Check route, 0.0.0.0 is not good, a specific LAN is better
Sent from my iPhone

> On May 30, 2015, at 7:58, Alan Tu <[email protected]> wrote:
>
> Hello, I'm using Strongswan 5.3.0 to successfully connect a Linux
> machine to a VPN over the Internet. However, after I bring up the VPN
> tunnel, my client Linux machine cannot talk to other machines on its
> own LAN, even though it can talk to machines everywhere else on the
> Internet, as well as to machines on the VPN. Can someone give me a
> hint as to the solution?
>
> My client machine has IP address 172.31.59.36. The eth0 network
> interface has netmask /20. The pre-VPN routing table:
>
> $ route
> Kernel IP routing table
> Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
> default         gateway_hostname. 0.0.0.0         UG    0      0        0 eth0
> 172.31.48.0     *                 255.255.240.0   U     0      0        0 eth0
>
> Post-VPN routing table:
> $ route
> Kernel IP routing table
> Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
> default         gateway_ip        0.0.0.0         UG    0      0        0 eth0
> 172.31.48.0     *                 255.255.240.0   U     0      0        0 eth0
>
> Here are some potentially relevant lines from my ipsec.conf file:
> conn vpn
>     type=tunnel
>     aggressive=yes
>     xauth=client
>     left=%any
>     leftid=keyid:...
>     leftsourceip=%modeconfig
>     right=[public IP of VPN gateway]
>     rightsubnet=0.0.0.0/0
>
> After the Strongswan VPN connection is brought up, and the virtual IP
> is inserted into eth0, I cannot access other machines in the
> 172.31.x.x range. The VPN virtual IP addresses are in the 10.0.0.0/8
> range, so there is no apparent conflict. I think my root problem is
> something related to routing, but I don't know how to fix it. Because
> routing to local servers on the LAN no longer works, non-VPN DNS
> doesn't work either, which creates secondary problems.
>
> I test strictly IP connectivity with ssh:
> $ ssh [email protected]
>
> If the VPN connection is up, this fails. If I bring down the
> connection ("ipsec down vpn"), SSH works.
>
> Can someone please help?
>
> Prior VPN solutions I've used set up a brand new interface, so I'm
> really stuck. I tried changing rightsubnet to 10.0.0.0/8 (the IP range
> of the VPN), but VPN connectivity fails altogether. Other ideas I have
> for a solution include inserting something into the routing table, or
> getting Strongswan to somehow create its own network interface, but
> I'm not sure. I'd appreciate some guidance towards a solution.
>
> Alan
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
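
An added example, not part of the original thread: on Linux, strongSwan enforces the tunnel with IPsec policies built from the traffic selectors rather than with main-table routes, which is why `route` looks the same before and after while `rightsubnet=0.0.0.0/0` still captures the 172.31.48.0/20 LAN. The script checks which on-link networks a set of remote selectors covers and renders a passthrough conn that exempts them. The function names and the conn name `lan-bypass` are hypothetical, and the coverage test is a simplified model that assumes a selector captures a LAN only when it contains it entirely.

```python
import ipaddress


def swallowed_lans(on_link, remote_ts, bypass=()):
    """Return on-link networks whose traffic the tunnel policy would capture.

    Simplified model (assumption): a LAN is captured when a remote traffic
    selector contains it and no passthrough selector contains it.
    """
    tunnel = [ipaddress.ip_network(n) for n in remote_ts]
    shunts = [ipaddress.ip_network(n) for n in bypass]

    def inside(net, selectors):
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        return any(net.version == s.version and net.subnet_of(s)
                   for s in selectors)

    captured = []
    for lan in (ipaddress.ip_network(n) for n in on_link):
        if inside(lan, tunnel) and not inside(lan, shunts):
            captured.append(str(lan))
    return captured


def passthrough_conn(lan, name="lan-bypass"):
    """Render an ipsec.conf conn that exempts `lan` from IPsec processing."""
    net = ipaddress.ip_network(lan)
    return "\n".join([
        f"conn {name}",              # hypothetical conn name
        f"    leftsubnet={net}",
        f"    rightsubnet={net}",
        "    authby=never",          # no peer to authenticate
        "    type=passthrough",      # bypass policy instead of a tunnel
        "    auto=route",            # install the policy at startup
    ])


if __name__ == "__main__":
    on_link = ["172.31.48.0/20"]     # eth0 network from the post
    for lan in swallowed_lans(on_link, ["0.0.0.0/0"]):
        print(f"# {lan} is captured by rightsubnet=0.0.0.0/0; add:")
        print(passthrough_conn(lan))
```

Once such a conn is loaded, `ip xfrm policy` should list a policy for the LAN subnet alongside the tunnel policies.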
