
I've configured my EdgeRouter-X for an IKEv2 VPN tunnel using self-signed certificates. I'm using this VPN to access my home network from my Android phone and my iPad. I can connect from both devices and establish the IKEv2 tunnel, but only file access via SMB works. Both HTTP on port 5000 and HTTPS on port 5001 do not work! So I assume that the tunnel is working but something else in the configuration is missing. In the past I used L2TP, but Android removed the L2TP feature and I had to switch to IKEv2. On my iPad L2TP is still available and it works fine with HTTP/HTTPS. I am by no means an expert in VPN or IKEv2. I googled everything to find out how to create the certificates and set up the router. Apparently I missed something in the configuration.

Here's my IPsec configuration:

vpn {
    ipsec {
        allow-access-to-local-interface disable
        auto-firewall-nat-exclude disable
        remote-access {
            authentication {
                local-users {
                    username my_user_name {
                        password my_password
                    }
                }
                mode local
            }
            client-ip-pool {
                subnet 172.16.30.128/28
            }
            compatibility-mode disable
            dhcp-interface eth0
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            esp-settings {
                proposal 1 {
                    dh-group 16
                    encryption aes256
                    hash sha256
                }
                proposal 2 {
                    dh-group 14
                    encryption aes256
                    hash sha256
                }
            }
            ike-settings {
                authentication {
                    mode x509
                    x509 {
                        ca-cert-file /config/auth/ca-cert.cer
                        local-id my_home.com
                        remote-id %any
                        remote-ca-cert-file /config/auth/ca-cert.cer
                        server-cert-file /config/auth/server-cert.pem
                        server-key-file /config/auth/server-key.pem
                        server-key-password my_server_key_password
                        server-key-type rsa
                    }
                }
                fragmentation disable
                ike-lifetime 86400
                operating-mode ikev2-mobike
                proposal 1 {
                    dh-group 16
                    encryption aes256
                    hash sha256
                }
                proposal 2 {
                    dh-group 14
                    encryption aes256
                    hash sha256
                }
            }
            inactivity 28800
        }
    }
}

And here is my road warrior NAT configuration:

nat {
    rule 5001 {
        description "exclude roadwarrior ipsec"
        destination {
            address 172.16.30.128/28
        }
        exclude
        log disable
        outbound-interface eth0
        protocol all
        type masquerade
    }
}

Any help or hints are highly appreciated!
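An added check, not from the question or from EdgeOS: it parses the posted brace-style configuration (a constructed excerpt with the same values) and confirms that the client-ip-pool is covered by a NAT exclude rule, which must exist as a manual rule whenever auto-firewall-nat-exclude is disabled, as it is in this config.

```python
import ipaddress
# Constructed excerpt of the config from the question (same values, only the keys checked).
CONFIG = """
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        remote-access {
            client-ip-pool {
                subnet 172.16.30.128/28
            }
        }
    }
}
nat {
    rule 5001 {
        destination {
            address 172.16.30.128/28
        }
        exclude
    }
}
"""

def parse(text):
    """Parse EdgeOS brace syntax into nested dicts; bare keywords map to True."""
    root, stack = {}, []
    cur = root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            cur = stack.pop()                      # leave the current block
        elif line.endswith("{"):
            stack.append(cur)                      # enter a nested block
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            key, _, val = line.partition(" ")
            cur[key] = val.strip().strip('"') if val else True
    return root

def pool_excluded_from_nat(cfg):
    """True if the IKEv2 client pool is exempt from masquerade (auto exclusion or a manual rule)."""
    ipsec = cfg["vpn"]["ipsec"]
    pool = ipaddress.ip_network(ipsec["remote-access"]["client-ip-pool"]["subnet"])
    if ipsec.get("auto-firewall-nat-exclude") == "enable":
        return True
    for rule in cfg.get("nat", {}).values():
        dst = rule.get("destination", {}).get("address")
        if rule.get("exclude") is True and dst and pool.subnet_of(ipaddress.ip_network(dst)):
            return True
    return False
```

For the configuration posted above the check passes, so the pool/NAT pairing is not the missing piece; it is meant to be re-run after any edit to either block.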
