Help configuring IPsec IKEv2 remote access

Hi,

I am trying to configure IPsec remote access (road warrior), but so far I have not been able to get it working.

Configuration details and commands I used:

Public address: some-domain.net (resolves to 100.abc.abc.abc)
LAN: 10.10.10.0/24
Subnet assigned to VPN clients: 172.16.0.0/29

set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall

set pki ca Root-CA certificate 'MIIC...'
set pki ca Signing-CA certificate 'MIIC...'

set pki certificate some-domain.net certificate 'MIIC...'
set pki certificate some-domain.net private key 'NIdD...'

set vpn ipsec esp-group ESP-RA lifetime '3600'
set vpn ipsec esp-group ESP-RA pfs 'disable'
set vpn ipsec esp-group ESP-RA proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-RA proposal 1 hash 'sha256'

set vpn ipsec ike-group IKE-RA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RA lifetime '7200'
set vpn ipsec ike-group IKE-RA proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-RA proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-RA proposal 1 hash 'sha256'

set vpn ipsec remote-access connection RA authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection RA authentication local-id 'some-domain.net'
set vpn ipsec remote-access connection RA authentication local-users username rhinok239 password '286755fad04869ca523320acce0dc6a4'
set vpn ipsec remote-access connection RA authentication server-mode 'x509'
set vpn ipsec remote-access connection RA authentication x509 ca-certificate 'Root-CA'
set vpn ipsec remote-access connection RA authentication x509 certificate 'some-domain.net'
set vpn ipsec remote-access connection RA esp-group 'ESP-RA'
set vpn ipsec remote-access connection RA ike-group 'IKE-RA'
set vpn ipsec remote-access connection RA local prefix '172.16.0.0/29'
set vpn ipsec remote-access connection RA local-address '100.abc.abc.abc'
set vpn ipsec remote-access connection RA pool 'RA-POOL'

set vpn ipsec remote-access pool RA-POOL name-server '10.10.10.3'
set vpn ipsec remote-access pool RA-POOL prefix '172.16.0.0/29'

On the firewall I have rules to allow IPsec (I also have an IPsec site-to-site tunnel running just fine).

On the client I can connect to the VPN, but I cannot access anything, and while a client is connected, listing the connection details shows nothing:

show vpn ipsec remote-access detail
No active connections found, aborting

Does anyone know what I'm missing?
