Allow Strongswan roadwarrior to access local LAN

I have successfully established an IPSec tunnel between my local Linux host and a remote VPN gateway. I am using virtual IPs assigned by the gateway because, being a roadwarrior, my local LAN subnet is not fixed.

When it is up all traffic goes via the tunnel, including internet traffic. What I would like is all traffic except for the local subnet to route through the tunnel. I have read and re-read the Strongswan documentation but I cannot work out how to do this.

What do I need to do?

Local ipsec.conf

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret


conn VPN
        left=%any
        leftsourceip=%config
        [email protected]
        leftfirewall=yes
        right=52.n.n.n
        rightsubnet=0.0.0.0/0
        [email protected]
        auto=add

Server ipsec.conf

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2


conn AWSVPN
    left=%any
    leftsubnet=172.31.38.36/32
    [email protected]
    leftfirewall=yes
    authby=secret
    right=%any
    rightsourceip=10.3.0.0/28
    auto=add

Gateway

IP: 172.31.38.36 Subnet: 172.31.32.0/20

My machine

IP: 192.168.1.150 (can change) Subnet: 192.168.1.0/24 (can change) Virtual IP: 10.3.0.1 (assigned by Strongswan gateway)

EDIT:

I have managed to exclude the local network by adding this, but the subnet is hardcoded:

conn local-net
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    authby=never
    type=pass
    auto=route

Solution 1:

I can't add a comment due to low reputation, so here it is.

When it is up all traffic goes via the tunnel including internet traffic.

That can't be. You specify 'leftsubnet=172.31.38.36/32' on the server, so the client's 'rightsubnet=0.0.0.0/0' will be narrowed to just this one host.

In order to route all traffic to the VPN, you need 'leftsubnet=0.0.0.0/0' on the server too.

In the default configuration, Strongswan adds a route to the server's subnet in table 220, which in the case of server subnet '0.0.0.0/0' looks like:

$ ip route list table 220
default via 192.168.2.9 dev wlan0  proto static  src 10.3.0.2

And this table has precedence over the 'main' routing table used by default:

$ ip rule list
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

So, when the client sends a packet to the local LAN, this packet is routed by table 220, which does not have a route to the local LAN - only the default route to the VPN server. Thus, to avoid routing the local LAN's packets into the VPN, you just need to add a route to the local LAN in table 220, like:

$ ip route add table 220 192.168.1.0/24 dev wlan0

So, table 220 will now look like:

default via 192.168.2.9 dev wlan0  proto static  src 10.3.0.2
192.168.2.0/24 dev wlan0  scope link

Another possible solution is to use the 'main' routing table for routing the VPN subnet ('routing_table = 32766' in strongswan.conf), because it will already have a route to the local LAN. But in that case the current default route will be a problem: strongswan will not add another default route if there is already one.
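The dynamic-subnet version of the table-220 route described in this answer, as an added example that is not part of the original post or of the strongSwan project: a small POSIX shell script that reads the uplink interface's current IPv4 address, derives the LAN prefix from it, and puts that prefix into table 220, so the subnet no longer has to be hardcoded the way the `conn local-net` block in the question does. It assumes the uplink interface name is passed as the first argument (`wlan0` in the answer's output), that table 220 is strongSwan's default routing table, and that the route-changing `ip` call runs as root; the helper functions themselves need no privileges and no network, and the sample `ip -o -4 addr show` line is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (as root, after the tunnel is up):
#   ./lan-bypass.sh wlan0        # add/refresh the LAN route in table 220
#   ./lan-bypass.sh wlan0 del    # remove it again (e.g. when the tunnel goes down)
set -eu

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4 address.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "192.168.1.150/24" -> "192.168.1.0/24": mask the host bits off the address.
network_of() {
    addr=${1%/*}
    plen=${1#*/}
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    echo "$(int_to_ip $(( $(ip_to_int "$addr") & mask )))/$plen"
}

# Pull the "addr/prefix" token out of one line of `ip -o -4 addr show` output.
# Returns 1 if the line carries no "inet" field (interface has no IPv4 address).
cidr_from_addr_line() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "inet" ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    return 1
}

# The command that pins the LAN prefix into strongSwan's table 220.
# `replace` rather than `add` so re-running after a DHCP change is idempotent.
# $1: interface, $2: the interface's current "addr/prefix".
lan_route_cmd() {
    echo "ip route replace table 220 $(network_of "$2") dev $1"
}

# Only act when an interface was given; sourcing the file just defines the helpers.
if [ $# -ge 1 ]; then
    ifname=$1
    action=${2:-add}
    line=$(ip -o -4 addr show dev "$ifname" scope global | head -n 1)
    cidr=$(cidr_from_addr_line "$line") || {
        echo "no global IPv4 address on $ifname" >&2
        exit 1
    }
    prefix=$(network_of "$cidr")
    case "$action" in
        add)
            echo "applying: $(lan_route_cmd "$ifname" "$cidr")"
            ip route replace table 220 "$prefix" dev "$ifname"
            ;;
        del)
            ip route del table 220 "$prefix" dev "$ifname"
            ;;
        *)
            echo "usage: $0 <interface> [add|del]" >&2
            exit 2
            ;;
    esac
    # Show the resulting table so the bypass route can be verified, as in the answer.
    ip route list table 220
fi
```

Run it once after `ipsec up VPN` and again whenever the uplink's address changes; because it reads the prefix from the interface instead of a config file, the same script works on any LAN the roadwarrior connects from. Note that a prefix learned this way inherits whatever the local DHCP server hands out, so if the LAN happens to overlap the remote side (172.31.32.0/20 here) the bypass route will shadow those remote hosts, which is the same trade-off as the hardcoded `type=pass` connection in the question.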