<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<p>Hi. I’m trying to do a full tunnel setup between my remote host and central location (both private and public internet traffic). Got my VPN setup working on the first ethernet interface (eth0); however, as soon as I’m trying to get another device plugged into the second ethernet port of the VPN gateway (eth1), it will not work (reports that the IP address is taken). So I cannot use any devices on the second ethernet interface. But from the central network, I can ping the remote IP address (ping to 172.24.1.1 is successful).</p>
<p>However, if I remove the "rightsubnet=172.24.1.0/24" statement from the server config, I can now use devices connected to the second ethernet interface of the remote host, but routing is completely dead.</p>
<p>Remote host is a simple OrangePi R1 with 2 ethernet interfaces. Primary interface is on a DHCP address (and has to be deployed that way) while the second ethernet interface (that will be used for other users) is using the 172.24.1.0/24 subnet. A DHCP server can be activated on this host, but right now it’s not on.</p>
<p>There is no real need to access the remote network from the main network, so I would be OK doing some NAT on the remote box. But either would work perfectly. (Also tried to do NAT on the remote box, but I’m unable to NAT traffic to the VPN connection at all.)</p>
<p>Any ideas to get this setup working reliably?</p>
<p>(Domain names and public IP addresses were modified.)</p>
<p>Configs:</p>
<p><b>Server Host:</b></p>
<pre>
    strictcrlpolicy=yes
    uniqueids=no
    cachecrls=yes

conn %default
    keyexchange=ikev2
    keyingtries=4
    forceencaps=yes
    ikelifetime=2h
    lifetime=1h

conn IPSec-IKEv2-OR1
#
    ike=aes128gcm16-prfsha512-prfsha256-x25519-curve25519-ecp521!
    esp=chacha20poly1305-curve25519-x25519!
#
    auto=add
    fragmentation=yes
    dpdaction=clear
    dpddelay=300s
    reauth=no
    rekey=no
    authby=secret
#
    left=%any
    leftid=@neo.domain.com
    leftsubnet=0.0.0.0/0

    fragmentation=yes
    right=%any
    rightid=@or1.domain.com
    rightsubnet=172.24.1.0/24
    rightsourceip=172.24.11.0/30
</pre>
<p>ipsec statusall:</p>
<pre>
IPSec-IKEv2-OR1:  %any...%any  IKEv2, dpddelay=300s
IPSec-IKEv2-OR1:   local:  [neo.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   remote: [or1.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   child:  0.0.0.0/0 === 172.24.1.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2-OR1[27]: ESTABLISHED 15 hours ago, 172.22.43.25[neo.domain.com]...65.30.10.30[or1.domain.com]
IPSec-IKEv2-OR1[27]: IKEv2 SPIs: 11ab39c596594827_i b99ac8c02c1a67cb_r*, rekeying disabled
IPSec-IKEv2-OR1[27]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_521
IPSec-IKEv2-OR1{9}:  INSTALLED, TUNNEL, reqid 9, ESP in UDP SPIs: cbeb450d_i c0060d1c_o
IPSec-IKEv2-OR1{9}:  CHACHA20_POLY1305, 5278 bytes_i (52 pkts, 474s ago), 15195 bytes_o (49 pkts, 474s ago), rekeying disabled
IPSec-IKEv2-OR1{9}:   0.0.0.0/0 === 172.24.1.0/24
</pre>
<p><b>Remote Host:</b></p>
<pre>
    strictcrlpolicy=yes
    uniqueids=no
    cachecrls=yes

conn %default
    keyexchange=ikev2
    keyingtries=4
    forceencaps=yes
    ikelifetime=2h
    lifetime=1h

conn IPSec-IKEv2-OR1
#
#
    ike=aes128gcm16-prfsha512-prfsha256-x25519-curve25519-ecp521!
    esp=chacha20poly1305-curve25519-x25519!

#
    auto=start
    fragmentation=yes
    dpdaction=clear
    dpddelay=300s
    reauth=no
    rekey=no
    authby=secret
#
    left=%any
    leftid=@or1.domain.com
    leftsubnet=172.24.1.0/24,172.24.11.0/30
    leftsourceip=%config
    leftupdown=/etc/nat_updown
#
    fragmentation=yes
    right=some_dynamicDNS.duckdns.org
    rightid=@neo.domain.com
    rightsubnet=0.0.0.0/0
</pre>
<p>ipsec statusall:</p>
<pre>
IPSec-IKEv2-OR1:  %any...some_dynamicDNS.duckdns.org  IKEv2, dpddelay=300s
IPSec-IKEv2-OR1:   local:  [or1.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   remote: [neo.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   child:  172.24.1.0/24 172.24.11.0/30 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2-OR1[1]: ESTABLISHED 14 hours ago, 172.22.43.80[or1.domain.com]...65.10.20.40[neo.domain.com]
IPSec-IKEv2-OR1[1]: IKEv2 SPIs: 11ab39c596594827_i* b99ac8c02c1a67cb_r, rekeying disabled
IPSec-IKEv2-OR1[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_521
IPSec-IKEv2-OR1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0060d1c_i cbeb450d_o
IPSec-IKEv2-OR1{1}:  CHACHA20_POLY1305, 10881 bytes_i (46 pkts, 363s ago), 5278 bytes_o (52 pkts, 363s ago), rekeying disabled
IPSec-IKEv2-OR1{1}:   172.24.1.0/24 === 0.0.0.0/0
</pre>
</body></html>
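An added diagnostic for the situation described in the post above (example code, not something the poster or the strongSwan project supplied): it parses the `ipsec statusall` output quoted in the post, reports which configured traffic selectors were narrowed away when the CHILD_SA was actually installed, and says whether a given source/destination pair is covered by any installed SA at all. The sample text is the remote host's output exactly as quoted in the post; the client address 172.24.1.10 and the address 172.24.11.1 from the rightsourceip pool are constructed test values, not addresses that appear in the post, and the line format assumed is the one visible in the post's own statusall output.

```python
import ipaddress
import re

# Constructed sample: the remote host's "ipsec statusall" output as quoted in
# the post (names and public IPs already modified by the poster).
SAMPLE_STATUS = """\
IPSec-IKEv2-OR1:  %any...some_dynamicDNS.duckdns.org  IKEv2, dpddelay=300s
IPSec-IKEv2-OR1:   local:  [or1.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   remote: [neo.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   child:  172.24.1.0/24 172.24.11.0/30 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2-OR1[1]: ESTABLISHED 14 hours ago, 172.22.43.80[or1.domain.com]...65.10.20.40[neo.domain.com]
IPSec-IKEv2-OR1[1]: IKEv2 SPIs: 11ab39c596594827_i* b99ac8c02c1a67cb_r, rekeying disabled
IPSec-IKEv2-OR1[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_521
IPSec-IKEv2-OR1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0060d1c_i cbeb450d_o
IPSec-IKEv2-OR1{1}:  CHACHA20_POLY1305, 10881 bytes_i (46 pkts, 363s ago), 5278 bytes_o (52 pkts, 363s ago), rekeying disabled
IPSec-IKEv2-OR1{1}:   172.24.1.0/24 === 0.0.0.0/0
"""

# "conn:   child:  <local nets> === <remote nets> TUNNEL, ..." (configured selectors).
# Only numeric CIDR selectors are handled; lines such as "dynamic" are ignored.
CHILD_RE = re.compile(
    r"^(?P<conn>[\w.-]+):\s+child:\s+(?P<local>[\d./ ]+?)\s+===\s+"
    r"(?P<remote>[\d./ ]+?)\s+(?:TUNNEL|TRANSPORT|BEET)\b"
)
# "conn{n}:   <local nets> === <remote nets>" (selectors of an installed CHILD_SA).
SA_RE = re.compile(
    r"^(?P<conn>[\w.-]+)\{\d+\}:\s+(?P<local>[\d./ ]+?)\s+===\s+(?P<remote>[\d./ ]+?)\s*$"
)


def _nets(field):
    """Turn a space-separated list of CIDRs into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in field.split()]


def parse_selectors(text):
    """Return {'configured': {conn: [(local, remote)]}, 'installed': {conn: [(local, remote)]}}."""
    configured, installed = {}, {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            configured.setdefault(m["conn"], []).append((_nets(m["local"]), _nets(m["remote"])))
            continue
        m = SA_RE.match(line)
        if m:
            installed.setdefault(m["conn"], []).append((_nets(m["local"]), _nets(m["remote"])))
    return {"configured": configured, "installed": installed}


def _covered(net, nets):
    """True if some network in nets contains net (same IP version only)."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def narrowed_selectors(parsed):
    """Configured selectors that no installed CHILD_SA of the same conn carries.

    A selector present in the 'child:' line but absent from every installed SA
    was narrowed away during negotiation (the peer's config did not allow it).
    """
    report = {}
    for conn, children in parsed["configured"].items():
        sas = parsed["installed"].get(conn, [])
        missing_local, missing_remote = [], []
        for local, remote in children:
            missing_local += [str(n) for n in local if not _covered(n, [x for sa in sas for x in sa[0]])]
            missing_remote += [str(n) for n in remote if not _covered(n, [x for sa in sas for x in sa[1]])]
        report[conn] = {"local": missing_local, "remote": missing_remote}
    return report


def covering_sas(parsed, src_ip, dst_ip):
    """Names of conns with an installed SA whose selectors match src -> dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for conn, sas in parsed["installed"].items():
        for local, remote in sas:
            if any(src in n for n in local) and any(dst in n for n in remote):
                hits.append(conn)
                break
    return hits


if __name__ == "__main__":
    parsed = parse_selectors(SAMPLE_STATUS)
    for conn, gap in narrowed_selectors(parsed).items():
        print(f"{conn}: configured but not installed: local={gap['local']} remote={gap['remote']}")
    # 172.24.1.10 is a constructed eth1 client; 172.24.11.1 is a constructed
    # address from the rightsourceip pool (neither appears in the post).
    for src in ("172.24.1.10", "172.24.11.1"):
        print(f"{src} -> 8.8.8.8 covered by: {covering_sas(parsed, src, '8.8.8.8')}")
```

Run against the quoted output it reports that 172.24.11.0/30 is in the remote's configured leftsubnet but missing from the installed SA, which only carries 172.24.1.0/24 === 0.0.0.0/0 (the responder's rightsubnet allows just that prefix), so a packet sourced from a virtual IP in that pool matches no IPsec policy while a host in 172.24.1.0/24 does. Feeding it the live `ipsec statusall` of both ends after each config change is a quick way to confirm that the selectors installed in the kernel are the ones you intended before looking at routing or NAT.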