<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div>Excellent Tobias, now it connects!</div>
<div>Thank you.</div>
<div><br></div>
<div>The only remaining question is how to get to the internet beyond the VPN server. I am using it to appear with a different IP address. After connection nothing is reachable. I use this configuration:</div>
<div><br></div>
<div>--</div>
<pre style="font-size: 11px; font-family: Menlo;">config setup
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        leftsendcert=always
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn ios10
        leftid=server
        leftcert=peerCert.der
        rightauth=eap-mschapv2
        leftsubnet=0.0.0.0/0
        rightsourceip=192.168.10.0/24   ### Added this to get an IP address
        rightdns=8.8.8.8,8.8.4.4        ### Added this to get DNS servers
        auto=add</pre>
<div>--</div>
<div><br></div>
<div>Also, I ran these commands to enable forwarding (found on a different site):</div>
<pre class="line-numbers language-bash"><code class="language-bash"># echo 1 &gt; /proc/sys/net/ipv4/ip_forward
# echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
# echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects</code></pre>
<div>But I still cannot reach anything beyond the VPN server.</div>
<div><br></div>
<div>Any ideas?</div>
<div><br></div>
<blockquote type="cite">
<div>On Mar 16, 2017, at 4:01 PM, Tobias Brunner &lt;<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>&gt; wrote:</div>
<br>
<div>Hi Klaus,<br><br><blockquote type="cite">Is that necessary? I use<br>username/password authentication of the clients and the clients don’t<br>care about the server certificate.<br></blockquote><br>Yes, the CA certificate (caCert.der) has to be installed on the clients.<br>They won't trust the server certificate otherwise.<br><br>Regards,<br>Tobias<br></div>
</blockquote>
</body></html>