# [SOLVED] Strongswan Routing

## cdstealer

Hi All,  

I've been trying on and off for a few weeks to get an ipsec VPN setup so I can use my phone out there in that world.  I've read so many howtos/documentation etc etc that I've probably gotten myself into a confused mess.  Anyway, long story short, I have installed and configured strongswan and the phone connects without issue.  The only problem I have is that no successful traffic happens after that.  It feels like a firewall issue and any attempt to browse just sits waiting to connect.  To test this theory, I disabled both the modem/firewall and iptables with no change (turned back on straight away).  So I've probably missed something, but I don't know what.

Starting strongswan gets this:

```
Oct 30 12:52:04 hostname ipsec[10755]: Starting strongSwan 5.5.0 IPsec [starter]...
Oct 30 12:52:04 hostname ipsec_starter[10755]: Starting strongSwan 5.5.0 IPsec [starter]...
Oct 30 12:52:04 hostname charon[10764]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.8.5-gentoo, x86_64)
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG]   loaded ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.pem'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG]   loaded EAP secret for cdstealer
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loaded 0 RADIUS server configurations
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] HA config misses local/remote address
Oct 30 12:52:04 hostname charon[10764]: 00[LIB] loaded plugins: charon pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-dynamic stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp unity
Oct 30 12:52:04 hostname charon[10764]: 00[JOB] spawning 16 worker threads
Oct 30 12:52:04 hostname ipsec[10755]: charon (10764) started after 60 ms
Oct 30 12:52:04 hostname ipsec_starter[10755]: charon (10764) started after 60 ms
Oct 30 12:52:04 hostname charon[10764]: 12[CFG] received stroke: add connection 'IPSec-Android'
Oct 30 12:52:04 hostname charon[10764]: 12[CFG] adding virtual IP address pool 10.10.11.200/24
Oct 30 12:52:04 hostname charon[10764]: 12[CFG]   loaded certificate "C=GB, O=strongSwan, CN=my.vpn.domain" from 'vpnHostCert.pem'
Oct 30 12:52:04 hostname charon[10764]: 12[CFG] added configuration 'IPSec-Android'
```

Everything looks OK to me.

Connecting gets this:

```
Oct 30 12:52:19 hostname charon[10764]: 11[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (612 bytes)
Oct 30 12:52:19 hostname charon[10764]: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received NAT-T (RFC 3947) vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received XAuth vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received Cisco Unity vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received FRAGMENTATION vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received DPD vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname charon[10764]: 11[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 30 12:52:19 hostname charon[10764]: 11[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (160 bytes)
Oct 30 12:52:19 hostname charon[10764]: 06[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (252 bytes)
Oct 30 12:52:19 hostname charon[10764]: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 30 12:52:19 hostname charon[10764]: 06[IKE] local host is behind NAT, sending keep alives
Oct 30 12:52:19 hostname charon[10764]: 06[IKE] remote host is behind NAT
Oct 30 12:52:19 hostname charon[10764]: 06[IKE] sending cert request for "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname charon[10764]: 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 30 12:52:19 hostname charon[10764]: 06[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (338 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (1500 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] ignoring certificate request without data
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] received end entity cert "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] looking for XAuthInitRSA peer configs matching xxx.xxx.xxx.xxx...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] selected peer config "IPSec-Android"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG]   using certificate "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG]   using trusted ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] checking certificate status of "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] certificate status is not available
Oct 30 12:52:19 hostname charon[10764]: 08[CFG]   reached self-signed root ca with a path length of 0
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] authentication of 'C=GB, O=strongSwan, CN=me@urmoms.com' with RSA_EMSA_PKCS1_NULL successful
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] authentication of 'my.vpn.domain' (myself) successful
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] sending end entity cert "C=GB, O=strongSwan, CN=my.vpn.domain"
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] splitting IKE message with length of 1452 bytes into 3 fragments
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ FRAG(1) ]
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ FRAG(2) ]
Oct 30 12:52:19 hostname ipsec[10755]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.8.5-gentoo, x86_64)
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG]   loaded ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.pem'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG]   loaded EAP secret for cdstealer
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loaded 0 RADIUS server configurations
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] HA config misses local/remote address
Oct 30 12:52:19 hostname ipsec[10755]: 00[LIB] loaded plugins: charon pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-dynamic stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp unity
Oct 30 12:52:19 hostname ipsec[10755]: 00[JOB] spawning 16 worker threads
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG] received stroke: add connection 'IPSec-Android'
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG] adding virtual IP address pool 10.10.11.200/24
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG]   loaded certificate "C=GB, O=strongSwan, CN=my.vpn.domain" from 'vpnHostCert.pem'
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG] added configuration 'IPSec-Android'
Oct 30 12:52:19 hostname ipsec[10755]: 11[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (612 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received NAT-T (RFC 3947) vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received XAuth vendor ID
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ FRAG(3/3) ]
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (544 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (544 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (472 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating TRANSACTION request 3541450630 [ HASH CPRQ(X_USER X_PWD) ]
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (92 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received Cisco Unity vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received FRAGMENTATION vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received DPD vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname ipsec[10755]: 11[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 30 12:52:19 hostname ipsec[10755]: 11[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (160 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 06[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (252 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 30 12:52:19 hostname ipsec[10755]: 06[IKE] local host is behind NAT, sending keep alives
Oct 30 12:52:19 hostname ipsec[10755]: 06[IKE] remote host is behind NAT
Oct 30 12:52:19 hostname ipsec[10755]: 06[IKE] sending cert request for "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname ipsec[10755]: 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 30 12:52:19 hostname ipsec[10755]: 06[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (338 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 08[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (1500 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] ignoring certificate request without data
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] received end entity cert "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] looking for XAuthInitRSA peer configs matching xxx.xxx.xxx.xxx...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] selected peer config "IPSec-Android"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG]   using certificate "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG]   using trusted ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] checking certificate status of "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] certificate status is not available
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG]   reached self-signed root ca with a path length of 0
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] authentication of 'C=GB, O=strongSwan, CN=me@urmoms.com' with RSA_EMSA_PKCS1_NULL successful
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] authentication of 'my.vpn.domain' (myself) successful
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] sending end entity cert "C=GB, O=strongSwan, CN=my.vpn.domain"
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] splitting IKE message with length of 1452 bytes into 3 fragments
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] generating ID_PROT response 0 [ FRAG(1) ]
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] generating ID_PROT response 0 [ FRAG(2) ]
Oct 30 12:52:20 hostname charon[10764]: 11[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Oct 30 12:52:20 hostname charon[10764]: 11[ENC] parsed INFORMATIONAL_V1 request 3109798655 [ HASH N(INITIAL_CONTACT) ]
Oct 30 12:52:20 hostname charon[10764]: 14[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Oct 30 12:52:20 hostname charon[10764]: 14[ENC] parsed TRANSACTION response 3541450630 [ HASH CPRP(X_USER X_PWD) ]
Oct 30 12:52:20 hostname charon[10764]: 14[IKE] XAuth authentication of 'cdstealer' successful
Oct 30 12:52:20 hostname charon[10764]: 14[ENC] generating TRANSACTION request 3279408097 [ HASH CPS(X_STATUS) ]
Oct 30 12:52:20 hostname charon[10764]: 14[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (92 bytes)
Oct 30 12:52:20 hostname charon[10764]: 07[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (108 bytes)
Oct 30 12:52:20 hostname charon[10764]: 07[ENC] parsed TRANSACTION response 3279408097 [ HASH CPA(X_STATUS) ]
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] IKE_SA IPSec-Android[1] established between xxx.xxx.xxx.xxx[my.vpn.domain]...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] IKE_SA IPSec-Android[1] established between xxx.xxx.xxx.xxx[my.vpn.domain]...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] scheduling reauthentication in 9730s
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] maximum IKE_SA lifetime 10270s
Oct 30 12:52:20 hostname charon[10764]: 10[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Oct 30 12:52:20 hostname charon[10764]: 10[ENC] parsed TRANSACTION request 2322239353 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
Oct 30 12:52:20 hostname charon[10764]: 10[IKE] peer requested virtual IP %any
Oct 30 12:52:20 hostname charon[10764]: 10[CFG] assigning new lease to 'cdstealer'
Oct 30 12:52:20 hostname charon[10764]: 10[IKE] assigning virtual IP 10.10.11.200 to peer 'cdstealer'
Oct 30 12:52:20 hostname charon[10764]: 10[ENC] generating TRANSACTION response 2322239353 [ HASH CPRP(ADDR) ]
Oct 30 12:52:20 hostname charon[10764]: 10[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (92 bytes)
Oct 30 12:52:20 hostname charon[10764]: 11[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (476 bytes)
Oct 30 12:52:20 hostname charon[10764]: 11[ENC] parsed QUICK_MODE request 3136888957 [ HASH SA No ID ID ]
Oct 30 12:52:20 hostname charon[10764]: 11[IKE] received 28800s lifetime, configured 3600s
Oct 30 12:52:20 hostname charon[10764]: 11[ENC] generating QUICK_MODE response 3136888957 [ HASH SA No ID ID ]
Oct 30 12:52:20 hostname charon[10764]: 11[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (188 bytes)
Oct 30 12:52:21 hostname charon[10764]: 06[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (92 bytes)
Oct 30 12:52:21 hostname charon[10764]: 06[ENC] parsed QUICK_MODE request 3136888957 [ HASH ]
Oct 30 12:52:21 hostname charon[10764]: 06[IKE] CHILD_SA IPSec-Android{1} established with SPIs ced0dc81_i 058ff1c1_o and TS 0.0.0.0/0 === 10.10.11.200/32
Oct 30 12:52:21 hostname charon[10764]: 06[IKE] CHILD_SA IPSec-Android{1} established with SPIs ced0dc81_i 058ff1c1_o and TS 0.0.0.0/0 === 10.10.11.200/32
```

Strongswan adds these 2 lines to iptables:

```
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.10.11.200         0.0.0.0/0            policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  0.0.0.0/0            10.10.11.200         policy match dir out pol ipsec reqid 1 proto 50
```

This is my ipsec.conf:

```
config setup
        uniqueids=never
        #charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ike
        dpdaction=restart
        dpddelay=300s
        reauth=yes
        aggressive=no
        fragmentation=yes
        type=tunnel
        forceencaps=yes
        rightauth=pubkey
        rightauth2=xauth
        modeconfig=pull
        auto=add
        closeaction=clear
        compress=no

conn IPSec-Android
        left=my.vpn.domain
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        leftsendcert=always
        leftfirewall=yes
        right=%any
        rightid=%any
        rightsubnet=10.10.11.0/24
        rightsourceip=10.10.11.200/24
        rightsendcert=ifasked
```

Thanks muchly and please forgive my potential stupidity :\  If you need any further info, please don't hesitate to ask.
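A diagnostic for the symptom above (IKE_SA and CHILD_SA established, TS 0.0.0.0/0 === 10.10.11.200/32, but no traffic flows), added here as an example and not taken from the post or the author's write-up. The two FORWARD rules that leftfirewall=yes inserts only permit forwarding; the gateway must also have IP forwarding enabled and, because 10.10.11.200 is not routable on the Internet, a POSTROUTING MASQUERADE/SNAT for the pool. The sample rule listings, the pool value 10.10.11.0/24 and the interface name eth0 are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic for a strongSwan road-warrior gateway with virtual IPs.
# Reports which of the three pieces that must exist beyond charon's own
# FORWARD rules are missing:
#   1. net.ipv4.ip_forward = 1
#   2. a FORWARD ACCEPT for traffic arriving from the pool over IPsec
#   3. a POSTROUTING MASQUERADE/SNAT for the pool (replies from the Internet
#      cannot otherwise be routed back to the client's virtual address)
# Inputs are passed as text so it can also be run over captured output.

POOL="10.10.11.0/24"   # rightsourceip pool from ipsec.conf (assumption)
POOL_NET="10.10.11."   # prefix used to match a single leased /32

# diagnose IP_FORWARD FORWARD_RULES NAT_RULES
# Prints one line per missing item and a final "missing: N" line.
diagnose() {
    ip_forward=$1; forward_rules=$2; nat_rules=$3
    missing=0
    if [ "$ip_forward" != "1" ]; then
        echo "MISSING: net.ipv4.ip_forward is '$ip_forward', set it to 1 (sysctl -w net.ipv4.ip_forward=1)"
        missing=$((missing + 1))
    fi
    # charon's rule (iptables -S form) looks like:
    # -A FORWARD -s 10.10.11.200/32 -m policy --dir in --pol ipsec ... -j ACCEPT
    if ! printf '%s\n' "$forward_rules" |
         grep -Eq -- "-A FORWARD -s (${POOL}|${POOL_NET}[0-9]+/32) .*--pol ipsec.*-j ACCEPT"; then
        echo "MISSING: FORWARD ACCEPT for traffic from $POOL matched against the IPsec policy"
        missing=$((missing + 1))
    fi
    if ! printf '%s\n' "$nat_rules" | grep -Eq -- "-A POSTROUTING -s ${POOL} .*-j (MASQUERADE|SNAT)"; then
        echo "MISSING: POSTROUTING MASQUERADE/SNAT for $POOL towards the WAN interface"
        missing=$((missing + 1))
    fi
    echo "missing: $missing"
}

# Collect the real values from the running gateway (needs root and iptables).
live_check() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" \
             "$(iptables -S FORWARD 2>/dev/null)" \
             "$(iptables -t nat -S POSTROUTING 2>/dev/null)"
}

# Constructed sample: the state the post describes, rendered as iptables -S.
# Forwarding rules are present, NAT is not.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -s 10.10.11.200/32 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 10.10.11.200/32 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT'

# Constructed sample of a complete nat table: packets that still leave via
# IPsec are exempted from NAT first, everything else from the pool is masqueraded.
GOOD_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.11.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.11.0/24 -o eth0 -j MASQUERADE'

if [ "${1:-}" = "--live" ]; then live_check; else diagnose 1 "$SAMPLE_FORWARD" "$SAMPLE_NAT"; fi
```

Run it with `--live` on the gateway to check the real kernel and netfilter state; without arguments it evaluates the constructed sample and reports the missing NAT rule.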

----------

## cdstealer

Yay.. after a couple of weeks of dicking about, I think I've done it :)

I've sparsely documented my setup at https://cdblog.cdstealer.com/?p=1231

I'm still working on it, but the main guts of it are there.  It's mainly a braindump for me, but if anyone finds it useful, then I'm happy.

Thanks

CD

----------

