[strongSwan] Prevent traffic outside VPN

Tony Phillips tony at tonysown.net
Fri Mar 29 16:54:11 CET 2019


When my tunnel comes up, locations at the destination of the VPN are reachable as desired.

However, in my use case, I want to prevent anything talking to the client on its real interface (bypassing the tunnel). Right now, even with the tunnel up, I can SSH into the client's real eth0 interface's IP address *and* the tunnel IP address.

I've tried removing the original default route (and of course adding a host-specific route so the client knows how to get to the VPN server), but that still doesn't stop traffic from "outside" the VPN from reaching the client.

Here's my ipsec.conf file:

config setup
    charondebug=1

conn %default
    ikelifetime=20m
    reauth=yes
    rekey=yes
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=0%
    keyingtries=1
    type=tunnel

conn test
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=yes
    ike=aes-sha1-modp1024
    esp=aes-sha1
    xauth=client
    left=10.181.43.20
    leftid=(omitted)
    leftsourceip=%modeconfig
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=10.248.1.2
    rightsubnet=0.0.0.0/
    xauth_identity=test
    auto=add

From my understanding of the documentation, what I'm asking for SHOULD be the default behavior. But I'm obviously missing something.

The address I'm given by the VPN server is in the 10.248.60/19 range.
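The behaviour described in the post follows from how IPsec policies work: with leftsourceip the installed policies cover only traffic between the virtual IP and rightsubnet, so packets addressed to the physical interface's own address never match a policy and are passed as plaintext, which is why routing changes alone do not help. The usual fix is a host firewall that lets only IKE/ESP to the gateway and IPsec-matched traffic use the physical interface; the script below is an added example, not from the original post or the strongSwan project, and it assumes eth0 as the physical interface, 10.248.1.2 (the post's right=) as the gateway, and iptables with the xt_policy match module.

```shell
#!/bin/sh
# VPN-only ("kill switch") rules for a strongSwan road-warrior client.
# Assumptions (not from the original post): iptables with xt_policy is
# installed; gateway and interface are taken from the post's conn.
GW="${GW:-10.248.1.2}"      # right= in the post's conn
IFACE="${IFACE:-eth0}"      # the client's physical interface

# Print the iptables commands instead of running them, so the set can be
# reviewed (or piped into sh) before anything is applied.
vpn_only_rules() {
    gw="$1"; dev="$2"
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Plaintext just decapsulated from an IPsec SA (matched the inbound xfrm policy)
iptables -A INPUT  -i $dev -m policy --dir in  --pol ipsec -j ACCEPT
# Plaintext about to be encapsulated into an IPsec SA (matched the outbound policy)
iptables -A OUTPUT -o $dev -m policy --dir out --pol ipsec -j ACCEPT
# IKE (UDP/500), NAT-T (UDP/4500) and ESP only to/from the VPN gateway
iptables -A INPUT  -i $dev -s $gw -p udp -m multiport --sports 500,4500 -j ACCEPT
iptables -A OUTPUT -o $dev -d $gw -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT  -i $dev -s $gw -p esp -j ACCEPT
iptables -A OUTPUT -o $dev -d $gw -p esp -j ACCEPT
# Everything else on $dev (e.g. SSH to its real address) hits the DROP policy
EOF
}

# Number of ACCEPT rules the set opens; a reviewer can confirm that only
# loopback, IPsec-matched and gateway IKE/ESP traffic is allowed through.
count_accepts() {
    vpn_only_rules "$1" "$2" | grep -c -- "-j ACCEPT"
}

if [ "${APPLY:-0}" = 1 ]; then
    vpn_only_rules "$GW" "$IFACE" | sh -e   # apply for real (needs root)
else
    vpn_only_rules "$GW" "$IFACE"           # dry run: show what would be applied
fi
```

Run with APPLY=1 only after checking the dry-run output; the UDP source-port match assumes the gateway is not itself behind NAT.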