The problem: after establishing an IPsec VPN tunnel all traffic is routed to the remote endpoint, while I only need to route the packets destined to that internal network and still be able to access the internet on my local machine. Currently, when I enable the according VPN connection – all connectivity drops, meaning it's not possible to reach this machine over my LAN or access the internet through it (there is a restriction on the remote end for further WAN forwarding). So, only the VPN works in this case.
The topology: http://i.imgur.com/9HEru.png
I'm using OpenSwan on a Debian-based distro and also behind NAT (traversal enabled).
Here are the details of ipsec.conf:
version 2.0
config setup
plutodebug="none"
plutoopts="–perpeerlog"
plutoopts="–interface=wlan2"
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.196.0.0/17,%v4:!192.168.1.0/24
oe=off
protostack=netkeyconn z
authby=secret
keylife=1h
pfs=yes
auto=add
phase2alg=aes128-sha1;modp1024
keyingtries=3
ikelifetime=8h
type=tunnel
left=192.168.1.76
leftsubnet=0.0.0.0/0
leftprotoport=0/0
right=y.y.y.y
rightsubnet=0.0.0.0/0
rightprotoport=0/0
Here are partial details of ifconfig:
wlan0 Link encap:Ethernet HWaddr 00:13:02:46:42:8d
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)wlan2 Link encap:Ethernet HWaddr 94:0c:6d:8d:28:0f
inet addr:192.168.1.76 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::960c:6dff:fe8d:280f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:125221 errors:0 dropped:0 overruns:0 frame:0
TX packets:89332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:151498702 (151.4 MB) TX bytes:18233148 (18.2 MB)
Here are the details of route -n:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 wlan2
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan2
192.168.1.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan2
As you can see – the machine is connected over WiFi on wlan2 and this is the interface that is taking part in the VPN setup. So, what would you suggest doing, in order to solve the problem of losing internet access after enabling the tunnel? Thank you.
Best Answer
This is the problem:
with this line you tell openswan that the endpoint of the tunnel is "everything", so all packets are routed through the vpn.
Replace 0.0.0.0/0 with the network(s) you want to reach behind the gateway. The config on the client and server has to match, so edit both.