On 29.03.19 at 16:54, Tony Phillips wrote:
> When my tunnel comes up, locations at the destination of the VPN are
> reachable as desired.
>
> However, in my use case, I want to prevent anything talking to the client on
> its real interface (bypassing the tunnel). Right now, even with the tunnel
> up, I can SSH into the client's real eth0 interface's IP address *and* the
> tunnel IP address.
>
> I've tried removing the original default route (and of course adding a
> host-specific route so the client knows how to get to the VPN server), but
> it still doesn't stop traffic from "outside" the VPN from reaching the client.
>
> Here's my ipsec.conf file:
>
> config setup
>         charondebug=1
>
> conn %default
>         ikelifetime=20m
>         reauth=yes
>         rekey=yes
>         keylife=10m
>         rekeymargin=3m
>         rekeyfuzz=0%
>         keyingtries=1
>         type=tunnel
>
> conn test
>         keyexchange=ikev1
>         ikelifetime=1440m
>         keylife=60m
>         aggressive=yes
>         ike=aes-sha1-modp1024
>         esp=aes-sha1
>         xauth=client
>         left=10.181.43.20
>         leftid=(omitted)
>         leftsourceip=%modeconfig
>         leftauth=psk
>         rightauth=psk
>         leftauth2=xauth
>         right=10.248.1.2
>         rightsubnet=0.0.0.0/
>         xauth_identity=test
>         auto=add
>
> From my understanding of the documentation, what I'm asking for SHOULD be the
> default behavior. But I'm obviously missing something.
>
> The address I'm given by the VPN server is in the 10.248.60/19 range.
Set up a local firewall. Trigger it with the setup of the tunnel.

Kind regards,

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
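One way to do what the reply suggests, as an added example that is not code from the thread or from strongSwan: a `leftupdown` script that installs a fencing chain on the client's real interface when the CHILD_SA comes up and removes it when it goes down. It assumes the script is wired in with `leftupdown=/etc/ipsec.d/vpn-fence.sh` in `conn test`, and relies on the `PLUTO_VERB`, `PLUTO_INTERFACE` and `PLUTO_PEER` variables that strongSwan exports to updown scripts; the chain name `VPNFENCE` is the example's own choice.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: a leftupdown
# script that fences the client's real interface while the tunnel is up.
# Assumed wiring: leftupdown=/etc/ipsec.d/vpn-fence.sh in "conn test".
# strongSwan exports PLUTO_VERB (up-client/down-client/...), PLUTO_INTERFACE
# (outer interface, e.g. eth0) and PLUTO_PEER (the VPN server) to the script.

CHAIN=VPNFENCE   # example's own chain name

# Print the iptables commands for one verb, one per line. Keeping this a
# pure function makes the rule set easy to review and test without root.
fence_rules() {
    verb=$1 iface=$2 peer=$3
    case "$verb" in
    up-*)
        echo "iptables -N $CHAIN"
        # Replies to the client's own outbound flows (IKE, DHCP, ...).
        echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # IKE (500/4500) and ESP, accepted only from the VPN server.
        echo "iptables -A $CHAIN -s $peer -p udp -m multiport --dports 500,4500 -j ACCEPT"
        echo "iptables -A $CHAIN -s $peer -p esp -j ACCEPT"
        # Decrypted tunnel packets re-enter on the same interface; the policy
        # match is what tells them apart from plain-text arrivals on eth0.
        echo "iptables -A $CHAIN -m policy --dir in --pol ipsec -j ACCEPT"
        echo "iptables -A $CHAIN -j DROP"
        # Hook the chain in last, so it is complete before traffic hits it.
        echo "iptables -I INPUT -i $iface -j $CHAIN"
        ;;
    down-*)
        echo "iptables -D INPUT -i $iface -j $CHAIN"
        echo "iptables -F $CHAIN"
        echo "iptables -X $CHAIN"
        ;;
    esac
}

# Entry point when charon runs the script: apply each rule, stop on failure.
if [ -n "${PLUTO_VERB:-}" ]; then
    fence_rules "$PLUTO_VERB" "$PLUTO_INTERFACE" "$PLUTO_PEER" | while read -r cmd; do
        $cmd || { echo "vpn-fence: failed: $cmd" >&2; exit 1; }
    done
fi
```

Without the `-m policy` rule, the SSH session that arrives through the tunnel would be dropped as well, because on Linux the decrypted packet is delivered on the same interface as the ESP packet that carried it.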