That takes me one step further, thank you. The IPv4 address pool loads. The client authenticates okay. Then an error occurs, "installing route for policy 0.0.0.0/0 === 10.9.0.1/32 failed."
The intention in this scenario is that the client should connect to the entire Internet via the StrongSwan Windows server. StrongSwan version is 5.7.1, and Windows Server is version 2016. The file swanctl.conf looks like this:

connections {
    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes256-sha256-modp2048,aes256-sha256-modp1536,aes128-sha1-modp1024,default
        rekey_time = 0s
        pools = primary_pool_ipv4
        fragmentation = yes
        dpd_delay = 30s
        local {
            certs = server.crt
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha256,aes256-sha1,aes128-sha1,default
            }
        }
    }
}
pools {
    primary_pool_ipv4 {
        addrs = 10.9.0.0/24
        dns = 1.1.1.1, 1.0.0.1
    }
}
secrets {
    eap-xxxx {
        id = xxxx
        secret = "yyyyyyyy"
    }
}

Is that "local_ts = 0.0.0.0/0" not correct for this scenario? The StrongSwan Windows Server log looks like this:

03[NET] received packet: from 11.22.33.44[49972] to 55.66.77.88[4500] (112 bytes)
03[ENC] parsed IKE_AUTH request 5 [ AUTH ]
03[IKE] authentication of 'xxxx' with EAP successful
03[IKE] authentication of 'vpn.example.org' (myself) with EAP
03[IKE] IKE_SA ikev2-eap-mschapv2[4] established between 55.66.77.88[vpn.example.org]...11.22.33.44[xxxx]
03[IKE] peer requested virtual IP %any
03[CFG] assigning new lease to 'xxxx'
03[IKE] assigning virtual IP 10.9.0.1 to peer 'xxxx'
03[IKE] peer requested virtual IP %any6
03[IKE] no virtual IP found for %any6 requested by 'xxxx'
03[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
03[KNL] installing route for policy 0.0.0.0/0 === 10.9.0.1/32 failed
03[KNL] setting WFP SA SPI failed: 0x80320035
03[IKE] unable to install IPsec policies (SPD) in kernel
03[IKE] failed to establish CHILD_SA, keeping IKE_SA

On Fri, Dec 21, 2018 at 2:31 AM, Tobias Brunner <tob...@strongswan.org> wrote:
> Hi,
>
>> This produces an error INTERNAL_ADDRESS_FAILURE (identities anonymized):
>> ...
>> Do you know what I need to correct to prevent this error?
>
> Did you load the address pool with swanctl --load-pools? (Using
> --load-all also works.) Check with --list-pools if the pool is loaded.
>
> Regards,
> Tobias