
I have some problems with configuring VPN using IKEV2. Here is my server configuration file

config setup

    #  Uncomment to allow several simultaneous connections with one user account.
    #  By default only one active connection per user is allowed.
    # uniqueids=no

    # Increase debug level
    # charondebug = ike 3, cfg 3

conn %default

    # More advanced ciphers. Uncomment if you need it.
    # Default ciphers will work on most platforms.
    # ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

    # Dead peer detection will ping clients and terminate sessions after timeout
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    #compress=yes

    # left - local (server) side
    leftcert=mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    # Routes pushed to clients. If you don't have ipv6 then remove ::/0
    leftsubnet=0.0.0.0/0

    # right - remote (client) side
    eap_identity=%identity
    # ipv4 and ipv6 subnets assigned to clients. If you don't have ipv6 then remove it
    rightsourceip=192.168.0.0/24
    rightdns=192.168.0.1,8.8.8.8

# Windows and BlackBerry clients usually go here
conn ikev2-mschapv2
    rightauth=eap-mschapv2

# Apple clients usually go here
conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=mydomain.net

The problem is that I have specified rightsourceip=192.168.0.0/24 so each new client will get an IP in this network, but of course I already have computers in my local network.

And when I try to connect to my VPN it connects, but the client gets the 192.168.0.1 IP address, which is the router's IP.

Furthermore, I have other devices and PCs in this network, so if a client gets an existing IP, problems will occur.

My router acts as DHCP server and has the IP 192.168.0.1.

I tried to search for proper IP pool configuration, but didn't find any information.

I am not sure if this is possible, but it would be great if I could route IP address leasing to my router instead of leasing addresses from the VPN server (as far as I can guess, please correct me in case I am wrong).

Please help me to solve this problem. Thanks.

CROSP

1 Answer


You have several options, which are also described on strongSwan's Forwarding and Split-Tunneling wiki page:

  1. Configure a different subnet for the virtual IPs (e.g. 192.168.100.0/24) and then either route the traffic properly (so the hosts in the server's LAN don't send packets addressed to that subnet to their default gateway but to the VPN server) or NAT the clients' traffic to the server's own IP address (so it seems to the other hosts that the traffic originated from the VPN server and they can easily respond to it).
  2. Assign addresses from a subnet of 192.168.0.0/24 that you reserve for this and don't use for other hosts on the server's LAN (e.g. 192.168.0.192/26, if that's large enough and outside the DHCP range and not used for statically assigned addresses).
  3. Use the dhcp plugin to request virtual IPs out of 192.168.0.0/24 for your clients from the existing DHCP server.

The latter two options require the use of the farp plugin as you are assigning IPs from the same subnet the hosts on the server-side are attached to.

ecdsa
  • Thanks for answer, I have already solved the problem using dhcp plugin and it works great. – CROSP Oct 14 '16 at 18:03
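As an added illustration of the answer's options 2 and 3 (this is example configuration written for this page, not the asker's config or anything from the strongSwan project), the fragments below show what changes in /etc/ipsec.conf and /etc/strongswan.conf to lease virtual IPs from the existing router via the dhcp plugin, with the farp plugin enabled as the answer requires. The interface name eth0 is an assumption; 192.168.0.1 is the router/DHCP server address stated in the question.

```conf
# /etc/ipsec.conf -- only the line that changes relative to the question's config
conn %default
    # Option 3: request a virtual IP for each client from the LAN's DHCP server
    # through the dhcp plugin instead of handing out a static pool.
    rightsourceip=%dhcp
    # Option 2 alternative (use INSTEAD of the line above): a static pool carved
    # out of 192.168.0.0/24 that the router's DHCP scope must not overlap.
    # rightsourceip=192.168.0.192/26

# /etc/strongswan.conf -- plugin settings for the charon daemon
charon {
    plugins {
        dhcp {
            # Send DHCP requests as unicast to the router instead of the
            # default broadcast address 255.255.255.255.
            server = 192.168.0.1
            # LAN-facing interface the requests are sent on (assumed name).
            interface = eth0
        }
        farp {
            # Answer ARP requests for the clients' virtual IPs on the LAN so
            # that the router and other hosts send return traffic to the
            # VPN server. Needed for both option 2 and option 3.
            load = yes
        }
    }
}
```

After restarting strongSwan, `ipsec listplugins` should list both `dhcp` and `farp` (on distributions that package plugins separately they must be installed first), and `ipsec statusall` shows the virtual IP each connected client was leased. Because the clients now appear to be hosts on 192.168.0.0/24, whatever access controls apply to LAN hosts apply to VPN clients as well; keep that in mind when deciding what the VPN users should be able to reach.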