Hi,

Try configuring your vpn-server as below:
For Split-Tunnel:
---------------------

conn WindowsAndroidOtherClients_wEAP
    left=<your-public-internet-ipaddr-here>
    right=%any
    leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
    rightsourceip=10.254.236.2/22
    rightdns=192.168.0.2,192.168.12.2,192.168.21.2
    ikelifetime=86400s
    lifetime=43200s
    rekey=no
    reauth=no
    dpddelay=40
    dpdtimeout=120
    dpdaction=clear
    modeconfig=pull
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-radius
    eap_identity=%any
    leftsendcert=always
    rightsendcert=never
    leftid=vpn.domain.org
    rightid=%any
    leftcert=vpnserverCert.pem
    auto=add

Or for FULL-Tunnel
-------------------

conn WindowsAndroidOtherClients_wEAP
    left=<your-public-internet-ipaddr-here>
    right=%any
    leftsubnet=0.0.0.0/0
    rightsourceip=10.254.236.2/22
    rightdns=192.168.0.2,192.168.12.2,192.168.21.2
    ikelifetime=86400s
    lifetime=43200s
    rekey=no
    reauth=no
    dpddelay=40
    dpdtimeout=120
    dpdaction=clear
    modeconfig=pull
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-radius
    eap_identity=%any
    leftsendcert=always
    rightsendcert=never
    leftid=vpn.domain.org
    rightid=%any
    leftcert=vpnserverCert.pem
    auto=add

The above is a working config that I use for both windows-native-ikev2 and android clients.

thanks & regards
Rajiv

On Mon, Dec 20, 2021 at 4:42 PM Gregory Edigarov <ediga...@qarea.com> wrote:
> Hello Everybody.
>
> here's my strongswan setup:
>
> conn vpn-default
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@vpn.domain.org
>     leftauth=pubkey
>     leftcert=certificate.pem
>     leftsendcert=always
>     #leftsubnet=0.0.0.0/0
>     leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
>     leftfirewall=yes
>     leftsourceip=%config
>     right=%any
>     rightid=%any
>     rightauth=eap-radius
>     rightsourceip=10.254.236.2/22
>     rightdns=192.168.0.2,192.168.12.2,192.168.21.2
>     rightsendcert=never
>     eap_identity=%identity
>
> the server uses letsencrypt certificates, stored as:
>
> 270517 4 -rw-r--r-- 1 root root 3750 Nov 18 18:54 /etc/ipsec.d/cacerts/ca.pem
> 270515 4 -rw-r--r-- 1 root root 1838 Nov 18 18:54 /etc/ipsec.d/certs/certificate.pem
> 270520 4 -rw-r--r-- 1 root root 1704 Nov 18 18:55 /etc/ipsec.d/private/key.pem
>
> which is valid:
>
>         Issuer: C = US, O = Let's Encrypt, CN = R3
>         Validity
>             Not Before: Nov 18 14:19:34 2021 GMT
>             Not After : Feb 16 14:19:33 2022 GMT
>         Subject: CN = vpn.domain.org
>
> with this config I can connect from Windows 10, from ubuntu
> via strongswan-starter (ipsec.conf) but not from Network Manager,
> from iphone (seems to be ok), but not from the android standard vpn client.
> i.e.:
> Windows 10 - ok
> ubuntu (strongswan-starter) - ok
> android (strongswan for android) - ok
> ubuntu (network manager) - doesn't work
> android (standard client) - doesn't work (even though I've imported the CA
> certificate)
>
> what am I missing for the systems that don't work?
>
> --
> With best regards,
> Gregory Edigarov
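The two conns above differ only in `leftsubnet` (a list of internal prefixes versus `0.0.0.0/0`), and both use `aes256-sha1-modp1024` proposals. As an added example that is not part of this thread, the following Python script parses ipsec.conf-style `conn` sections, reports whether each one pushes a split or a full tunnel to the client, and lists proposal tokens (such as `modp1024` or `sha1`) that current strongSwan guidance treats as legacy, so an operator can review a config before deploying it. The sample config embedded in the script is constructed for the example: the `SplitTunnel` and `FullTunnel` conns mirror the ones in the reply, with a placeholder `left` address and a constructed modern proposal on the second conn for contrast.

```python
"""Parse strongSwan ipsec.conf 'conn' sections and audit tunnel scope and proposals.

Added example, not part of the mailing-list thread. The config below is constructed
to mirror the split- and full-tunnel conns discussed in the reply.
"""
import re

# Constructed sample: 203.0.113.10 is a documentation address, not a real server.
SAMPLE_CONF = """\
conn SplitTunnel
    left=203.0.113.10
    right=%any
    leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
    rightsourceip=10.254.236.2/22
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-radius
    auto=add

conn FullTunnel
    left=203.0.113.10
    right=%any
    leftsubnet=0.0.0.0/0
    rightsourceip=10.254.236.2/22
    ike=aes256-gcm16-prfsha384-ecp384!
    esp=aes256-gcm16!
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-radius
    auto=add
"""

# Proposal tokens strongSwan still accepts but that are widely considered legacy.
LEGACY_TERMS = {"modp768", "modp1024", "sha1", "md5", "3des", "des"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section; comments and blanks are skipped."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # an unindented line starts another section (config setup, ca, ...)
    return conns


def proposal_terms(value):
    """Split 'aes256-sha1-modp1024!' (or a comma-separated list) into algorithm tokens.

    The trailing '!' (strict proposal) is not an algorithm and is dropped."""
    terms = []
    for proposal in value.split(","):
        terms.extend(t for t in proposal.strip().rstrip("!").split("-") if t)
    return terms


def tunnel_mode(conn):
    """'full' when the client is told to route all traffic via the VPN, else 'split'."""
    subnets = [s.strip() for s in conn.get("leftsubnet", "").split(",")]
    return "full" if "0.0.0.0/0" in subnets or "::/0" in subnets else "split"


def legacy_terms(conn):
    """Legacy algorithm tokens found in the conn's ike= and esp= lines, in order of appearance."""
    found = []
    for key in ("ike", "esp"):
        for term in proposal_terms(conn.get(key, "")):
            if term in LEGACY_TERMS and term not in found:
                found.append(term)
    return found


def audit(text):
    """Summarise each conn: tunnel scope, client address pool and legacy tokens to review."""
    return {
        name: {
            "mode": tunnel_mode(conn),
            "pool": conn.get("rightsourceip"),
            "legacy": legacy_terms(conn),
        }
        for name, conn in parse_ipsec_conf(text).items()
    }


if __name__ == "__main__":
    for name, info in audit(SAMPLE_CONF).items():
        print(f"{name}: {info['mode']}-tunnel, pool={info['pool']}, "
              f"legacy={', '.join(info['legacy']) or 'none'}")
```

Run it against a real `/etc/ipsec.conf` by reading the file into `audit()`; the parser only understands the indented `key=value` layout used in the thread, and treats `0.0.0.0/0` (or `::/0`) anywhere in `leftsubnet` as a full tunnel.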