[Openswan Users]Can't ssh into external interface when tunnel up with "leftsubnet=0.0.0.0/0"

bigred at teksavvy.com bigred at teksavvy.com
Fri Aug 12 13:37:16 CEST 2005


-----Original message-----
From: Paul Wouters paul at xelerance.com
Date: Fri, 12 Aug 2005 11:52:11 -0400
To: bigred at teksavvy.com
Subject: Re: [Openswan Users]

> On Fri, 12 Aug 2005, bigred at teksavvy.com wrote:
> 
> > Here's my connection description:
> >
> > conn my-connection
> >        authby=rsasig
> >        leftid=@freeswan-gateway.kpsi.com
> >        leftrsasigkey=a rsasig
> >        left=a.b.c.d
> >        leftsubnet=0.0.0.0/0
> >        rightsubnet=172.26.47.0/24
> >        rightid=@9997.kpsi.com
> >        rightrsasigkey=a different rsasig
> >        right=%defaultroute
> >        auto=start
> >
> > The linux box is connected to a PPPOE based dsl connection that gives me an IP of e.f.g.h and a default gateway of w.x.y.z.
> > The internal interface IP is 172.26.47.100.
> >
> > When the tunnel is down I can ssh to e.f.g.h fine.  When the tunnel is up, I can't ssh to e.f.g.h but can
> > (obviously using the tunnel) ssh to 172.26.47.0/24.  As a test, I changed leftsubnet=0.0.0.0/0 to 192.168.1.0/24
> > (and made the corresponding changes on the other end) and I could ssh to e.f.g.h regardless of whether the tunnel
> > was up or down.
> 
> Are you trying to ssh from the remote VPN endpoint? I do not understand the
> issue still. I have servers connecting that receive a subnet and use a
> rightsubnet=0.0.0.0/0 but I could always just reach the server by either its
> real PPPoE IP address, or one of the IPs from the subnet it used itself.

I'm trying to ssh from an IP that is completely independent from any of the IPs involved with the tunnel (it's actually a completely different ISP) to e.f.g.h.

> 
> Are you using: include /etc/ipsec.d/examples/no_oe.conf to disable OE?

I'm using FreeS/WAN 1.91, so I don't think OE is an issue here.


> 
> You can try adding a passthrough conn :
> 
> conn exclude-remote
>              authby=never
>              left=e.f.g.h
>              right=%any
>              type=passthrough
>              auto=route


