IPSec + IKEV2 + pub. key authentication - no access to lan

Discussion in 'Installation/Configuration' started by Leszek, Dec 14, 2018.

  1. Leszek

    Leszek Member

    Hello,
    I have a server with Ubuntu 16.04.5 LTS as an IPSec server, which acts as a gateway to a LAN network (192.168.1.0/24). It's going to be a gateway for many roadwarriors. It needs to be as secure as possible.
    My target is to set up IPSec on Strongswan + IKEv2 + public key authentication, compatible with current Linux distributions, current Android and Windows 7+. Also I wish the client machines would have to use their own Internet connection, but have access to servers on the LAN.
    I've generated all certificates and am able to connect/authenticate.
    The problem is that I can't reach devices on the LAN (192.168.1.201/24).
    So far I have only tested it on Android and the strongSwan application.

    Here's my /etc/ipsec.conf:

    Code:
    config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
        uniqueids=yes
    
    conn %default
        keyexchange=ikev2
        ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes128-sha256-modp1024,aes128-sha256-modp2048,3des-sha1!
        dpdaction=restart
        dpddelay=60s
        ikelifetime=60m
        keylife=20m
        keyingtries=%forever
        fragmentation=yes
        closeaction=restart
        left=%defaultroute
        [email protected]
        leftauth=pubkey
        leftcert=vpnHostCert.der
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        auto=add
    
    conn mobile
        rightsourceip=10.42.42.1
        rightdns=8.8.8.8
        rightsendcert=never
        leftsubnet=10.42.42.0/24
        lefthostaccess=yes
    
    conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add
    
    Please feel free to turn this file upside down and ask for whatever might be missing.

    Thanks in advance.
     
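    Added example (not from this thread and not strongSwan's own code): a small parser that applies strongSwan's ipsec.conf inheritance rule (every conn inherits the settings of `conn %default`, and a conn's own lines override them) to a constructed excerpt of the posted config, then reports per conn whether the effective leftsubnet traffic selector contains the LAN prefix 192.168.1.0/24 the post wants to reach. The conn names and values are the ones in the post; the LAN prefix is the one stated in the question.

```python
import ipaddress
from collections import OrderedDict
# Constructed excerpt of the posted ipsec.conf (only the routing-relevant lines).
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0

conn mobile
    rightsourceip=10.42.42.1
    leftsubnet=10.42.42.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
"""

def parse_ipsec_conf(text):
    """Return {conn_name: effective settings}; each conn inherits 'conn %default'."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header, e.g. 'conn mobile'
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, OrderedDict())
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    effective = OrderedDict()
    for (kind, name), own in sections.items():
        if kind == "conn" and name != "%default":
            merged = OrderedDict(defaults)
            merged.update(own)                    # the conn's own lines win
            effective[name] = merged
    return effective

def lan_covered(effective, lan_cidr):
    """Per conn: is the LAN prefix inside the effective leftsubnet selector?"""
    lan = ipaddress.ip_network(lan_cidr)
    result = {}
    for name, cfg in effective.items():
        nets = [ipaddress.ip_network(s.strip())
                for s in cfg.get("leftsubnet", "").split(",") if s.strip()]
        result[name] = any(lan.subnet_of(n) for n in nets)
    return result
```

Run against the excerpt, `mobile` ends up with leftsubnet=10.42.42.0/24 (the LAN is not in its selector) while `IPSec-IKEv2` keeps the inherited 0.0.0.0/0, which is the first thing to compare against what the client actually negotiated.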
  2. Leszek

    Leszek Member

  3. Al3xxx

    Al3xxx New Member

    You need to add forwarding to firewalld
    firewall-cmd --zone=public --permanent --add-forward
    firewall-cmd --reload
     