
I have just set up a VPN server using IKEv2 at home. Everything works fine, but the problem is that when I am connected to the VPN from a Windows 10 client I have the external IP of the network I connected to the VPN from.

For instance, my home server has internal IP 193.30.30.30, and I have connected from the network 46.42.24.33. From the Windows client I check my IP while connected to the VPN, for example using the online service https://www.whatismyip.com/, and it displays 46.42.24.33 instead of my home server. But the VPN works fine and I can access local network resources.

The most interesting thing is that from macOS and Android the home server IP is displayed.

Here is my /etc/ipsec.conf

    #  Uncomment to allow a few simultaneous connections with one user account.
    #  By default only one active connection per user is allowed.
    # uniqueids=no

    # Increase debug level
    # charondebug = ike 3, cfg 3

    conn %default

    # More advanced ciphers. Uncomment if you need them.
    # Default ciphers will work on most platforms.
    # ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

    # Dead peer detection will ping clients and terminate sessions after timeout
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    #compress=yes

    # left - local (server) side
    leftcert=vpn.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    # Routes pushed to clients. If you don't have ipv6 then remove ::/0
    leftsubnet=0.0.0.0/0

    # right - remote (client) side
    eap_identity=%identity
    # ipv4 and ipv6 subnets that are assigned to clients. If you don't have ipv6 then remove it
    rightsourceip=%dhcp
    rightdns=8.8.8.8,192.168.0.1

    # Windows and BlackBerry clients usually go here
    conn ikev2-mschapv2
        rightauth=eap-mschapv2

    # Apple clients usually go here
    conn ikev2-mschapv2-apple
        rightauth=eap-mschapv2
        leftid=vpn.mydomain.net

I have no idea where the problem is; maybe some changes to iptables should be made? I would be grateful for any help with this issue, thanks.

frvzuaex

2 Answers

Have you checked that Windows is using the remote gateway for all non-local traffic?

In Network and Sharing Center (or whatever it's now called), under

[VPN Name] properties / Networking / IPv4 settings / Advanced

is

Use default gateway on remote network

ticked?

tobyd
  • Thanks for the answer, I had really forgotten about this tick, because I haven't used Windows for a long time. So that means that for packets that are not internal (IP address of the internal network) it decides whether to send the packet to the default gateway in the VPN network or just send it outside the VPN? Am I right? – frvzuaex Oct 19 '16 at 17:23
  • Yep, exactly. If you only needed, say, access to a file share on the VPN network then you'd likely get better performance for general internet traffic by using your local gateway (unticked option) than tunnelling all your non-local traffic over the VPN. – tobyd Oct 20 '16 at 09:16
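The same checkbox can be inspected and corrected from PowerShell on the Windows 10 client. This is an added example, not part of the question or answer above; it assumes the VPN profile is named `Home IKEv2` (replace with your own) and uses the built-in `VpnClient` and `NetTCPIP` cmdlets.

```powershell
# Added example: verify whether a Windows VPN profile sends all traffic through
# the tunnel ("Use default gateway on remote network") and fix it if not.
# Assumption: the profile name below is a placeholder for your own connection.
$vpnName = 'Home IKEv2'

function Test-VpnDefaultGateway {
    param([string]$Name)

    $vpn = Get-VpnConnection -Name $Name -ErrorAction Stop

    # SplitTunneling = $true means the checkbox is UNticked: only routes to the
    # remote network use the tunnel, and general internet traffic leaves via the
    # local gateway, which is why a "what is my IP" site shows the local network.
    [pscustomobject]@{
        Name              = $vpn.Name
        TunnelType        = $vpn.TunnelType
        SplitTunneling    = $vpn.SplitTunneling
        AllTrafficViaVpn  = -not $vpn.SplitTunneling
    }
}

$state = Test-VpnDefaultGateway -Name $vpnName
$state | Format-List

if ($state.SplitTunneling) {
    # Equivalent to ticking "Use default gateway on remote network".
    Set-VpnConnection -Name $vpnName -SplitTunneling $false
    Write-Host "Split tunneling disabled; reconnect the VPN for the route change to apply."
}

# Once connected, the tunnel interface should own a default route (0.0.0.0/0)
# with a lower metric than the physical adapter's default route.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
```

If the default route listed for the VPN interface is missing after reconnecting, the server's `leftsubnet=0.0.0.0/0` is not being honoured by the client profile, so check the profile rather than the server's iptables rules first.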

A route-based VPN requires an Accept security policy for each direction. As source and destination interfaces, you specify the interface to the private network and the virtual IPsec interface (Phase 1 configuration) of the VPN. The IPsec interface is the destination interface for the outbound policy and the source interface for the inbound policy. One security policy must be configured for each direction of each VPN interface.

  • Thanks for the answer, could you please give me more information to read about this? Maybe some article? – frvzuaex Oct 19 '16 at 17:14