As was previously mentioned, you need to set leftsubnet=0.0.0.0/0 to have access to any other IP but your local one.
On 29.09.2017 14:56, Aleksey Kravchenko wrote:
> On Windows client I will add static route and Set-VpnConnection -Name "VPN"
> -SplitTunneling 1 -AllUserConnection. All works fine.
>
> My server configuration file:
>
> config setup
>     uniqueids = no
>
> conn %default
>     esp = aes-aes256-sha-modp1024,aes256-sha512-modp4096
>     ike = aes-aes256-sha-modp1024,aes256-sha512-modp4096
>
>     dpdaction = clear
>     dpddelay = 35s
>     dpdtimeout = 2000s
>     fragmentation = yes
>     rekey = no
>
>     left = %any
>     leftfirewall = yes
>     leftcert = fullchain.pem
>     leftsendcert = always
>
>     right = %any
>     rightsourceip = 192.168.103.0/24
>     rightdns = 8.8.8.8,8.8.4.4
>     eap_identity = %any
>
> conn IPSec-IKEv2
>     keyexchange = ikev2
>     auto = add
>
> conn IPSec-IKEv2-EAP
>     also = "IPSec-IKEv2"
>     rightauth = eap-radius
>     leftid = DOMAIN.LTD (on my second white IP)
>     auto = add
>     leftsubnet=IP/32
>
> conn IKEv2-MSCHAPv2-Apple
>     also = "IPSec-IKEv2"
>     ike = aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
>     esp = aes256-sha256,3des-sha1,aes256-sha1!
>     rightauth=eap-radius
>     leftid = DOMAIN.LTD
>     leftsubnet=IP/32
>
>
> 2017-09-29 13:38 GMT+03:00 Noel Kuntze <[email protected]>:
>
> > If I could award a star for disinformation, this one would get it.
> >
> > 1) The article about interoperability with Windows explains how to get
> > routes working for crappy Windows clients.
> > 2) As Anvar explained, leftsubnet sets the local traffic selector, which
> > defines which destinations are allowed by the IPsec policies. Set
> > leftsubnet=0.0.0.0/0.
> > 3) You can not only allow certain protocols through the tunnel without
> > blackholing all other protocols, if the sender uses route based IPsec.
> > 4) You likely use libipsec. Stop doing that, it sucks. It is likely the
> > cause of Android and other clients working, but not Windows with your wrong
> > configuration, if you tested Android and other clients with
> > leftsubnet=[IP]/32.
> >
> > Kind regards
> >
> > Noel
> >
> > On 29.09.2017 12:23, Anvar Kuchkartaev wrote:
> > > I don't think Windows is able to obtain routes from the IKE VPN
> > > server. Windows must be using a 0.0.0.0/0 route to your VPN
> > > server and sending all traffic to it, but if you configured left=[IP]/32 from
> > > the VPN server side then all other traffic than that IP is not authorised to pass
> > > through the tunnel. I don't know how to configure VPN routes in Windows and I
> > > would rather recommend configuring a router standing between Windows and the
> > > internet and sharing the tunnel of the router with other devices connected to it.
> > >
> > > Anvar Kuchkartaev
> > > [email protected]
> > >
> > > From: Aleksey Kravchenko
> > > Sent: viernes, 29 de septiembre de 2017 12:08 p.m.
> > > To: Noel Kuntze; [email protected]
> > > Subject: Re: [strongSwan] Strongswan. Address definition/Routing.
> > >
> > > Hello again! I need your help.
> > >
> > > The problem is that the traffic through VPN is sent only when accessing
> > > one specific IP. I pointed this IP to leftsubnet = IP/32 and everything
> > > works well for Linux, macOS, Android, iOS. But Windows in this case does not
> > > see the Internet and only the address specified in leftsubnet is available to
> > > it.
> > >
> > > And is it still possible to specify specific ports? For example, you
> > > can only take http and https through VPN. The protoport option did not help.
> > > Thank you in advance!
> > >
> > > 2017-09-25 16:10 GMT+03:00 Aleksey Kravchenko <[email protected]>:
> > >
> > > > Good.
> > > > Thank you, Noel.
> > > >
> > > > 2017-09-25 16:08 GMT+03:00 Noel Kuntze <[email protected]>:
> > > >
> > > > > Hi,
> > > > >
> > > > > No. As I previously wrote, this is a system intrinsic problem.
> > > > >
> > > > > Kind regards
> > > > >
> > > > > Noel
> > > > >
> > > > > On 25.09.2017 15:03, Aleksey Kravchenko wrote:
> > > > > > Hello. I managed to solve the problem with routes on Windows
> > > > > > and macOS. For this purpose, a second white IP was used.
> > > > > > p.s. Are there any ways or tricks to solve this problem with
> > > > > > the same IP address?
> > > > > >
> > > > > > 2017-09-14 11:03 GMT+03:00 Aleksey Kravchenko <[email protected]>:
> > > > > >
> > > > > > > Hello, Noel. Thanks for the answer. Unfortunately, there
> > > > > > > is no way to bypass. As a solution we can use the second white IP for
> > > > > > > Strongswan, and the web server on the 1st IP.
> > > > > > >
> > > > > > > 2017-09-13 22:17 GMT+03:00 Noel Kuntze <[email protected]>:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > That is because Windows and MacOS implement crappy
> > > > > > > > route based IPsec which conceptually can not protect traffic to the IKE peer's
> > > > > > > > address (unless policy based routing is used, which
> > > > > > > > neither Windows nor MacOS implement).
> > > > > > > >
> > > > > > > > Kind regards
> > > > > > > >
> > > > > > > > Noel
> > > > > > > >
> > > > > > > > On 13.09.2017 17:14, Aleksey Kravchenko wrote:
> > > > > > > > > Hello. I need your advice.
> > > > > > > > > The work of Strongswan + IKEv2 is configured.
> > > > > > > > > Everything works fine (on iOS, macOS, Windows, Linux), but I noticed strange
> > > > > > > > > behavior in VPN's work. There is a server on which Strongswan and Nginx are
> > > > > > > > > installed. When you connect to the VPN and go to the site which is located in
> > > > > > > > > the same place as the strongswan daemon, the nginx log shows different
> > > > > > > > > addresses for connections. For instance:
> > > > > > > > > android / linux -> login from the address issued by the VPN (for example, 192.168.1.2).
> > > > > > > > > windows / macos -> login from the usual address (provider address).
> > > > > > > > > But if you go to the IP detection server, the
> > > > > > > > > result for all devices is the same: you logged in from the VPN server. Maybe
> > > > > > > > > you have any thoughts about this? Thank you!
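The whole thread turns on one setting: on a road-warrior conn, leftsubnet is the local traffic selector, and a /32 there means a route-based client (Windows, macOS) that pushes all traffic into the tunnel gets nothing but that one address. The lint below is an added example, not strongSwan's code and not posted on the list. It parses an ipsec.conf-style file, resolves `conn %default` and `also=` inheritance, and flags every conn that hands out `rightsourceip` while its effective leftsubnet does not contain 0.0.0.0/0 or ::/0. The embedded configs are constructed: 203.0.113.10 stands in for the server's second public IP and vpn.example.test for DOMAIN.LTD.

```python
"""Lint an ipsec.conf-style file for the leftsubnet mistake from the thread (added example,
not strongSwan code).  Resolves 'conn %default' and 'also=' inheritance (own keys win over
also= parents, which win over %default) and flags road-warrior conns, i.e. those handing out
rightsourceip, whose local traffic selector does not include 0.0.0.0/0 or ::/0.  A route-based
client such as Windows sends all traffic into the tunnel, so a /32 selector blackholes
everything except that single address.  All addresses and names below are constructed."""
import ipaddress
import re

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; 'also' is collected as a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments, keep indentation
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.groups(), {"also": []})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key, value = key.lower(), value.strip('"')
        if key == "also":
            current["also"].append(value)
        else:
            current[key] = value
    return sections

def _merge_also(sections, name, seen):
    """Keys of conn `name` layered over its also= parents, depth first."""
    if name in seen:
        raise ValueError("circular also= chain at " + name)
    seen.add(name)
    own = sections.get(("conn", name))
    if own is None:
        raise KeyError("conn %s is not defined" % name)
    merged = {}
    for parent in own["also"]:
        merged.update(_merge_also(sections, parent, seen))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def resolve_conn(sections, name):
    """Effective settings of a conn: %default, then the also= chain, then its own keys."""
    default = sections.get(("conn", "%default"), {})
    effective = {k: v for k, v in default.items() if k != "also"}
    effective.update(_merge_also(sections, name, set()))
    return effective

def selector_covers_all(leftsubnet):
    """True if any comma-separated selector in leftsubnet is a default route."""
    for sel in leftsubnet.split(","):
        sel = sel.strip().split("[", 1)[0]          # drop a protoport suffix such as [tcp/443]
        try:
            if ipaddress.ip_network(sel, strict=False).prefixlen == 0:
                return True
        except ValueError:                          # %dynamic, hostnames and similar
            continue
    return False

def lint_leftsubnet(text):
    """Return {conn_name: reason} for road-warrior conns that would blackhole client traffic."""
    sections = parse_ipsec_conf(text)
    findings = {}
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        eff = resolve_conn(sections, name)
        if "rightsourceip" not in eff:              # not a road-warrior conn, skip it
            continue
        leftsubnet = eff.get("leftsubnet")
        if leftsubnet is None:
            findings[name] = "leftsubnet unset: selector defaults to the server's own address"
        elif not selector_covers_all(leftsubnet):
            findings[name] = "leftsubnet=%s: only that destination passes the tunnel" % leftsubnet
    return findings

# Constructed sample modelled on the posted config (trimmed to the keys that matter here).
BROKEN_CONF = """
conn %default
    left = %any
    right = %any
    rightsourceip = 192.168.103.0/24

conn IPSec-IKEv2
    keyexchange = ikev2
    auto = add

conn IPSec-IKEv2-EAP
    also = "IPSec-IKEv2"
    rightauth = eap-radius
    leftid = vpn.example.test
    leftsubnet=203.0.113.10/32
"""

# Same conns with the selector widened in %default, as the thread recommends.
FIXED_CONF = (BROKEN_CONF
              .replace("    right = %any\n", "    right = %any\n    leftsubnet = 0.0.0.0/0,::/0\n")
              .replace("    leftsubnet=203.0.113.10/32\n", ""))

if __name__ == "__main__":
    for label, conf in (("posted", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_leftsubnet(conf) or "no findings")
```

Run against the posted layout it reports both IPSec-IKEv2 (selector never set, so it defaults to the server address) and IPSec-IKEv2-EAP (the /32); against the widened layout it reports nothing. A protoport suffix such as `[tcp/443]` is stripped before the prefix check, so the lint also answers the "only http and https" question in the thread: narrowing the selector that way still blackholes every other destination for a route-based client.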