When my tunnel comes up, locations at the destination of the VPN are reachable as desired.
However, in my use case, I want to prevent anything talking to the client on its real interface (bypassing the tunnel). Right now, even with the tunnel up, I can SSH into the client's real eth0 interface's IP address *and* the tunnel IP address. I've tried removing the original default route (and of course adding a host-specific route so the client knows how to get to the VPN server), but that still doesn't stop traffic from "outside" the VPN from reaching the client.

Here's my ipsec.conf file:

```
config setup
    charondebug=1

conn %default
    ikelifetime=20m
    reauth=yes
    rekey=yes
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=0%
    keyingtries=1
    type=tunnel

conn test
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=yes
    ike=aes-sha1-modp1024
    esp=aes-sha1
    xauth=client
    left=10.181.43.20
    leftid=(omitted)
    leftsourceip=%modeconfig
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=10.248.1.2
    rightsubnet=0.0.0.0/
    xauth_identity=test
    auto=add
```

From my understanding of the documentation, what I'm asking for SHOULD be the default behavior. But I'm obviously missing something. The address I'm given by the VPN server is in the 10.248.60/19 range.
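The IPsec policies strongSwan installs only decide which packets must be encrypted; they do not stop the kernel from accepting cleartext packets addressed to eth0's real IP. A host firewall that admits inbound traffic only if it was decapsulated from an IPsec SA closes that gap. The nftables ruleset below is an added example, not part of the original post; it assumes the client's physical interface is `eth0` and reuses the gateway address `10.248.1.2` from the question.

```nft
# Added example: accept inbound traffic on the client only via the IPsec tunnel.
# Assumes: physical interface eth0, VPN gateway 10.248.1.2 (from the question).
table inet vpn_only {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened itself.
        iifname "lo" accept
        ct state established,related accept

        # IKE (UDP 500/4500) and ESP from the VPN gateway must arrive in the clear,
        # otherwise the tunnel can never be negotiated or carry data.
        ip saddr 10.248.1.2 udp dport { 500, 4500 } accept
        ip saddr 10.248.1.2 ip protocol esp accept

        # Inner packets that were just decapsulated from an IPsec SA re-enter the
        # input hook with an associated IPsec policy; this is the tunnel traffic
        # (destined for the 10.248.60.0/19 virtual IP) that should be reachable.
        meta ipsec exists accept

        # Anything else that hits eth0 directly bypasses the tunnel: log and drop,
        # so attempts to reach the real IP show up in the kernel log.
        iifname "eth0" log prefix "vpn_only clear-inbound drop: " counter drop
    }
}
```

Load it with `nft -f <file>` after the tunnel is configured; note that `ct state established` keeps any cleartext session that was already open before the rules loaded, so flush conntrack (`conntrack -F`) if that matters.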