3

I have successfully established an IPSec tunnel between my local Linux host and a remote VPN gateway. I am using virtual IPs assign by the gateway because being a roadwarrior my local LAN subnet is not fixed.

When it is up all traffic goes via the tunnel including internet traffic. What I would like is all traffic except for the local subnet to route throught the tunnel. I have read and re-read the Strongswan documentation but I cannot work out how to do this.

What do I need to do?

Local ipsec.conf

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret


conn VPN
        left=%any
        leftsourceip=%config
        leftid=@robin.my.net
        leftfirewall=yes
        right=52.n.n.n
        rightsubnet=0.0.0.0/0
        rightid=@vpn.my.net
        auto=add

Server ipsec.conf

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2


conn AWSVPN
    left=%any
    leftsubnet=172.31.38.36/32
    leftid=@vpn.my.net
    leftfirewall=yes
    authby=secret
    right=%any
    rightsourceip=10.3.0.0/28
    auto=add

Gateway

IP: 172.31.38.36 Subnet: 172.31.32.0/20

My machine

IP: 192.168.1.150 (can change) Subnet: 192.168.1.0/24 (can change) Virtual IP: 10.3.0.1 (assigned by Strongswan gateway)

EDIT:

I have managed to exclude the local network by adding this but the subnet is hardcoded:

conn local-net
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    authby=never
    type=pass
    auto=route
Robin Elvin
  • 141
  • 1
  • 1
  • 5
  • 1
    Yes, adding a passthrough policy is the best option for this. If you don't want to hardcode it you could probably write a script (e.g. triggered by some NetworkManager events) that writes a config snippet with the local-net conn section (that you then include in `ipsec.conf`) and reloads the config via `ipsec update`. It's also possible to install/uninstall such policies manually via `ip xfrm policy`. – ecdsa Aug 03 '15 at 10:40

1 Answers1

5

I can't add comment due to a low reputation, so here it is..

When it is up all traffic goes via the tunnel including internet traffic.

That can't be. Your specify on server 'leftsubnet=172.31.38.36/32', so client's 'rightsubnet=0.0.0.0/0' will be narrowed to just this one host.

In order to route all traffic to VPN, you need 'leftsubnet=0.0.0.0/0' on server too.

In default configuration, Strongswan adds route to server's subnet in table 220, which in case of server subnet '0.0.0.0/0' looks like:

$ ip route list table 220
default via 192.168.2.9 dev wlan0  proto static  src 10.3.0.2

And this table has precedence over 'main' routing table used by default:

$ ip rule list
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

So, when client sends packet to local LAN, this packet is routed by table 220, which does not have route to local LAN - only default route to VPN server. Thus, to not route local LAN's packets into VPN, you just need to add route to local LAN in table 220, like:

$ ip route add table 220 192.168.1.0/24 dev wlan0

So, the table 220 now will look like:

default via 192.168.2.9 dev wlan0  proto static  src 10.3.0.2
192.168.2.0/24 dev wlan0  scope link

Another possible solution is to use 'main' routing table for routing VPN subnet ('routing_table = 32766' in strongswan.conf), because it will already have route to local LAN. But in that case current default route will be a problem: strongswan will not add another default route, if there is already one..

Dmitriy Matrosov
  • 51
  • 1
  • 3