VPN
Sergey Voronezhev, 2015-12-09 21:53:27

How to disable all traffic routing through VPN in Ubuntu?

Honestly, I'm not familiar with iptables settings or with routing on Linux in general, so if you need any configs or logs besides those given here, let me know.
Thanks in advance for your help.
So. I installed the packages strongswan, nm-strongswan and network-manager-strongswan.
The client connection uses IKEv2 with certificates; the connection comes up, but it redirects all traffic over the VPN.
If I enable "Use this connection only for resources on its network" in the settings, all traffic is redirected anyway, i.e. there is no access to network resources.
Gateway: 10.10.16.1
VPN Gateway: 10.10.10.5
ip route show:
default via 10.10.16.1 dev eth0 proto static
10.10.1.0 via 10.10.10.5 dev tun0 proto static metric 200
dev tun0 proto static scope link
10.10.16.0/26 dev eth0 proto kernel scope link src 10.10.16.60 metric 1
ip route show table local:
local 10.10.1.13 dev eth0 proto kernel scope host src 10.10.1.13
local 10.10.1.13 dev tun0 proto kernel scope host src 10.10.1.13
broadcast 10.10.1.13 dev tun0 proto kernel scope link src 10.10.1.13
broadcast 10.10.16.0 dev eth0 proto kernel scope link src 10.10.16.60
local 10.10.16.60 .16.60
broadcast 10.10.16.63 dev eth0 proto kernel scope link src 10.10.16.60
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
ip rule:
0: from all lookup local
220: from all lookup 220
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
There was an idea to configure the connection manually via ipsec.conf:
conn hide
    eap_identity=%any
    keyexchange=ikev2
    right=*Server address*
    rightsubnet=0.0.0.0/0
    rightid=%any
    leftauth=pubkey
    rightauth=%any
    leftca=/etc/ipsec.d/cacerts/strongswanCert.pem
    leftcert=/etc/ipsec.d/certs/*User certificate*.der
    left=%defaultroute
    leftfirewall=yes
    mobike=yes
    auto=add
ipsec.secrets:
: RSA /etc/ipsec.d/certs/*user certificate key *.der
End of log:
initiating IKE_SA hide[1] to *Server address*
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from *IPMachine*[500] to *Server address*[ 500] (1076 bytes)
received packet: from *Server address*[500] to *IPMachine*[500] (273 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alive
received cert request for "*root certificate*"
sending cert request for "*root certificate*"
authentication of '*user certificate*' (myself) with RSA signature successful
sending end entity cert "*user certificate*"
establishing CHILD_SA hide
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from *IPMachine*[4500] to *ServerAddress*[4500] (1968 bytes)
received packet: from *Server address*[4500] to *IPMachine*[4500] (1648 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
received end entity cert "*apparently the key from the user certificate*"
using certificate "*apparently the key from the user certificate*"
using trusted ca certificate "*root certificate*"
checking certificate status of "*apparently the key from the user certificate*"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of '*apparently the key from the user's certificate*' with RSA signature successful
IKE_SA hide[1] established between *IPMachine*[*user certificate*]...*Address server*[*apparently the key from the user certificate*]
scheduling reauthentication in 10034s
maximum IKE_SA lifetime 10574s
received FAILED_CP_REQUIRED notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'hide' failed

1 answer(s)
Janus74, 2015-12-21
@saintfr3ak

In the VPN config of the client, you need to specify that it should not create a default route.
