I apologise for another query regarding strongSwan. I have created a strongSwan server that has multiple networks on one side and, on the other side, clients that are authorised via FreeRADIUS EAP-MSCHAPv2. Clients are given access to specific IP addresses in those networks via Class attributes and the corresponding connection definitions in ipsec.conf:
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default
    keyexchange=ikev2

conn tunnel
    reauth=no
    rightsendcert=never
    left=87.236.194.XX
    leftsubnet=192.168.80.0/24
    right=%any
    rightsubnet=0.0.0.0/0
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=route
    type=tunnel

conn eap-radius
    reauth=no
    rekey=no
    forceencaps=yes
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftcert=host-vpn.der
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    leftid=@ikev2.domain.cz
    lefthostaccess=yes
    right=%any
    rightsourceip=192.168.80.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    rightgroups=Class1
    eap_identity=%identity
    auto=add

conn eap-radius10
    reauth=no
    rekey=no
    forceencaps=yes
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftcert=host-vpn.der
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=192.168.10.2/31,192.168.10.4/30,192.168.10.8/29,192.168.10.16/28,192.168.10.32/27,192.168.10.64/26,192.168.10.128/26,192.168.10.192/27,192.168.10.224/28,192.168.10.240/29,192.168.10.248/30,192.168.10.252/31,192.168.10.254/32
    leftid=@ikev2.domain.cz
    lefthostaccess=yes
    right=%any
    rightsourceip=192.168.80.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    rightgroups=Class10
    eap_identity=%identity
    auto=add

conn eap-radius20
    reauth=no
    rekey=no
    forceencaps=yes
    fragmentation=yes
    left=%defaultroute
    leftauth=pubkey
    leftcert=host-vpn.der
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=192.168.20.2/31,192.168.20.4/30,192.168.20.8/29,192.168.20.16/28,192.168.20.32/27,192.168.20.64/26,192.168.20.128/26,192.168.20.192/27,192.168.20.224/28,192.168.20.240/29,192.168.20.248/30,192.168.20.252/31,192.168.20.254/32
    leftid=@ikev2.domain.cz
    lefthostaccess=yes
    right=%any
    rightsourceip=192.168.80.0/24
    rightdns=8.8.8.8
    rightauth=eap-radius
    rightgroups=Class20
    eap_identity=%identity
    auto=add
In the Debian firewall I have these lines:
-A POSTROUTING -s 192.168.80.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.80.0/24 -o eth0 -j MASQUERADE
My problem is that all Android, iOS and Mac OS X clients have access to the appropriate specific addresses and also to the Internet, but the Windows 10 ones do not. Because the VPN connection wizard in past versions of Windows 10, due to some Microsoft bugs in this wizard, is not able to create the EAP-MSCHAPv2 IKEv2 VPN connection properly, I have copied the following rasphone.pbk to the C:\Users\XXXX\AppData\Roaming\Microsoft\Network\Connections\Pbk Windows folder:
[radius]
Encoding=1
PBVersion=4
Type=2
AutoLogon=0
UseRasCredentials=1
LowDateTime=-1192997568
HighDateTime=30663332
DialParamsUID=191937
Guid=2F7BD8C93E1B8E4885FD6AB316030199
VpnStrategy=7
ExcludedProtocols=0
LcpExtensions=1
DataEncryption=8
SwCompression=0
NegotiateMultilinkAlways=0
SkipDoubleDialDialog=0
DialMode=0
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=0
RedialOnLinkFailure=1
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
ForceSecureCompartment=0
DisableIKENameEkuCheck=0
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=VPN2-0
PreferredDevice=WAN Miniport (IKEv2)
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=0
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=0
ShowMonitorIconInTaskBar=0
CustomAuthKey=26
CustomAuthData=314442431A00000008000000010000000000000000000000
AuthRestrictions=128
IpPrioritizeRemote=1
IpInterfaceMetric=0
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=2
IpSecFlags=0
IpDnsSuffix=
Ipv6Assign=1
Ipv6Address=::
Ipv6PrefixLength=0
Ipv6PrioritizeRemote=1
Ipv6InterfaceMetric=0
Ipv6NameAssign=1
Ipv6DnsAddress=::
Ipv6Dns2Address=::
Ipv6Prefix=0000000000000000
Ipv6InterfaceId=0000000000000000
DisableClassBasedDefaultRoute=0
DisableMobility=0
NetworkOutageTime=0
ProvisionType=0
PreSharedKey=
CacheCredentials=1
NumCustomPolicy=0
NumEku=0
UseMachineRootCert=0
NumServers=0
RouteVersion=1
NumRoutes=0
NumNrptRules=0
AutoTiggerCapable=0
NumAppIds=0
NumClassicAppIds=0
SecurityDescriptor=
ApnInfoProviderId=
ApnInfoUsername=
ApnInfoPassword=
ApnInfoAccessPoint=
ApnInfoAuthentication=1
ApnInfoCompression=0
DeviceComplianceEnabled=0
DeviceComplianceSsoEnabled=0
DeviceComplianceSsoEku=
DeviceComplianceSsoIssuer=
FlagsSet=0
Options=0
DisableDefaultDnsSuffixes=0
NumTrustedNetworks=0
NumDnsSearchSuffixes=0
PowershellCreatedProfile=0
ProxyFlags=0
ProxySettingsModified=0
ProvisioningAuthority=
AuthTypeOTP=0
GREKeyDefined=0
NumPerAppTrafficFilters=0
AlwaysOnCapable=0
PrivateNetwork=0
NETCOMPONENTS=
ms_msclient=1
ms_server=1
MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=ikev2.domain.cz
AreaCode=
CountryCode=0
CountryID=0
UseDialingRules=0
Comment=
FriendlyName=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1
Such a Windows VPN client is able to connect properly to the appropriate IPs in the remote networks but has no access to the Internet, with one exception: Internet access works when the connection definition selected via RADIUS is the one with leftsubnet=0.0.0.0/0. When the "Use default gateway on remote network" option in the Advanced TCP/IP settings of the VPN connection is enabled (IpPrioritizeRemote=1), the client has access to the remote networks but not to the Internet, and if this option is disabled, the client has access to the Internet but not to any of the remote networks.
I am not experienced in routing, but I suppose it should be possible to configure the Windows VPN connection to behave just like the Android, iOS and OS X connections, which are working properly and have, besides access to the specific IP addresses, access to the Internet as well.
Thank you in advance for any help.
Best Answer
ecdsa, thank you for pointing me in the right direction. The solution was finally quite simple. From PowerShell as administrator I created the new connection:
and then I added routes:
Now the Windows clients are working like a charm, and they have access to the appropriate IPs and to the Internet too.
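The two PowerShell steps the answer refers to are not reproduced on this page. The following is an added example, not the original poster's commands, showing one way to do both with the built-in VpnClient cmdlets: create a split-tunnel IKEv2/EAP profile (the PowerShell equivalent of unchecking "Use default gateway on remote network", i.e. IpPrioritizeRemote=0 in rasphone.pbk) and then add explicit routes so only traffic for the remote networks enters the tunnel. The connection name "radius" is taken from the posted rasphone.pbk, the server name ikev2.domain.cz and the 192.168.10.0/24, 192.168.20.0/24 and 192.168.80.0/24 ranges from the posted ipsec.conf; that these are the networks a client should reach through the tunnel, and that the default EAP method on Windows negotiates EAP-MSCHAPv2 against FreeRADIUS, are assumptions, so adjust the values to your environment.

```powershell
# Added example (not the original poster's commands): split-tunnel IKEv2 EAP
# profile plus per-subnet routes, run from an elevated PowerShell prompt.
# Assumed values (from the question): connection name, server name, subnets.

$Name          = 'radius'                                   # assumed, from rasphone.pbk
$Server        = 'ikev2.domain.cz'                          # assumed, leftid in ipsec.conf
$RemoteSubnets = @('192.168.80.0/24',                       # assumed, from ipsec.conf
                   '192.168.10.0/24',
                   '192.168.20.0/24')

# -SplitTunneling clears "Use default gateway on remote network". Without it
# Windows installs a default route through the tunnel, so Internet traffic is
# sent to the VPN server and only works for the leftsubnet=0.0.0.0/0 definition.
# -AuthenticationMethod Eap with IKEv2 uses the profile's default EAP method
# (assumed to be EAP-MSCHAPv2 here); add -AllUserConnection for a machine-wide profile.
Add-VpnConnection -Name $Name `
    -ServerAddress $Server `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential `
    -Force

# With split tunneling the client has no route into the remote networks until
# they are added explicitly. Each prefix is installed on the VPN interface when
# the connection comes up. strongSwan still narrows the traffic selector to the
# Class-selected leftsubnet, so a prefix listed here that the server does not
# permit simply gets no connectivity; keep the list to what the server allows.
foreach ($prefix in $RemoteSubnets) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -PassThru
}

# Check the stored profile: SplitTunneling must be True and Routes must list
# the prefixes above (they also show up as RouteN entries in rasphone.pbk).
Get-VpnConnection -Name $Name |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling, Routes

# After connecting (rasdial $Name <user> <password>, or the network flyout),
# confirm that the /24 routes sit on the VPN interface while the 0.0.0.0/0
# default route still points at the local LAN gateway:
#   Get-NetRoute -InterfaceAlias $Name
#   Get-NetRoute -DestinationPrefix '0.0.0.0/0'
```

If you later change the subnets, Remove-VpnConnectionRoute and Add-VpnConnectionRoute edit the stored profile in place; the connection has to be redialled for the new routes to take effect. Note that split tunneling is a deliberate trade-off: Internet traffic leaves the machine outside the IPsec tunnel, which is exactly what the poster wanted here but is not appropriate for a profile that is meant to force all client traffic through the VPN.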