Ipsec host to net

Hi!
I want to set up my IPFire so that my mobile is able to connect to IPFire via IPsec.
Hopefully my common setup is OK
(the only question I have: in the global section setup, do I use an existing subnet on IPFire, or do I have to choose a new one?)
I also created a cert for the client, but on my mobile when I try to import it, I am asked for the password and it tells me “wrong password”, but the password is definitely right…
I followed the wiki for the setup…

Ciao Gerd

Hi,

To quote from the documentation:

Host-to-Net Virtual Private Network (RoadWarrior) defines a new subnet, using CIDR notation, which will be used to assign IP addresses to clients.

Therefore, this must not be an existing network, but a new one not already being in use.

Please provide further information on your client. What operating system is it running? What IPsec/VPN application are you using?

Thanks, and best regards,
Peter Müller
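As an added example (not from this thread and not IPFire's own code): the documentation quoted above requires the Host-to-Net pool to be a network that is not already in use, and a quick overlap check before typing it into the global section avoids a clash that is hard to diagnose later. The existing networks below are constructed sample values; only 192.168.66.0/24 comes from later in this thread.

```python
"""Check a proposed IPsec roadwarrior subnet against networks already in use.

Added example, not IPFire's own code. The candidate must be a valid prefix
(no host bits set), a private IPv4 range, and must not overlap any network
the firewall already serves.
"""
import ipaddress

# Constructed sample of networks already in use (assumed values, not from
# the thread); adjust to the real GREEN/BLUE/ORANGE/OpenVPN networks.
EXISTING_NETWORKS = {
    "green": "192.168.1.0/24",
    "blue": "192.168.2.0/24",
    "openvpn": "10.8.0.0/24",
}


def find_overlaps(candidate, existing=EXISTING_NETWORKS):
    """Return the names of existing networks that overlap the candidate CIDR."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return sorted(
        name for name, cidr in existing.items()
        if cand.overlaps(ipaddress.ip_network(cidr))
    )


def check_roadwarrior_subnet(candidate, existing=EXISTING_NETWORKS):
    """Return (ok, reason) for a proposed Host-to-Net client pool."""
    try:
        # strict=True rejects e.g. 192.168.66.5/24, which has host bits set
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, f"not a valid network prefix: {exc}"
    if not net.is_private:
        return False, f"{net} is not a private (RFC 1918) range"
    if net.num_addresses < 4:
        return False, f"{net} has no room for clients"
    clashes = find_overlaps(candidate, existing)
    if clashes:
        return False, f"{net} overlaps existing network(s): {', '.join(clashes)}"
    return True, f"{net} is free to use as the roadwarrior pool"


if __name__ == "__main__":
    for cidr in ("192.168.66.0/24", "192.168.1.0/24",
                 "192.168.66.5/24", "8.8.8.0/24"):
        print(cidr, "->", check_roadwarrior_subnet(cidr))
```

Run it with the real networks filled in; a candidate that overlaps GREEN is exactly the "existing subnet" the documentation rules out.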

Hi Peter!

The client is a Samsung S21 with Android 11…
Meanwhile I figured out (correct me if I'm wrong) that I use the “new” net for new clients. So the first client will get XXY.YYY.ZZZ.1
Meanwhile at least I get a connection with PSK, and in the IPFire routing table I can't see this IP at all.
I guess I use this IP and IPFire does src-NAT?? But how can I manage to get an IP e.g. within the green network?

Ciao Gerd

Hi,

Hm. Not having used this myself, I regret to say that I won't be able to help you. Perhaps IPsec for this is documented somewhere - I am pretty sure more people have the need of establishing an IPsec connection… :slight_smile:

To my knowledge, yes.

The latter is intentional, since a dedicated route to this network is not necessary. This is different in OpenVPN, where everything related happens on a distinct virtual interface, so you will see new routes showing up there.

Can you ping through the IPsec tunnel in both ways?

You cannot. Roadwarriors will always get an IP address in a distinct subnet, but you can create firewall rules for allowing traffic into your GREEN network.

Thanks, and best regards,
Peter Müller

Hi!

I cannot ping both ways, only from the client to the network; services seem to work, so traffic from the green network is running.
BTW: e.g. a Fritzbox gives the client an IP in the network…

Ciao Gerd

OK, I tried to set up IPsec/L2TP on a host inside the network…
I can connect from inside but not from outside. On IPFire I forwarded UDP ports 500 and 1701 to the host… did I miss any other setting to fulfill the requirements?

Ciao Gerd

Hi! Meanwhile I'm a little further… :slight_smile:
My IPsec network is 192.168.66.0/24
Temporarily I route all things through the tunnel… but when the VPN connection is active…
the IP of the phone is 192.168.66.2 … I can ping from both sides and use services via IP from my green net.
But… I have no DNS at all on my phone… neither regular nor local…
DNS for the connection is set to the IP of IPFire; I also tried to set it in the local connection settings but with no success.
I also tried it like here

Ciao Gerd