Hmmm, I don't think this worked. The pre- and post-VPN routing tables are actually identical:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.48.1     0.0.0.0         UG    0      0        0 eth0
172.31.48.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0

I then added a new route:
# route add -net 172.31.48.0 netmask 255.255.240.0 gw 172.31.48.1 dev eth0

New routing table:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.48.1     0.0.0.0         UG    0      0        0 eth0
172.31.48.0     172.31.48.1     255.255.240.0   UG    0      0        0 eth0
172.31.48.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0

I still couldn't SSH to 172.31.63.211 while the VPN tunnel is up.

Alan

On 5/30/15, Zhuyj <[email protected]> wrote:
> Check route, 0.0.0.0 is not good, a specific LAN is better
>
>
> Sent from my iPhone
>
>> On May 30, 2015, at 7:58, Alan Tu <[email protected]> wrote:
>>
>> Hello, I'm using Strongswan 5.3.0 to successfully connect a Linux
>> machine to a VPN over the Internet. However, after I bring up the VPN
>> tunnel, my client Linux machine cannot talk to other machines on its
>> own LAN, even though it can talk to machines everywhere else on the
>> Internet, as well as to machines on the VPN. Can someone give me a
>> hint as to the solution?
>>
>> My client machine has IP address 172.31.59.36. The eth0 network
>> interface has netmask /20. The pre-VPN routing table:
>>
>> $ route
>> Kernel IP routing table
>> Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
>> default         gateway_hostname. 0.0.0.0         UG    0      0        0 eth0
>> 172.31.48.0     *                 255.255.240.0   U     0      0        0 eth0
>>
>> Post-VPN routing table:
>> $ route
>> Kernel IP routing table
>> Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
>> default         gateway_ip        0.0.0.0         UG    0      0        0 eth0
>> 172.31.48.0     *                 255.255.240.0   U     0      0        0 eth0
>>
>> Here are some potentially relevant lines from my ipsec.conf file:
>> conn vpn
>>     type=tunnel
>>     aggressive=yes
>>     xauth=client
>>     left=%any
>>     leftid=keyid:...
>>     leftsourceip=%modeconfig
>>     right=[public IP of VPN gateway]
>>     rightsubnet=0.0.0.0/0
>>
>> After the Strongswan VPN connection is brought up, and the virtual IP
>> is inserted into eth0, I cannot access other machines in the
>> 172.31.x.x range. The VPN virtual IP addresses are in the 10.0.0.0/8
>> range, so there is no apparent conflict. I think my root problem is
>> something related to routing, but I don't know how to fix it. Because
>> routing to local servers on the LAN no longer works, non-VPN DNS
>> doesn't work either, which creates secondary problems.
>>
>> I test strictly IP connectivity with ssh:
>> $ ssh [email protected]
>>
>> If the VPN connection is up, this fails. If I bring down the
>> connection ("ipsec down vpn"), SSH works.
>>
>> Can someone please help?
>>
>> Prior VPN solutions I've used set up a brand new interface, so I'm
>> really stuck. I tried changing rightsubnet to 10.0.0.0/8 (the IP range
>> of the VPN), but VPN connectivity fails altogether. Other ideas I have
>> for a solution include inserting something into the routing table, or
>> getting Strongswan to somehow create its own network interface, but
>> I'm not sure. I'd appreciate some guidance towards a solution.
>>
>> Alan
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>
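
The following is an added example, not code from the thread or from the strongSwan project. It models the two kernel decisions that make the `route add` above ineffective: `ip rule` consults strongSwan's routing table 220 before `main`, so a route added to `main` is never reached, and the IPsec policy installed for rightsubnet=0.0.0.0/0 then matches every destination regardless of which route was chosen. The virtual IP 10.0.0.5, the contents of table 220, and the shape of the LAN exclusion (a bypass policy plus a LAN route with the LAN source address, as a type=passthrough conn is assumed to install) are assumptions; the other addresses are the ones quoted in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed scenario from the addresses quoted in the thread. VIRTUAL_IP and
# the contents of table 220 are assumptions about what strongSwan installs.
CLIENT, VIRTUAL_IP, LAN_PEER = "172.31.59.36", "10.0.0.5", "172.31.63.211"
LAN, ANY = "172.31.48.0/20", "0.0.0.0/0"

def lookup(dst, table):
    """Longest-prefix match in one table; rows are (prefix, gw, iface, src)."""
    dst = ip_address(dst)
    hits = [r for r in table if dst in ip_network(r[0])]
    return max(hits, key=lambda r: ip_network(r[0]).prefixlen, default=None)

def route(dst, rules):
    """Policy routing: `ip rule` consults tables in order; first hit wins."""
    for table in rules:
        r = lookup(dst, table)
        if r:
            return r
    return None

def spd(src, dst, policies):
    """SPD check, done after routing; first matching selector pair wins."""
    src, dst = ip_address(src), ip_address(dst)
    for src_sel, dst_sel, action in policies:
        if src in ip_network(src_sel) and dst in ip_network(dst_sel):
            return action
    return "plain"

def decide(dst, rules, policies):
    """Return (SPD action, egress iface) for a locally generated packet."""
    prefix, gw, iface, src = route(dst, rules)
    return spd(src or CLIENT, dst, policies), iface   # no src hint: eth0's own

MAIN = [(ANY, "172.31.48.1", "eth0", None), (LAN, None, "eth0", None)]
MAIN_PLUS = MAIN + [(LAN, "172.31.48.1", "eth0", None)]   # Alan's `route add`
# Table 220: a default route carrying the virtual IP as source address. `ip rule`
# places pref 220 ahead of main, so main is never reached for these packets.
TABLE_220 = [(ANY, "172.31.48.1", "eth0", VIRTUAL_IP)]
TUNNEL_ALL = [(VIRTUAL_IP + "/32", ANY, "tunnel")]         # rightsubnet=0.0.0.0/0
# What a LAN exclusion has to add (assumed shape of a type=passthrough conn):
# a LAN route ahead of the default with the LAN source, plus a bypass policy
# that the kernel checks before the tunnel policy.
TABLE_220_EXCL = TABLE_220 + [(LAN, None, "eth0", CLIENT)]
WITH_BYPASS = [(LAN, LAN, "passthrough")] + TUNNEL_ALL

def scenario(dst=LAN_PEER, extra_route=False, lan_excluded=False):
    rules = [TABLE_220_EXCL if lan_excluded else TABLE_220,
             MAIN_PLUS if extra_route else MAIN]
    return decide(dst, rules, WITH_BYPASS if lan_excluded else TUNNEL_ALL)[0]
```

`scenario()` and `scenario(extra_route=True)` both return "tunnel" for the LAN peer, while `scenario(lan_excluded=True)` returns "passthrough" and Internet destinations stay tunnelled.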
