<div dir="ltr"><div dir="ltr">Hi<div><br></div><div>Try configuring your VPN server as below:</div><div><br></div><div>For Split-Tunnel:<br>---------------------<br><br>conn WindowsAndroidOtherClients_wEAP<br>        left=<your-public-internet-ipaddr-here><br>        right=%any<br>        leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24<br>        rightsourceip=10.254.236.2/22<br>        rightdns=192.168.0.2,192.168.12.2,192.168.21.2<br>        ikelifetime=86400s<br>        lifetime=43200s<br>        rekey=no<br>        reauth=no<br>        dpddelay=40<br>        dpdtimeout=120<br>        dpdaction=clear<br>        modeconfig=pull<br>        ike=aes256-sha1-modp1024!<br>        esp=aes256-sha1!<br>        keyexchange=ikev2<br>        leftauth=pubkey<br>        rightauth=eap-radius<br>        eap_identity=%any<br>        leftsendcert=always<br>        rightsendcert=never<br>        leftid=vpn.domain.org<br>        rightid=%any<br>        leftcert=vpnserverCert.pem<br>        auto=add<br><br><br>Or for FULL-Tunnel<br>-------------------<br><br><br>conn WindowsAndroidOtherClients_wEAP<br>        left=<your-public-internet-ipaddr-here><br>        right=%any<br>        leftsubnet=0.0.0.0/0<br>        rightsourceip=10.254.236.2/22<br>        rightdns=192.168.0.2,192.168.12.2,192.168.21.2<br>        ikelifetime=86400s<br>        lifetime=43200s<br>        rekey=no<br>        reauth=no<br>        dpddelay=40<br>        dpdtimeout=120<br>        dpdaction=clear<br>        modeconfig=pull<br>        ike=aes256-sha1-modp1024!<br>        esp=aes256-sha1!<br>        keyexchange=ikev2<br>        leftauth=pubkey<br>        rightauth=eap-radius<br>        eap_identity=%any<br>        leftsendcert=always<br>        rightsendcert=never<br>        leftid=vpn.domain.org<br>        rightid=%any<br>        leftcert=vpnserverCert.pem<br>        auto=add<br><br></div><div>The above is a working config that I use for both Windows-native IKEv2 and Android clients.</div><div><br></div><div>Thanks & regards</div><div>Rajiv</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Dec 20, 2021 at 4:42 PM Gregory Edigarov <<a href="mailto:edigarov@qarea.com">edigarov@qarea.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Everybody.<br>
<br>
Here's my strongSwan setup:<br>
conn vpn-default<br>
    auto=add<br>
    compress=no<br>
    type=tunnel<br>
    keyexchange=ikev2<br>
    ike=aes256-sha1-modp1024 <br>
    esp=aes256-sha1<br>
    fragmentation=yes<br>
    forceencaps=yes<br>
    dpdaction=clear<br>
    dpddelay=300s<br>
    rekey=no<br>
    left=%any<br>
    leftid=@vpn.domain.org<br>
    leftauth=pubkey<br>
    leftcert=certificate.pem<br>
    leftsendcert=always<br>
    #leftsubnet=0.0.0.0/0<br>
    leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24<br>
    leftfirewall=yes<br>
    leftsourceip=%config<br>
    right=%any<br>
    rightid=%any<br>
    rightauth=eap-radius<br>
    rightsourceip=10.254.236.2/22<br>
    rightdns=192.168.0.2,192.168.12.2,192.168.21.2<br>
    rightsendcert=never<br>
    eap_identity=%identity<br>
<br>
The server uses Let's Encrypt certificates, stored as:<br>
<br>
   270517      4 -rw-r--r--   1 root     root         3750 Nov 18 18:54 /etc/ipsec.d/cacerts/ca.pem<br>
   270515      4 -rw-r--r--   1 root     root         1838 Nov 18 18:54 /etc/ipsec.d/certs/certificate.pem<br>
   270520      4 -rw-r--r--   1 root     root         1704 Nov 18 18:55 /etc/ipsec.d/private/key.pem<br>
<br>
The certificate is valid:<br>
        Issuer: C = US, O = Let's Encrypt, CN = R3<br>
        Validity<br>
            Not Before: Nov 18 14:19:34 2021 GMT<br>
            Not After : Feb 16 14:19:33 2022 GMT<br>
        Subject: CN = vpn.domain.org<br>
<br>
With this config I can connect from Windows 10 and from Ubuntu<br>
via strongswan-starter (ipsec.conf), but not from Network Manager;<br>
from iPhone it seems to be OK, but not from the Android standard VPN client.<br>
I.e.:<br>
Windows 10 - ok<br>
ubuntu (strongswan-starter) - ok<br>
android (strongswan for android) - ok<br>
ubuntu (network manager) - doesn't work<br>
android (standard client) - doesn't work (even though I've imported the CA<br>
certificate)<br>
<br>
What am I missing for the systems that don't work?<br>
<br>
--<br>
With best regards,<br>
     Gregory Edigarov<br>
</blockquote></div></div>
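As an added example (not code from either poster), here is a small Python checker that parses strongSwan ipsec.conf conn sections like the ones in this thread, reports whether leftsubnet makes the tunnel split or full, and flags the settings a reviewer would raise before deploying either variant: the modp1024 DH group and SHA-1 in both the ike and esp proposals, a client address pool that overlaps a leftsubnet, and rekey=no. The embedded conn text is a copy of the split-tunnel config from the reply with the mail client's link wrapping removed; the certificate names passed to the identity helper are constructed to match the CN shown in the quoted question.

```python
import ipaddress
import re

# Constructed input: a copy of the split-tunnel conn from the reply above,
# with the mail client's hyperlink wrapping removed.
SAMPLE_CONF = """\
conn WindowsAndroidOtherClients_wEAP
        left=<your-public-internet-ipaddr-here>
        right=%any
        leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
        rightsourceip=10.254.236.2/22
        rightdns=192.168.0.2,192.168.12.2,192.168.21.2
        ikelifetime=86400s
        lifetime=43200s
        rekey=no
        reauth=no
        dpddelay=40
        dpdtimeout=120
        dpdaction=clear
        modeconfig=pull
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        keyexchange=ikev2
        leftauth=pubkey
        rightauth=eap-radius
        eap_identity=%any
        leftsendcert=always
        rightsendcert=never
        leftid=vpn.domain.org
        rightid=%any
        leftcert=vpnserverCert.pem
        auto=add
"""

# MODP groups with a modulus shorter than 2048 bits.
WEAK_DH = {"modp768", "modp1024", "modp1536"}


def parse_ipsec_conf(text):
    """Return {conn_name: {param: value}} for every conn section.

    ipsec.conf syntax: section headers ("conn NAME", "config setup") start in
    column 0, parameters are indented key=value lines, '#' starts a comment.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":  # a new section header
            m = re.match(r"^conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def tunnel_mode(conn):
    """'full' if leftsubnet offers 0.0.0.0/0 to clients, else 'split';
    also returns the parsed traffic-selector networks."""
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in conn.get("leftsubnet", "").split(",") if n.strip()]
    mode = "full" if any(n.prefixlen == 0 for n in nets) else "split"
    return mode, nets


def identity_matches(leftid, cert_names):
    """Does leftid (with strongSwan's optional '@' FQDN prefix) name the
    server certificate?  cert_names holds the CN and SAN dNSName values."""
    return leftid.lstrip("@").lower() in {n.lower() for n in cert_names}


def lint_conn(conn):
    """Return (severity, message) findings for one conn section."""
    findings = []
    for param in ("ike", "esp"):
        algs = set(conn.get(param, "").rstrip("!").split("-"))
        weak = sorted(algs & WEAK_DH)
        if weak:
            findings.append(("high", f"{param}: DH group below 2048 bits: {', '.join(weak)}"))
        if "sha1" in algs:
            findings.append(("medium", f"{param}: SHA-1 integrity; prefer sha256 or an AEAD"))
    mode, nets = tunnel_mode(conn)
    pool = conn.get("rightsourceip", "")
    if pool and not pool.startswith("%"):
        pool_net = ipaddress.ip_network(pool, strict=False)
        for n in nets:
            if n.prefixlen and n.overlaps(pool_net):
                findings.append(("high", f"client pool {pool} overlaps leftsubnet {n}"))
    if conn.get("rekey", "yes") == "no":
        findings.append(("info", "rekey=no: this side never initiates rekeying"))
    return findings


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        mode, nets = tunnel_mode(conn)
        print(f"{name}: {mode} tunnel, selectors {[str(n) for n in nets]}")
        for sev, msg in lint_conn(conn):
            print(f"  [{sev}] {msg}")
```

Run against the split-tunnel conn it reports three selectors and four findings (modp1024 in ike, SHA-1 in both ike and esp, and the rekey=no note); swapping in the full-tunnel variant's leftsubnet=0.0.0.0/0 changes only the reported mode.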