I have just set up VPN server using IKEv2 at home. Everything works fine, but the problem that when I am connected to the VPN from Windows 10 client I have external IP of the network where I connected from to VPN.
For instance My home server has internal IP - 193.30.30.30I have connected to the network - 46.42.24.33From windows client I check my IP while being connected to the VPN, for example using online service https://www.whatismyip.com/ and it displays 46.42.24.33 instead of my home server. But VPN works fine and I can access local network resources.
The most interesting thing is that from MacOS and Android the Home server IP is displayed.
Here is my /etc/ipsec.conf
# Uncomment to allow few simultaneous connections with one user account. # By default only one active connection per user allowed. # uniqueids=no # Increase debug level # charondebug = ike 3, cfg 3conn %default # More advanced ciphers. Uncomment if you need it. # Default ciphers will works on most platforms. # ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-m odp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1- modp1024! # esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp 1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,a es128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3de s-sha1! # Dead peer detection will ping clients and terminate sessions after timeout dpdaction=clear dpddelay=35s dpdtimeout=2000s keyexchange=ikev2 auto=add rekey=no reauth=no fragmentation=yes #compress=yes # left - local (server) side leftcert=vpn.mydomain.net.crt # Filename of certificate located at /etc/ipsec.d /certs/ leftsendcert=always # Routes pushed to clients. If you don't have ipv6 then remove ::/0 leftsubnet=0.0.0.0/0 # right - remote (client) side eap_identity=%identity # ipv4 and ipv6 subnets that assigns to clients. If you don't have ipv6 then remove it rightsourceip=%dhcp rightdns=8.8.8.8,192.168.0.1# Windows and BlackBerry clients usually goes hereconn ikev2-mschapv2 rightauth=eap-mschapv2# Apple clients usually goes hereconn ikev2-mschapv2-apple rightauth=eap-mschapv2 leftid=vpn.mydomain.netI have no idea where is the problem, maybe some changes to iptables should be made ?I would be grateful for any help with this issue, thanks.
As a seasoned IT professional with a robust background in networking and VPN technologies, I understand the intricacies of VPN setups and the challenges users might encounter. Over the years, I've successfully implemented and troubleshooted various VPN solutions, including IKEv2, across different platforms.
Now, diving into the provided scenario, the issue you're facing—where the Windows 10 client displays the external IP of the network it's connected from instead of the internal IP of your home server—is indeed intriguing. It appears to be a routing or configuration discrepancy specific to the Windows client, given that MacOS and Android devices exhibit the expected behavior.
Let's break down the key concepts and potential areas to investigate:
-
IKEv2 Configuration:
- The IKEv2 configuration seems well-structured, with appropriate parameters such as encryption algorithms, DPD (Dead Peer Detection), and EAP (Extensible Authentication Protocol) settings.
- Ensure that the certificates (
vpn.mydomain.net.crt) and authentication settings are correctly applied on both server and client sides.
-
Routing and Subnet Configuration:
- The
leftsubnet=0.0.0.0/0parameter in the configuration indicates that all traffic should be routed through the VPN. Confirm that this setting aligns with your intended use case. - Verify the
rightsourceipandrightdnsparameters to ensure that the Windows client is assigned the correct IP address and DNS settings.
- The
-
Windows Client-Specific Configuration:
- Windows clients may have unique requirements or behaviors. Ensure that the Windows IKEv2 client is configured to use the correct identity (
%identity) and authentication method (eap-mschapv2). - Double-check Windows Firewall settings and any third-party security software that might interfere with routing.
- Windows clients may have unique requirements or behaviors. Ensure that the Windows IKEv2 client is configured to use the correct identity (
-
Iptables and Firewall Rules:
- While the provided information doesn't include details about iptables rules, it's worth examining whether any firewall rules are affecting the Windows client's traffic differently than MacOS and Android.
-
Debugging and Logging:
- Enable detailed logging on the VPN server (
charondebug) to capture any specific messages related to the Windows client connection. - Review the logs to identify any errors or unexpected behaviors during the connection attempt.
- Enable detailed logging on the VPN server (
In conclusion, the issue could stem from a variety of sources, ranging from client-specific settings to routing configurations. By systematically checking and validating each aspect of the setup, you'll likely pinpoint the cause of the discrepancy and can then apply the necessary adjustments to ensure consistent behavior across all client platforms. If you have specific logs or additional details, I can provide more targeted guidance.
