understanding of the documentation, what I'm asking for SHOULD be the default behavior. But I'm obviously missing something.
>
> The address I'm given by the VPN server is in the 10.248.60/19 range.
>
Set up a local firewall. Trigger it with the setup of the tunnel.
Kind regards,
--
sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
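One way to do what the reply suggests, as an added example that is not part of the original thread and not strongSwan's own _updown script: a custom updown script hooked in with the real ipsec.conf keyword leftupdown (which replaces the default _updown script for that conn). strongSwan exports PLUTO_VERB, PLUTO_PEER and PLUTO_INTERFACE to the script on every tunnel up/down; the chain name VPNONLY, the install path /etc/ipsec.d/vpn-only-updown.sh and the use of iptables (not nftables) are assumptions of this example, and eth0 and the gateway 10.248.1.2 are taken from the poster's setup. While the tunnel is up, the physical interface only accepts IKE (UDP 500/4500) and ESP from the gateway, packets that were decapsulated from IPsec (policy match), and replies to connections the client opened itself; everything else, including a fresh SSH to the eth0 address, is dropped. When the tunnel goes down the rules are removed again.

```shell
#!/bin/sh
# vpn-only-updown.sh: example strongSwan updown script that closes the
# physical interface while the tunnel is up. Added illustration, not
# strongSwan's own _updown script. Assumed install point (ipsec.conf):
#     conn test
#         leftupdown=/etc/ipsec.d/vpn-only-updown.sh
# strongSwan exports PLUTO_VERB, PLUTO_PEER and PLUTO_INTERFACE to the
# script on every tunnel up/down; the chain name VPNONLY is our choice.

# Emit, one per line, the iptables commands for one verb.
#   $1 = verb (up-client / down-client), $2 = VPN gateway, $3 = real NIC
build_rules() {
    verb=$1; peer=$2; dev=$3
    case "$verb" in
        up-client)
            printf '%s\n' \
              "iptables -N VPNONLY" \
              "iptables -A VPNONLY -m policy --dir in --pol ipsec -j ACCEPT" \
              "iptables -A VPNONLY -s $peer -p esp -j ACCEPT" \
              "iptables -A VPNONLY -s $peer -p udp --dport 500 -j ACCEPT" \
              "iptables -A VPNONLY -s $peer -p udp --dport 4500 -j ACCEPT" \
              "iptables -A VPNONLY -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
              "iptables -A VPNONLY -j DROP" \
              "iptables -I INPUT 1 -i $dev -j VPNONLY"
            ;;
        down-client)
            printf '%s\n' \
              "iptables -D INPUT -i $dev -j VPNONLY" \
              "iptables -F VPNONLY" \
              "iptables -X VPNONLY"
            ;;
        *)  ;;   # up-host/down-host and the IPv6 variants: nothing to do
    esac
}

# Run the commands for the verb strongSwan handed us. A conn with several
# child SAs calls the script once per child, so the chain is only built
# the first time and only torn down once.
apply_rules() {
    verb=${PLUTO_VERB}; peer=${PLUTO_PEER}; dev=${PLUTO_INTERFACE}
    if [ "$verb" = up-client ] && iptables -nL VPNONLY >/dev/null 2>&1; then
        return 0
    fi
    if [ "$verb" = down-client ] && ! iptables -nL VPNONLY >/dev/null 2>&1; then
        return 0
    fi
    build_rules "$verb" "$peer" "$dev" | while IFS= read -r cmd; do
        $cmd || logger -t vpn-only-updown "failed: $cmd"
    done
}

# strongSwan always exports PLUTO_VERB; run by hand without it, nothing is
# applied and build_rules can be inspected safely.
if [ -n "${PLUTO_VERB:-}" ]; then
    apply_rules
fi
```

The policy-match rule matters: after the kernel strips ESP, the inner packet traverses INPUT a second time on the same interface, and without `-m policy --dir in --pol ipsec` the final DROP would swallow the tunnel's own traffic. The ESTABLISHED,RELATED rule only admits replies to connections the client itself started, so it does not reopen inbound SSH; anything the client genuinely needs outside the tunnel (DHCP renewal, for instance) would need an explicit ACCEPT before the DROP. The script handles IPv4 only.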