Hello.
I got now a connection on Linux Mint with this configuration:
conn PP
keyexchange=ikev2
dpdaction=none
dpddelay=300s
inactivity=36000s
rekey=no
leftsourceip=%config4,%config6
leftsendcert=never
leftauth=eap-mschapv2
rightauth=pubkey
right=amsterdam.perfect-privacy.com
rightid=%any
rightca=/etc/ipsec.d/cacerts/perfect-privacy_ipsec_ca.crt
rightsubnet=0.0.0.0/0,::/0
rightsendcert=always
eap_identity="PPUsername"
type=tunnel
auto=add
The configuration unfortunately does not run on OpenWRT. So I copied some of this thread:
Now I have this configuration and I don't know if I can still optimize it.
/etc/ipsec.conf:
conn lan-passthrough
leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
conn PP
keyexchange=ikev2
dpdaction=none
dpddelay=300s
inactivity=36000s
rekey=no
forceencaps=yes
authby=secret
ike=aes256-sha256-modp2048
esp=aes256-sha256
leftfirewall=yes
left=192.168.1.1
leftid=192.168.1.1
leftsourceip=%config4,%config6
leftsendcert=never
leftauth=eap-mschapv2
rightfirewall=yes
rightauth=pubkey
right=amsterdam.perfect-privacy.com
rightid=%any
rightsubnet=0.0.0.0/0,::/0
rightsendcert=always
eap_identity="PPUsername"
type=tunnel
auto=add
/etc/ipsec.user:
case "$PLUTO_VERB" in
up-client)
iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
;;
down-client)
iptables -t nat -F postrouting_wan_rule
;;
esac
Why does the configuration work without a certificate? However, this configuration does not work with all websites. Maybe a DNS problem? The DNS servers of the VPN provider are not displayed, but they are displayed by the ISP.
How to use DNS servers from VPN provider with IKEv2 configuration?
Best regards
Bernd
Edit: The option leftdns=%config4,%config4
has no effect. DNS servers are still from ISP.
Is it possible to add these scripts?
When IKEv2 is activated, then this script will be executed:
#!/bin/sh
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//domain/p
" | sort -u > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn"
/etc/init.d/dnsmasq restart
And when IKEv2 is disabled, then this script will be executed:
#!/bin/sh
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto"
/etc/init.d/dnsmasq restart
Would that work?