This is my ipsec.conf:

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn g-to-h
    authby=secret
    left=%defaultroute
    leftid=<my_public_ip>
    leftsubnet=10.254.248.0/24
    right=<server_public_ip>
    rightsubnet=10.0.0.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyexchange=ikev2
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
    ipsec-interface=yes

This is my ipsec.secrets:

<my_public_ip> <server_public_ip> : PSK "key_here"
<server_public_ip> <my_public_ip> : PSK "key_here"
This is my ipsec statusall:
Connections:
g-to-h: %any...<server_public_ip> IKEv2, dpddelay=30s
g-to-h: local: [<my_public_ip>] uses pre-shared key authentication
g-to-h: remote: [<server_public_ip>] uses pre-shared key authentication
g-to-h: child: 10.254.248.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=start
Security Associations (1 up, 0 connecting):
g-to-h[1]: ESTABLISHED 11 minutes ago, <my_public_ip>[<my_public_ip>]...<server_public_ip>[<server_public_ip>]
g-to-h[1]: IKEv2 SPIs: 71c6934db0651bd3_i* eed311ab74ffa18c_r, pre-shared key reauthentication in 34 minutes
g-to-h[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
g-to-h{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c38c1905_i cce42a5c_o
g-to-h{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 23352 bytes_o (278 pkts, 381s ago), rekeying in 7 hours
g-to-h{1}: 10.254.248.0/24 === 10.0.0.0/24
/etc/config/firewall:

config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq6 '0'
    list network 'lan'
    list network 'dlan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option masq6 '0'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network '4G'
    list masq_dest '!10.0.0.0/24'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option proto 'esp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISP-ISAKMP'
    option src 'wan'
    option src_port '500'
    option dest_port '500'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option target 'ACCEPT'
    option src '*'
    option dest_port '500 4500'
    list proto 'all'
    option name 'Allow-IPSec'
    option enabled '1'

config forwarding
    option src 'lan'
    option dest 'wan'
My goal is to be able to ping the range 10.0.0.0/24, but right now nothing happens. Any help would be appreciated.
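The statusall above shows the CHILD_SA with 23352 bytes_o but 0 bytes_i: ESP leaves the router and nothing ever comes back, which points at the return path on one of the two sides rather than at IKE, since the SA itself is ESTABLISHED and INSTALLED. As an added diagnostic (not code from the post or from strongSwan), this shell function scans `ipsec statusall` output for that one-way pattern; the sample lines are constructed from the post's status output, and the `other{2}` line is an invented healthy SA for contrast.

```shell
#!/bin/sh
# Flag strongSwan CHILD_SAs that send ESP but never receive any
# ("0 bytes_i, N bytes_o"): the tunnel is up, the return path is not.

# Constructed sample: the first three lines follow the post's statusall,
# the "other{2}" line is a made-up healthy SA that must NOT be flagged.
SAMPLE='g-to-h{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c38c1905_i cce42a5c_o
g-to-h{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 23352 bytes_o (278 pkts, 381s ago), rekeying in 7 hours
g-to-h{1}: 10.254.248.0/24 === 10.0.0.0/24
other{2}: AES_CBC_256/HMAC_SHA2_256_128, 4096 bytes_i (30 pkts, 2s ago), 8192 bytes_o (40 pkts, 1s ago), rekeying in 7 hours'

# one_way_sas: read statusall text on stdin, print "name bytes_in bytes_out"
# for every CHILD_SA whose inbound counter is 0 while outbound is > 0.
# Handles both counter layouts strongSwan prints: "0 bytes_i," when nothing
# was received and "4096 bytes_i (30 pkts, 2s ago)," when traffic flows.
one_way_sas() {
    awk '
        /bytes_i/ && /bytes_o/ {
            name = $1; sub(/:$/, "", name)
            in_b = -1; out_b = -1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^bytes_i,?$/) in_b = $(i - 1)
                if ($i ~ /^bytes_o,?$/) out_b = $(i - 1)
            }
            if (in_b == 0 && out_b > 0) print name, in_b, out_b
        }'
}

# two_way_ok: exit 0 when no CHILD_SA is one-way, 1 otherwise (cron/alerting).
two_way_ok() {
    [ -z "$(one_way_sas)" ]
}

case "${1:-}" in
    --live) ipsec statusall | one_way_sas ;;          # run on the router itself
    *)      printf '%s\n' "$SAMPLE" | one_way_sas ;;  # offline demo on the sample
esac
```

On the router, `sh check.sh --live` prints one line per SA that is only sending; an empty result means both directions carry traffic and the problem lies elsewhere (for example plain routing or the pinged host itself).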