Hello, I have a server with Ubuntu 16.04.5 LTS as an IPSec server, which acts as a gateway to a LAN network (192.168.1.0/24). It's going to be a gateway for many road warriors. It needs to be as secure as possible. My target is to set up IPSec on strongSwan + IKEv2 + public key authentication compatible with current Linux distributions, current Android and Windows 7+. Also I wish the client machines would have to use their own Internet connection, but have access to servers on the LAN. I've generated all certificates and am able to connect/authenticate. The problem is that I can't reach devices on the LAN (192.168.1.201/24). So far I have only tested it on Android and the strongSwan application. Here's my /etc/ipsec.conf:

Code:
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    uniqueids=yes

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1!
    dpdaction=restart
    dpddelay=60s
    ikelifetime=60m
    keylife=20m
    keyingtries=%forever
    fragmentation=yes
    closeaction=restart
    left=%defaultroute
    [email protected]
    leftauth=pubkey
    leftcert=vpnHostCert.der
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add

conn mobile
    rightsourceip=10.42.42.1
    rightdns=8.8.8.8
    rightsendcert=never
    leftsubnet=10.42.42.0/24
    lefthostaccess=yes

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

Please feel free to turn this file upside down and ask for whatever might be missing. Thanks in advance.
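As an added example (not from this thread), a small Python parser for the ipsec.conf format posted above, plus a lint that shows why a road-warrior conn cannot reach the LAN. The sample conf lines and the LAN 192.168.1.0/24 are taken from the question; the function names and finding messages are my own.

```python
import ipaddress
import re

# Constructed sample: the conn-relevant lines of the ipsec.conf posted above.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    right=%any

conn mobile
    rightsourceip=10.42.42.1
    leftsubnet=10.42.42.0/24
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}, with 'conn %default' merged into every other conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)\s*$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections.setdefault(current, {})
        elif current and "=" in line:                 # indented key=value inside a section
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    default = sections.get("conn %default", {})
    for name in sections:
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**default, **sections[name]}   # conn keys override %default
    return sections

def lint_roadwarrior(conn, lan):
    """Findings that explain why clients of `conn` cannot reach the `lan` network."""
    findings = []
    lan_net = ipaddress.ip_network(lan)
    pool = conn.get("rightsourceip", "")
    if not pool:
        findings.append("rightsourceip missing: clients are assigned no virtual IP")
    elif not pool.startswith("%") and "/" not in pool:
        findings.append(f"rightsourceip={pool} is one address, not a pool (e.g. 10.42.42.0/24)")
    selectors = [ipaddress.ip_network(s.strip(), strict=False)
                 for s in conn.get("leftsubnet", "").split(",") if s.strip()]
    if not any(lan_net.subnet_of(s) for s in selectors if s.version == lan_net.version):
        findings.append(f"leftsubnet={conn.get('leftsubnet')} does not cover {lan}: "
                        "no CHILD_SA will carry LAN traffic")
    return findings
```

Even with leftsubnet and rightsourceip corrected, the gateway also needs net.ipv4.ip_forward=1 and FORWARD rules that admit the virtual-IP pool, and the LAN hosts need a route back to that pool via the gateway (or the gateway must SNAT it).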
I'm trying to go through https://www.strongswan.org/testing/testresults/ikev2/virtual-ip/ as it seems to be what I want, but without luck so far.
You need to add forwarding to firewalld:

Code:
firewall-cmd --zone=public --permanent --add-forward
firewall-cmd --reload