[Openswan Users]Can't ssh into external interface when tunnel up with "leftsubnet=0.0.0.0/0"

bigred at teksavvy.com
Fri Aug 12 12:13:49 CEST 2005


-----Original message-----
From: Paul Wouters paul at xelerance.com
Date: Thu, 11 Aug 2005 17:56:39 -0400
To: bigred at teksavvy.com
Subject: Re: [Openswan Users]

> On Thu, 11 Aug 2005, bigred at teksavvy.com wrote:
> 
> > Using Freeswan 1.91.
> 
> That must be over five years old.......
> 
> > I have a tunnel where leftsubnet is 0.0.0.0/0 (the Freeswan documentation refers to this as "The Internet as a big subnet").  When the tunnel is down I can ssh to the external IP fine.  When the tunnel is up, I ssh across the tunnel fine, but can't ssh to the external IP.  I've spent days trying to find a solution to this problem with no success.
> 
> I am not entirely sure from where to where you are trying to ssh. Can you give some more information?

Thanks for responding - I've never used a mailing list before so please bear with me if I'm doing things incorrectly as I'm a newbie.

Here's my connection description:

conn my-connection
       authby=rsasig
       leftid=@freeswan-gateway.kpsi.com
       leftrsasigkey=a rsasig
       left=a.b.c.d
       leftsubnet=0.0.0.0/0
       rightsubnet=172.26.47.0/24
       rightid=@9997.kpsi.com
       rightrsasigkey=a different rsasig
       right=%defaultroute
       auto=start

The linux box is connected to a PPPOE based dsl connection that gives me an IP of e.f.g.h and a default gateway of w.x.y.z. The internal interface IP is 172.26.47.100.

When the tunnel is down I can ssh to e.f.g.h fine.  When the tunnel is up, I can't ssh to e.f.g.h but can (obviously using the tunnel) ssh to 172.26.47.0/24.  As a test, I changed leftsubnet=0.0.0.0/0 to 192.168.1.0/24 (and made the corresponding changes on the other end) and I could ssh to e.f.g.h regardless of whether the tunnel was up or down.

I am trying to set the VPN box up so I can always ssh (from the outside) to e.f.g.h and, when the tunnel is up, ssh (using the tunnel) to 172.26.47.100. At the same time, everything from the rightsubnet is forced to go across the tunnel to access the internet ("The Internet as a big subnet").

Here's my routing table:

[root at 9997 /root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
w.x.y.z         0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
w.x.y.z         0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
172.26.47.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         w.x.y.z         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       w.x.z.z         128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         w.x.y.z         0.0.0.0         UG    0      0        0 ppp0


I think the route(s) that Freeswan adds play a role in the problem, specifically:

0.0.0.0         w.x.y.z         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       w.x.z.z         128.0.0.0       UG    0      0        0 ipsec0

At this point I'm stumped and would appreciate any suggestions you might have.

Vaughan



> 
> Paul
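As an added illustration (not part of the original thread or of FreeS/WAN itself), the lookup below parses a routing table constructed from Vaughan's `route -n` listing and applies longest-prefix matching the way the kernel does. It shows that once the two 128.0.0.0-mask (/1) routes via ipsec0 exist, a reply to any outside address is steered into ipsec0 instead of ppp0, which matches the suspicion above; with those routes gone the same reply leaves via ppp0. The anonymised gateway w.x.y.z is replaced by the documentation address 198.51.100.1 (an assumption).

```python
# Added example: longest-prefix-match lookup over the posted routing table.
import ipaddress

# Constructed from the `route -n` output in the post; 198.51.100.1 stands in
# for the anonymised default gateway w.x.y.z (assumption).
ROUTE_N_TUNNEL_UP = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
198.51.100.1    0.0.0.0         255.255.255.255 UH    0     0   0   ppp0
198.51.100.1    0.0.0.0         255.255.255.255 UH    0     0   0   ipsec0
172.26.47.0     0.0.0.0         255.255.255.0   U     0     0   0   eth1
192.168.254.0   0.0.0.0         255.255.255.0   U     0     0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0     0   0   lo
0.0.0.0         198.51.100.1    128.0.0.0       UG    0     0   0   ipsec0
128.0.0.0       198.51.100.1    128.0.0.0       UG    0     0   0   ipsec0
0.0.0.0         198.51.100.1    0.0.0.0         UG    0     0   0   ppp0
"""


def parse_route_n(text):
    """Turn `route -n` style output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Return the egress interface: the most specific matching route wins.

    Ties on prefix length go to the route listed first, as max() returns the
    first maximal element (the kernel also prefers the earlier entry).
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[2]


def without_tunnel_routes(routes):
    """The table once the tunnel is down: FreeS/WAN's ipsec0 routes are gone."""
    return [r for r in routes if r[2] != "ipsec0"]


if __name__ == "__main__":
    up = parse_route_n(ROUTE_N_TUNNEL_UP)
    print("reply to 203.0.113.7, tunnel up:  ", lookup(up, "203.0.113.7"))
    print("reply to 203.0.113.7, tunnel down:", lookup(without_tunnel_routes(up), "203.0.113.7"))
    print("packet to 172.26.47.50:           ", lookup(up, "172.26.47.50"))
```

Any outside client address (here the documentation address 203.0.113.7) falls into one of the two /1 routes, so replies to an ssh session on e.f.g.h are handed to ipsec0 while the tunnel is up, whereas the 192.168.1.0/24 test leaves the default route via ppp0 untouched.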


