cannot ping gateway after ipsec up vpn

0

After sudo ipsec up vpn, I cannot ping 192.168.1.1. It also adds 10.0.0.226 to ip addr. traceroute 192.168.1.1 yields 3 hops:

1. 23.81.21.124
2. 23.81.21.121.rdns.pingpipe.com
3. 23.108.56.0

sudo ip route add -net 192.168.1.1 netmask 255.255.255 gw 23.81.21.124 dev enp0s3 yields SIOCADDRT: Network is unreachable.

cat /etc/ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn DATVPNTHO
  keyexchange=ikev2
  dpdaction=clear
  dpddelay=300s
  eap_identity="THIS_ID_THO"
  leftauth=eap-mschapv2
  left=%defaultroute
  leftsourceip=%config
  right=whutaboutdatservertho
  rightauth=pubkey
  rightsubnet=0.0.0.0/0
  rightid=%any
  type=tunnel
  auto=add

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

How can I ping 192.168.1.1 after sudo ipsec up vpn?

Walrus the Cat

Posted 2017-12-09T21:02:55.553

Reputation: 240

Answers

0

You need to reconfigure your VPN to split tunnel. VPNs move your default route to the remote end of an encrypted tunnel, making the rest of your local network inaccessible. Split tunnel gives you an extra local route that won't go through the VPN so you can still reach other local hosts. Why do you need to ping 192.168.1.1 anyway?

scalefree

Posted 2017-12-09T21:02:55.553

Reputation: 31

This is a virtual machine and I can't ssh into the box anymore. Thanks for your feedback. Do you have any terminal code that can do what you are proposing? – Walrus the Cat – 2017-12-12T16:57:09.620

Are you saying 192.168.1.1 is a VM hosted on your local system? Sounds like it's configured to have its own IP distinct from the host's. Do you need to be able to reach it from other hosts on your local network? If not the easiest solution is probably to change its connection type to Share Host's IP. – scalefree – 2017-12-13T02:20:51.937

Can you post your ipsec.conf file? Would be easiest way to suggest changes. – scalefree – 2017-12-13T06:11:22.073

192.168.1.1 is the LAN router. Yep -- the VM is bridged so it has its own legit IP address on that network. I do need to be able to reach it from hosts on the local network, yes. – Walrus the Cat – 2017-12-13T06:16:51.370
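The split tunnel scalefree describes, written out against the asker's own ipsec.conf as an added example (this is not code from the question, the answer, or the strongSwan project). The tunnel connection is kept exactly as posted, with rightsubnet=0.0.0.0/0 still sending everything to the VPN, and a second connection of type=passthrough (a strongSwan "shunt" policy) is added so that traffic to the local LAN is matched by a more specific, unencrypted policy instead of the tunnel. Assumptions: the LAN behind the 192.168.1.1 router is 192.168.1.0/24 (the thread only states the router's address), and the connection name lan-bypass is a placeholder.

```ini
# Added split-tunnel example, not the asker's original file.
# Assumption: the local LAN is 192.168.1.0/24 (only the router 192.168.1.1 is named in the question).

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Tunnel connection, unchanged from the question: everything (0.0.0.0/0) goes through the VPN.
conn DATVPNTHO
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity="THIS_ID_THO"
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=whutaboutdatservertho
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=add

# Shunt (passthrough) policy for the local LAN. Because 192.168.1.0/24 is more specific
# than 0.0.0.0/0, the kernel matches this policy first and sends LAN traffic out in the
# clear over the normal interface route instead of into the tunnel.
# "lan-bypass" is a placeholder name; authby=never because no IKE peer is involved.
conn lan-bypass
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    authby=never
    type=passthrough
    auto=route
```

After reloading (sudo ipsec reload or a restart) and bringing the tunnel up, the shunt should appear in sudo ipsec statusall and as a policy with dir out and no template in sudo ip xfrm policy; sudo ip route get 192.168.1.1 then shows which interface and source address a packet to the router would actually use. If the chosen source address is the VPN-assigned virtual IP rather than the bridged LAN address, the remaining step is a route for 192.168.1.0/24 via the LAN interface, which is a routing issue separate from the IPsec policy this example fixes.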