Just tested with my iPhone. Working 
Will test iPad later.
Thanks a lot @jon
Edit:
iPad has a problem.
Any suggestions?
Itās not logical to me that same iOS behave differently.
Edit2:
Update to iOS 14.7.1 both iDevices (released today).
Now working on iPad. And still on iPhone 
With OpenVPN I can VPN from BLUE to GREEN by changing one line in the .ovpn file:
remote example.ddns.org 1194
-to-
remote 192.168.65.1 1194
I want to do something similar with IPsecā¦
Why? Because I want to test IPsec with other devices beside my iPhone. I donāt have any ofter devices that are āoutsideā my local network.
I tried change the Local ID from @example.ddns.org to @192.168.65.1. And that did not work.
Then I tried changing the host certificate SubjectAlternativeName from DNS:example2.ddns.org to IP:192.168.65.1. And that did not work.
Jul 30 15:27:01 ipfire charon: 08[NET] received packet: from 192.168.65.136[500] to <myInternetIP>[500] (424 bytes)
Jul 30 15:27:01 ipfire charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jul 30 15:27:01 ipfire charon: 08[IKE] 192.168.65.136 is initiating an IKE_SA
Jul 30 15:27:01 ipfire charon: 08[IKE] 192.168.65.136 is initiating an IKE_SA
Jul 30 15:27:01 ipfire charon: 08[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Jul 30 15:27:01 ipfire charon: 08[IKE] sending cert request for "C=US, O=myHome3, CN=myHome3 CA"
Jul 30 15:27:01 ipfire charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 30 15:27:01 ipfire charon: 08[NET] sending packet: from <myInternetIP>[500] to 192.168.65.136[500] (473 bytes)
Jul 30 15:27:01 ipfire charon: 06[NET] received packet: from 192.168.65.136[4500] to <myInternetIP>[4500] (540 bytes)
Jul 30 15:27:01 ipfire charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Jul 30 15:27:01 ipfire charon: 06[ENC] received fragment #1 of 4, waiting for complete IKE message
Jul 30 15:27:01 ipfire charon: 12[NET] received packet: from 192.168.65.136[4500] to <myInternetIP>[4500] (540 bytes)
Jul 30 15:27:01 ipfire charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Jul 30 15:27:01 ipfire charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
Jul 30 15:27:01 ipfire charon: 09[NET] received packet: from 192.168.65.136[4500] to <myInternetIP>[4500] (540 bytes)
Jul 30 15:27:01 ipfire charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Jul 30 15:27:01 ipfire charon: 09[ENC] received fragment #3 of 4, waiting for complete IKE message
Jul 30 15:27:01 ipfire charon: 10[NET] received packet: from 192.168.65.136[4500] to <myInternetIP>[4500] (412 bytes)
Jul 30 15:27:01 ipfire charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Jul 30 15:27:01 ipfire charon: 10[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1839 bytes)
Jul 30 15:27:01 ipfire charon: 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Jul 30 15:27:01 ipfire charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Jul 30 15:27:01 ipfire charon: 10[IKE] received end entity cert "C=US, O=myHome3, CN=Test2"
Jul 30 15:27:01 ipfire charon: 10[CFG] looking for peer configs matching <myInternetIP>[ipfire.localdomain]...192.168.65.136[Test2]
Jul 30 15:27:01 ipfire charon: 10[CFG] no matching peer config found
Jul 30 15:27:01 ipfire charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 30 15:27:01 ipfire charon: 10[IKE] peer supports MOBIKE
Jul 30 15:27:01 ipfire charon: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 30 15:27:01 ipfire charon: 10[NET] sending packet: from <myInternetIP>[4500] to 192.168.65.136[4500] (65 bytes)
Jul 30 15:27:13 ipfire last message repeated 5 times
How can I VPN from BLUE to GREEN via IPSec?
So no way, huh?
New question: Does the Mac OS (using Catalina) work with IPFire IPsec?
I can get the iPhone to work A-OK, but not a Mac.
I see this error:
I tried digging through the MacOS logs but I donāt see anything (but I do see openvpn items).
MBP:~ Jon$ cat /var/log/system.log | grep -ie vpn -ie ipsec -ie ikev2 -ie networkextension
Aug 8 21:36:07 MBP6 com.apple.xpc.launchd[1] (net.tunnelblick.openvpn.process-network-changes): Service only ran for 6 seconds. Pushing respawn out by 4 seconds.
MBP:~ Jon$ tail -f /var/log/system.log | grep -ie vpn -ie ipsec -ie ikev2 -ie networkextension
I use mojave and it works very well.
I only recently started using IPsec with an iPhone. And this is the first time on a Mac.
I followed these instructions (multiple, multiple times):
https://wiki.ipfire.org/configuration/services/ipsec/host-to-net/apple
I click the Apple icon and download to my Mac. I double click to new file to import it into the Mac.
I see this in the System Preferences > Network.
I assuming I can just click Connect and magic happens. But I immediately see the error in my above post.
I was hoping to see a hint in a Mac log but I cannot locate that hint! 
Is there anything you setup in Authentication Settingsā¦ or in Advancedā¦ ?
Are there any pointers you can offer? Is the iOS install slightly different from the Mac install?
Any suggestions are welcome!
I did that from my macbook. You should change the server address to the local IP, for example in my case is 10.1.1.1, but leave the certificate unchanged. You have just to duplicate the phone or the macbook settings (using a different name) and point that setting to the local address instead of the public url or IP address (in macbook you do that by opening network preferences, clicking to the VPN entry and changing the server address).
@jon About your other problem, could you check what happens from the IPFire side when you try to open a tunnel with your macbook? You can look at the WUI/logs/system logs/IPSec or from the console:
cat /var/log/messages | grep charon
(note: I realize you know how to look at the logs, but I say this for anyone that is totally unfamiliar with how to find the logs and is reading this thread).
This is what I see during the IKEv2 handshake, as a reference:
Aug 10 03:37:32 ipfire charon: 09[NET] received packet: from IP_redacted[46651] to IP_redacted[500] (64 bytes)
Aug 10 03:37:32 ipfire charon: 09[ENC] parsed ID_PROT request 0 [ SA ]
Aug 10 03:37:32 ipfire charon: 09[IKE] no IKE config found for IP_redacted...IP_redacted, sending NO_PROPOSAL_CHOSEN
Aug 10 03:37:32 ipfire charon: 09[ENC] generating INFORMATIONAL_V1 request 1909404738 [ N(NO_PROP) ]
Aug 10 03:37:32 ipfire charon: 09[NET] sending packet: from IP_redacted[500] to IP_redacted[46651] (40 bytes)
Aug 10 09:41:42 ipfire charon: 03[ENC] no message rules specified for this message type
Aug 10 09:41:42 ipfire charon: 03[NET] received unsupported IKE version 0.0 from IP_redacted, sending INVALID_MAJOR_VERSION
Aug 10 10:44:54 ipfire charon: 14[NET] received packet: from IP_redacted[26677] to IP_redacted500] (604 bytes)
Aug 10 10:44:54 ipfire charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 10 10:44:54 ipfire charon: 14[IKE] IP_redacted is initiating an IKE_SA
Aug 10 10:44:54 ipfire charon: 14[IKE] IP_redacted is initiating an IKE_SA
Aug 10 10:44:54 ipfire charon: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Aug 10 10:44:54 ipfire charon: 14[IKE] remote host is behind NAT
Aug 10 10:44:54 ipfire charon: 14[IKE] DH group MODP_2048 unacceptable, requesting ECP_256
Aug 10 10:44:54 ipfire charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 10 10:44:54 ipfire charon: 14[NET] sending packet: from IP_redacted[500] to IP_redacted[26677] (38 bytes)
Aug 10 10:44:55 ipfire charon: 16[NET] received packet: from IP_redacted[26677] to IP_redacted[500] (412 bytes)
Aug 10 10:44:55 ipfire charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 10 10:44:55 ipfire charon: 16[IKE] IP_redacted is initiating an IKE_SA
Aug 10 10:44:55 ipfire charon: 16[IKE] IP_redacted is initiating an IKE_SA
Aug 10 10:44:55 ipfire charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Aug 10 10:44:55 ipfire charon: 16[IKE] remote host is behind NAT
Aug 10 10:44:55 ipfire charon: 16[IKE] sending cert request for "C=CH, O=redacted, CN=redacted CA"
Aug 10 10:44:55 ipfire charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 10 10:44:55 ipfire charon: 16[NET] sending packet: from IP_redacted[500] to IP_redacted[26677] (289 bytes)
Aug 10 10:44:55 ipfire charon: 09[NET] received packet: from IP_redacted[36214] to IP_redacted[4500] (532 bytes)
Aug 10 10:44:55 ipfire charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ]
Aug 10 10:44:55 ipfire charon: 09[ENC] received fragment #1 of 5, waiting for complete IKE message
Aug 10 10:44:55 ipfire charon: 08[NET] received packet: from IP_redacted[36214] to IP_redacted[4500] (532 bytes)
Aug 10 10:44:55 ipfire charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ]
Aug 10 10:44:55 ipfire charon: 08[ENC] received fragment #2 of 5, waiting for complete IKE message
Aug 10 10:44:55 ipfire charon: 10[NET] received packet: from IP_redacted[36214] to IP_redacted[4500] (532 bytes)
Aug 10 10:44:55 ipfire charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ]
Aug 10 10:44:55 ipfire charon: 10[ENC] received fragment #3 of 5, waiting for complete IKE message
Aug 10 10:44:55 ipfire charon: 11[NET] received packet: from IP_redacted[36214] to IP_redacted[4500] (532 bytes)
Aug 10 10:44:55 ipfire charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ]
Aug 10 10:44:55 ipfire charon: 11[ENC] received fragment #4 of 5, waiting for complete IKE message
Aug 10 10:44:55 ipfire charon: 13[NET] received packet: from IP_redacted[36214] to IP_redacted[4500] (196 bytes)
Aug 10 10:44:55 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ]
Aug 10 10:44:55 ipfire charon: 13[ENC] received fragment #5 of 5, reassembled fragmented IKE message (2032 bytes)
Aug 10 10:44:55 ipfire charon: 13[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Aug 10 10:44:55 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 10 10:44:55 ipfire charon: 13[IKE] received end entity cert "C=CH, O=redacted, CN=redacted"
Aug 10 10:44:55 ipfire charon: 13[CFG] looking for peer configs matching IP_redacted[url_redacted]... IP_redacted[redacted]
Aug 10 10:44:55 ipfire charon: 13[CFG] selected peer config 'mac'
Aug 10 10:44:55 ipfire charon: 13[CFG] using trusted ca certificate "C=CH, O=redacted, CN=redacted CA"
Aug 10 10:44:55 ipfire charon: 13[CFG] checking certificate status of "C=CH, O=redacted, CN=redacted
Aug 10 10:44:55 ipfire charon: 13[CFG] certificate status is not available
Aug 10 10:44:55 ipfire charon: 13[CFG] reached self-signed root ca with a path length of 0
Aug 10 10:44:55 ipfire charon: 13[CFG] using trusted certificate "C=CH, O=redacted, CN=redacted"
Aug 10 10:44:55 ipfire charon: 13[IKE] authentication of 'redacted' with RSA signature successful
Aug 10 10:44:55 ipfire charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 10 10:44:55 ipfire charon: 13[IKE] peer supports MOBIKE
Aug 10 10:44:55 ipfire charon: 13[IKE] authentication of 'url_redacted' (myself) with RSA signature successful
Aug 10 10:44:55 ipfire charon: 13[IKE] IKE_SA mac[359] established between ip_redacted[url_redacted]...ip_redacted[redacted]
Aug 10 10:44:55 ipfire charon: 13[IKE] IKE_SA mac[359] established between IP_redacted[url_redacted]...IP_redacted[redacted]
Aug 10 10:44:55 ipfire charon: 13[IKE] sending end entity cert "C=CH, O=redacted, CN=url_redacted"
Aug 10 10:44:55 ipfire charon: 13[IKE] peer requested virtual IP %any
Aug 10 10:44:55 ipfire charon: 13[CFG] reassigning offline lease to 'redacted'
Aug 10 10:44:55 ipfire charon: 13[IKE] assigning virtual IP 10.1.1.161 to peer 'redacted'
Aug 10 10:44:55 ipfire charon: 13[IKE] peer requested virtual IP %any6
Aug 10 10:44:55 ipfire charon: 13[IKE] no virtual IP found for %any6 requested by 'redacted'
Aug 10 10:44:55 ipfire charon: 13[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Aug 10 10:44:55 ipfire charon: 13[IKE] CHILD_SA mac{655} established with SPIs c0f5c504_i 0a0cd45b_o and TS 0.0.0.0/0 === 10.1.1.161/32
Aug 10 10:44:55 ipfire charon: 13[IKE] CHILD_SA mac{655} established with SPIs c0f5c504_i 0a0cd45b_o and TS 0.0.0.0/0 === 10.1.1.161/32
Aug 10 10:44:55 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Aug 10 10:44:55 ipfire charon: 13[ENC] splitting IKE message (1808 bytes) into 2 fragments
Aug 10 10:44:55 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Aug 10 10:44:55 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Aug 10 10:44:55 ipfire charon: 13[NET] sending packet: from ip_redacted[4500] to ip_redacted[36214] (1236 bytes)
Aug 10 10:44:55 ipfire charon: 13[NET] sending packet: from IP_redacted[4500] to IP_redacted[36214] (644 bytes)
I thought I had done this but I will give it another try! Thank you!
There are no log entries when I try to connect.
If I connect via my iPhone I see similar log entries. But if I connect via my MacBook I see no log entries on the IPFire box. ugh!
This tells us that your mackbook doesnāt even try to connect. Do you agree? if this is the case we need to troubleshoot the client side of the connection (which it was your conclusion few messages back, I guess).
I see two possibilities:
If I were you I would make sure that 1 cannot be the case. I assume it is two. This is what I suggest.
Start āKeychain accessā, go to system, my certificates. Click on the IPSec certificate (*), go to access control and check that the option āallow all the applications to access this itemā is selected, see image below.
Next, go to Network preferences, create a new device (+), select VPN from the drop down menu. Fill in the remote address, Remote ID and local ID. Select authentication settings, select ānoneā from the drop down menu. At this point you can select your certificate from the keychain, click OK. Try to connect and see if this time you can reach strongswan. If you want to do it from the blue network, you do all this except putting the gateway private address in server address. All this works without any problem from my side. I think we can figure out whatās wrong with your system.
(*) if it is not there you need to import it.
Right now I am looking at ā2. the configuration is brokenā since I can connect fine via an iPhone and IPsec.
The Mojave Keychain is different then Catalina Keychain. My key is under:
Curious - Do you do these steps for all IPsec keys?
As a side: I finally stumbled on a command to look at IPsec logs on the Mac side:
log stream --info --predicate 'senderImagePath contains[cd] "NetworkExtension"'
Iāll be back!
The below info is for Mac OS Catalina v10.15.7. This is the only version I have available to test.
OK - I think I got most of it working A-OK!
My iPhone profile has been working well for the past few days. And so I copied my working iPhone IPsec profile to my MacBook. And it did not work. 
BUT - it did start making entries in the IPFire IPsec (charon) message log! 
[root@ipfire ~]# grep -a charon /var/log/messages
. . .
Aug 11 18:40:43 ipfire4 charon: 05[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024
Aug 11 18:40:43 ipfire4 charon: 05[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 18:40:43 ipfire4 charon: 05[IKE] no matching proposal found, trying alternative config
Aug 11 18:40:43 ipfire4 charon: 05[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024
Aug 11 18:40:43 ipfire4 charon: 05[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 18:40:43 ipfire4 charon: 05[IKE] no matching proposal found, trying alternative config
Aug 11 18:40:43 ipfire4 charon: 05[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024
Aug 11 18:40:43 ipfire4 charon: 05[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 18:40:43 ipfire4 charon: 05[IKE] remote host is behind NAT
Aug 11 18:40:43 ipfire4 charon: 05[IKE] received proposals unacceptable
Aug 11 18:40:43 ipfire4 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
So basically the log is saying received proposals unacceptable and NO_PROP (no proposal?).
So next I followed Tomās advice aboveā¦
ā¦ and I unchecked IKE+ESP: Use only proposed settings. And sent the updated profile to the MacBook (again).
Aug 11 19:05:41 ipfire4 charon: 16[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024
Aug 11 19:05:41 ipfire4 charon: 16[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048
Aug 11 19:05:41 ipfire4 charon: 16[IKE] no matching proposal found, trying alternative config
Aug 11 19:05:41 ipfire4 charon: 16[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024
Aug 11 19:05:41 ipfire4 charon: 16[IKE] remote host is behind NAT
Aug 11 19:05:41 ipfire4 charon: 16[IKE] sending cert request for "C=xx, O=myHome, CN=myHome CA"
Aug 11 19:05:41 ipfire4 charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
And boom - it worked! I got my first MacBook IPsec connection to IPFire. 
And based on the above I set the Advanced page to AES_GCM_16_256 / PRF_HMAC_SHA2_256 / MODP_1024. I checked IKE+ESP: Use only proposed settings (the default setting).
And sent the re-updated profile to the MacBook (again). All now works as expected!
Additional notes / Lessons learned:
log stream --info --predicate 'senderImagePath contains[cd] "NetworkExtension"'
Done!
Way to go, @jon!
Client logs are rarely helpful, so relying on the output in the kernel log is essential. Different clients require different proposals, and sometimes they can manually be configured to use stronger encryption. MODP1024 is pretty weak, and I suspect that if you dig around a bit, Thereās a way to force MacOS to use something stronger.
@jon You did an outstanding job here, and a useful one for all the people coming from the Mac ecosystem to IPFire. I canāt stress enough how much I want to congratulate you.
By the way, this works also in Mojave
For reference, this is what I am using, It would be wonderful if @jon or @trymes would give a feedback
@cfusco - your config, with ECP256 and ECP384 selected, is definitely a lot better than what @jon is using with MODP1024.
This did not work. Not sure what I am doing wrong! 
Aug 12 19:24:04 ipfire charon: 09[NET] sending packet: from <myInternetIP>[500] to 192.168.65.111[500] (345 bytes)
Aug 12 19:24:04 ipfire charon: 08[NET] received packet: from 192.168.65.111[4500] to <myInternetIP>[4500] (540 bytes)
. . .
Aug 12 19:24:04 ipfire charon: 13[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
. . .
Aug 12 19:24:04 ipfire charon: 13[CFG] looking for peer configs matching <myInternetIP>[192.168.65.1]...192.168.65.111[JMBP6]
Aug 12 19:24:04 ipfire charon: 13[CFG] no matching peer config found
Aug 12 19:24:04 ipfire charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 12 19:24:04 ipfire charon: 13[IKE] peer supports MOBIKE
Aug 12 19:24:04 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Iām sorry, but Iām sure you have a good reason for wanting to establish a VPN from a device on blue to the router, but itās far beyond me to understand it. For testing, maybe, but there are so many extra variables that it doesnāt make sense to me, and in actual usage, the encryption on the WiFi connection ought to be enough. If it isnāt, then you shouldnāt be using WiFi, IMHO.
It may be possible to make this work, but I expect that it will not. Also, donāt forget that devices or subnets need to be added in Blue Access, and a firewall rule needs to be created for blue to access green.
Beyond that, I suspect an disconnect between the certificate address/name and the address you are connecting to. Even if you are able to make it work, you may very well break connections incoming to red in the process.
Whatās the whole point of connecting via IPSec from a host on blue?
Just testing. I can easily test my iPhone IPsec via cellular (LTE), but I donāt have a way to test my iMac or MacBook via IPsec. So the hope was do a VPN from blue to green.
No other reasonā¦
@jon
In /network preferences/server address/ did you put a DNS entry or an IP address (such as 192.168.65.1)? I put an IP address to keep the traffic inside the LAN because if I put the DNS entry for my server, it does not take the private address but the public one. If it goes through the WAN side it doesnāt work and I see logs like the one you have shown.
It works. I did this to restrict all the traffic from the blue zone with a firewall rule. If I VPN, then I get an IP in the green network and I can get to the WAN side. Not that I need to do it, but I wanted to see if I could add an extra layer of protection on the WIFI. Apparently, it is possible.