[Openswan Users]Can't ssh into external interface when tunnel up
with "leftsubnet=0.0.0.0/0"
bigred at teksavvy.com
Fri Aug 12 12:13:49 CEST 2005
-----Original message-----
From: Paul Wouters paul at xelerance.com
Date: Thu, 11 Aug 2005 17:56:39 -0400
To: bigred at teksavvy.com
Subject: Re: [Openswan Users]
> On Thu, 11 Aug 2005, bigred at teksavvy.com wrote:
>
> > Using Freeswan 1.91.
>
> That must be over five years old.......
>
> > I have a tunnel where leftsubnet is 0.0.0.0/0 (the Freeswan documentation refers to this as "The Internet as a big subnet"). When the tunnel is down I can ssh to the external IP fine. When the tunnel is up, I ssh across the tunnel fine, but can't ssh to the external IP. I've spent days trying to find a solution to this the problem with no success.
>
> I am not entirely sure from where to where you are trying to ssh. Can you give some more information?
Thanks for responding - I've never used a mailing list before so please bear with me if I'm doing things incorrectly as I'm a newbie.
Here's my connection description:
conn my-connection
	authby=rsasig
	leftid=@freeswan-gateway.kpsi.com
	leftrsasigkey=a rsasig
	left=a.b.c.d
	leftsubnet=0.0.0.0/0
	rightsubnet=172.26.47.0/24
	rightid=@9997.kpsi.com
	rightrsasigkey=a different rsasig
	right=%defaultroute
	auto=start
The linux box is connected to a PPPOE based dsl connection that gives me an IP of e.f.g.h and a default gateway of w.x.y.z.
The internal interface IP is 172.26.47.100.
When the tunnel is down I can ssh to e.f.g.h fine. When the tunnel is up, I can't ssh to e.f.g.h but can (obviously using the tunnel) ssh to 172.26.47.0/24. As a test, I changed leftsubnet=0.0.0.0/0 to 192.168.1.0/24 (and made the corresponding changes on the other end) and I could ssh to e.f.g.h regardless of whether the tunnel was up or down.
I am trying to set the VPN box up so I can always ssh (from the outside) to e.f.g.h and, when the tunnel is up, ssh (using the tunnel) to 172.26.47.100. At the same time, everything from the rightsubnet is forced to go across the tunnel to access the internet ("The Internet as a big subnet").
Here's my routing table:
[root at 9997 /root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
w.x.y.z         0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
w.x.y.z         0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
172.26.47.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         w.x.y.z         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       w.x.z.z         128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         w.x.y.z         0.0.0.0         UG    0      0        0 ppp0
I think the route(s) that Freeswan adds play a role in the problem, specifically:
0.0.0.0         w.x.y.z         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       w.x.z.z         128.0.0.0       UG    0      0        0 ipsec0
At this point I'm stumped and would appreciate any suggestions you might have.
Vaughan
>
> Paul
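The routing table above is enough to reproduce the effect Vaughan describes, because the two 128.0.0.0 (/1) routes that FreeS/WAN installs for leftsubnet=0.0.0.0/0 are more specific than the 0.0.0.0/0 default route and therefore win longest-prefix matching for every destination that has no narrower route, including the outside host that is trying to ssh to e.f.g.h. The script below is an added worked example, not code from the post or from the FreeS/WAN project: it walks the table with a longest-prefix lookup and shows which interface a reply packet leaves by with the tunnel down and with it up. The placeholder addresses from the mail are replaced with documentation-range stand-ins (w.x.y.z becomes 203.0.113.1, the outside ssh client is 198.51.100.7), and the tie-break rule "first listed route wins for equal prefix lengths" is an assumption made so the two w.x.y.z host routes resolve the way `route -n` lists them.

```python
"""Longest-prefix-match walk over the routing table quoted in the post.

Constructed example (not from the post or the FreeS/WAN project). Address
stand-ins, all assumptions so the lookup can run offline:
  w.x.y.z  (ppp0 peer / default gateway)  -> 203.0.113.1
  e.f.g.h  (the box's own external IP)    -> 203.0.113.50
  an outside ssh client                   -> 198.51.100.7
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: str
    genmask: str
    gateway: str
    iface: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts a dotted netmask after the slash.
        return ipaddress.IPv4Network(f"{self.dest}/{self.genmask}")


# The table in the same order `route -n` printed it in the post; the ipsec0
# entries are the ones FreeS/WAN adds while the tunnel is up.
ROUTES: List[Route] = [
    Route("203.0.113.1",   "255.255.255.255", "0.0.0.0",     "ppp0"),
    Route("203.0.113.1",   "255.255.255.255", "0.0.0.0",     "ipsec0"),
    Route("172.26.47.0",   "255.255.255.0",   "0.0.0.0",     "eth1"),
    Route("192.168.254.0", "255.255.255.0",   "0.0.0.0",     "eth0"),
    Route("127.0.0.0",     "255.0.0.0",       "0.0.0.0",     "lo"),
    Route("0.0.0.0",       "128.0.0.0",       "203.0.113.1", "ipsec0"),
    Route("128.0.0.0",     "128.0.0.0",       "203.0.113.1", "ipsec0"),
    Route("0.0.0.0",       "0.0.0.0",         "203.0.113.1", "ppp0"),
]


def routing_table(tunnel_up: bool) -> List[Route]:
    """With the tunnel down, FreeS/WAN's ipsec0 routes are simply absent."""
    return [r for r in ROUTES if tunnel_up or r.iface != "ipsec0"]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the matching route with the longest prefix.

    Assumption: among matches of equal prefix length the first one listed
    wins, which is how the two w.x.y.z host routes are ordered in the post.
    """
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.network and (
            best is None or r.network.prefixlen > best.network.prefixlen
        ):
            best = r
    return best


def egress_iface(dst: str, tunnel_up: bool) -> str:
    """Interface a packet to `dst` leaves by, or 'unreachable'."""
    r = lookup(routing_table(tunnel_up), dst)
    return r.iface if r is None else r.iface if True else "unreachable"


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed outside host sshing to e.f.g.h
    for up in (False, True):
        state = "up" if up else "down"
        print(f"tunnel {state}: ssh reply to {client} leaves via "
              f"{egress_iface(client, up)}")
        print(f"tunnel {state}: packet to 172.26.47.5 leaves via "
              f"{egress_iface('172.26.47.5', up)}")
```

With the tunnel down the reply to the outside client takes the 0.0.0.0/0 route out ppp0, so the ssh session works; with the tunnel up the same reply matches 128.0.0.0/1 and is handed to ipsec0 instead, which is the symptom in the mail. Destinations with a narrower route of their own (172.26.47.0/24 on eth1, the w.x.y.z host route on ppp0) are unaffected, matching the observation that traffic across the tunnel and to the peer still works.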