IPSec + IKEV2 + pub. key authentication - no access to lan

Discussion in 'Installation/Configuration' started by Leszek, Dec 14, 2018.

  1. Leszek

    Leszek Member

    Hello,
    I have a server with Ubuntu 16.04.5 LTS as an IPSec server, which acts as a gateway to a LAN network (192.168.1.0/24). It's going to be a gateway for many road warriors. It needs to be as secure as possible.
    My target is to set up IPSec on strongSwan + IKEv2 + public key authentication, compatible with current Linux distributions, current Android and Windows 7+. Also, I wish the client machines would have to use their own Internet connection, but have access to servers on the LAN.
    I've generated all certificates and am able to connect/authenticate.
    The problem is that I can't reach devices on the LAN (192.168.1.201/24).
    So far I have only tested it on Android with the strongSwan application.

    Here's my /etc/ipsec.conf:

    Code:
    config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
        uniqueids=yes
    
    conn %default
        keyexchange=ikev2
        ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1!
        dpdaction=restart
        dpddelay=60s
        ikelifetime=60m
        keylife=20m
        keyingtries=%forever
        fragmentation=yes
        closeaction=restart
        left=%defaultroute
        [email protected]
        leftauth=pubkey
        leftcert=vpnHostCert.der
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        auto=add
    
    conn mobile
        rightsourceip=10.42.42.1
        rightdns=8.8.8.8
        rightsendcert=never
        leftsubnet=10.42.42.0/24
        lefthostaccess=yes
    
    conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add
    
    Please feel free to turn this file upside down and ask for whatever might be missing.

    Thanks in advance.
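The following is an added example, not part of the thread and not strongSwan's own tooling. It is a small Python checker that parses an ipsec.conf, applies the `conn %default` inheritance the way charon does, and then reports the settings that prevent split-tunnel LAN access: a `leftsubnet` that does not cover the LAN (the gateway only offers the virtual-IP range, so the client never tunnels 192.168.1.0/24), a `rightsourceip` that is a single host instead of a pool, a `leftsubnet=0.0.0.0/0` that turns the conn into a full tunnel, and deprecated algorithms in the inherited proposals. The embedded configuration is a constructed, abridged copy of the one posted above; the `leftid` value is a placeholder because the original was not recoverable, and `FIXED_CONF` is an assumed correction that changes only the two traffic-selector lines.

```python
import ipaddress

# Constructed sample: the posted ipsec.conf, abridged to the keys that matter
# for routing. leftid is a placeholder (the original value is not on the page).
POSTED_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1!
    leftid=@vpn.example.invalid
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add

conn mobile
    rightsourceip=10.42.42.1
    rightdns=8.8.8.8
    rightsendcert=never
    leftsubnet=10.42.42.0/24
    lefthostaccess=yes

conn IPSec-IKEv2
    keyexchange=ikev2
"""

# Assumed correction: the gateway offers the LAN prefix as traffic selector and
# hands out virtual IPs from a /24 pool. Nothing else is changed.
FIXED_CONF = POSTED_CONF.replace(
    "    rightsourceip=10.42.42.1\n", "    rightsourceip=10.42.42.0/24\n"
).replace(
    "    leftsubnet=10.42.42.0/24\n", "    leftsubnet=192.168.1.0/24\n"
)

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN behind the gateway, from the post
WEAK = ("modp1024", "3des", "md5")             # algorithms a reviewer would flag


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {"conn name": {key: value}, ...}.

    Section headers start in column 0; indented key=value lines belong to the
    most recent section; lines starting with '#' are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    return sections


def effective(sections, conn):
    """Settings of one conn with 'conn %default' applied underneath."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {conn}"])
    return merged


def lint_roadwarrior_conn(sections, conn, lan=LAN):
    """Findings for a conn meant to give roadwarriors split-tunnel LAN access."""
    cfg = effective(sections, conn)
    findings = []

    # leftsubnet is the traffic selector the gateway offers; the client only
    # sends traffic for these prefixes into the tunnel, so the LAN must be inside.
    offered = [ipaddress.ip_network(s.strip(), strict=False)
               for s in cfg.get("leftsubnet", "").split(",") if s.strip()]
    if not any(lan.subnet_of(n) for n in offered if n.version == lan.version):
        findings.append(f"leftsubnet={cfg.get('leftsubnet')} does not cover LAN {lan}")
    if any(n.prefixlen == 0 for n in offered):
        findings.append("leftsubnet offers a default route: full tunnel, not split tunnel")

    # rightsourceip should be a pool (CIDR or %poolname); a single address means
    # every roadwarrior competes for the same virtual IP.
    pool = cfg.get("rightsourceip", "")
    if pool and "/" not in pool and not pool.startswith("%"):
        findings.append(f"rightsourceip={pool} is a single address, not a pool")

    # proposals are usually inherited from %default, so check the merged view
    for key in ("ike", "esp"):
        for alg in WEAK:
            if alg in cfg.get(key, ""):
                findings.append(f"{key} proposal includes deprecated {alg}")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for conn in ("mobile", "IPSec-IKEv2"):
            print(label, conn, lint_roadwarrior_conn(parse_ipsec_conf(conf), conn))
```

Running it on the posted configuration reports, for `conn mobile`, the missing LAN prefix, the single-address pool and the deprecated groups and ciphers; for `conn IPSec-IKEv2` it reports that the inherited `leftsubnet=0.0.0.0/0` makes every client tunnel all of its traffic, the opposite of what the post asks for. The corrected variant only leaves the algorithm findings, which have to be weighed against the stated Windows 7 requirement, since the built-in Windows 7 client negotiates modp1024 by default. Fixing the conn is necessary but not sufficient: the gateway must also have IP forwarding enabled and firewall FORWARD rules that permit traffic between the virtual-IP pool and the LAN, and the LAN hosts need either a return route for 10.42.42.0/24 or source NAT on the gateway.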
     
  2. Leszek

    Leszek Member
