Then you have to restrict your transport mode configuration to your local 
subnet using remote_addrs = theSubnet/CIDR

On 26.03.2018 02:39, Info wrote:
> 
> On 03/25/2018 04:02 PM, Noel Kuntze wrote:
>> Just use two conn definitions. One for your LAN and one for the initiators 
>> on the Internet.
> 
> I tried to, but got the error shown.  The Android app won't connect, and the 
> responder's log says a VIP is required.  The error isn't direct, but a search 
> shows you in an earlier listserv recommending that solution for my exact 
> error.
> 
> And when I add a local VIP, it goes instead to the remote phone.  And any 
> ping from the phone to responder instead goes out through the public IP.
> 
> This is using swanctl, certs, no SELinux, and open firewall.  The IPSec 
> gateway is inside the LAN and reached by DNAT in and SNAT out.

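The two-conn layout suggested in this thread, sketched as a swanctl.conf fragment. This is an added example, not a configuration posted by either participant; the connection names, the 192.168.1.0/24 LAN subnet, the 10.10.10.0/24 pool, the traffic selector and the certificate file name are all assumptions.

```conf
# swanctl.conf fragment (added example; names and addresses are constructed)
connections {
    # LAN peers only: transport mode, no virtual IP handed out.
    # remote_addrs limits which initiators can match this conn.
    lan {
        # assumed LAN subnet in CIDR notation
        remote_addrs = 192.168.1.0/24
        local {
            auth = pubkey
            # hypothetical gateway certificate file
            certs = gateway.pem
        }
        remote {
            auth = pubkey
        }
        children {
            lan-transport {
                mode = transport
            }
        }
    }

    # Initiators on the Internet (such as the Android app): tunnel mode,
    # with a virtual IP assigned from the pool below.
    roadwarrior {
        remote_addrs = %any
        pools = rw_pool
        local {
            auth = pubkey
            certs = gateway.pem
        }
        remote {
            auth = pubkey
        }
        children {
            rw-tunnel {
                mode = tunnel
                # assumed: route all client traffic through the tunnel
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    rw_pool {
        # assumed virtual IP range, chosen not to overlap the LAN
        addrs = 10.10.10.0/24
    }
}
```

After loading with `swanctl --load-all`, `swanctl --list-conns` shows which remote address range each conn accepts, which is the quickest check that a LAN host and the phone will land on different conns.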