Need advice for IPsec IKEv2 settings
Hi all,
sorry for this long message :-)
I have been able to set up either L2TP or OpenVPN client-to-LAN access to my home network, but I am still not able to set up an IPsec IKEv2 policy for client-to-LAN access. And I would like to use IKEv2, considering IKEv2 is described as more secure than the IKEv1 used in L2TP/IPsec access, and because I would like to avoid needing to install a dedicated application such as OpenVPN Connect to connect.
My setup is the following: my ISP-provided gateway is on local segment 192.168.1.x, to which my ER605 router is connected:
- ISP gateway = 192.168.1.1
- ER605 router (WAN side) = 192.168.1.2 (set as a static address)
- a route is defined on my ISP gateway to give access to the 192.168.0.0 network through my router (192.168.1.2)
Note: the DHCP of the ISP gateway is off.
The LAN managed by the router is defined as follows:
- ER605 Router (LAN side) = 192.168.0.1
- Subnet 255.255.255.0
- DHCP distributing IP addresses between 192.168.0.130 and 192.168.0.135 (I have very few unknown devices which may connect to my network at the same time)
- Numerous static addresses defined between 192.168.0.2 and 192.168.100, for well-identified equipment
As I only want to be able to connect to my LAN from remote PCs or smartphones with an IKEv2 IPsec policy, I am trying to set up an adequate client-to-LAN policy, but can't manage to do it. Here are my questions; many thanks if you can help me:
1 - For Remote Host, I still have doubts about what to put: I tried 0.0.0.0, considering the remote devices I will use to connect to my LAN will have varying IP addresses, but I'm not 100% sure that this setting corresponds to the possible client IP addresses, just because of the word "Host". Shall I keep 0.0.0.0? I also tried my domain name because of this word "Host", but with no more success in my various attempts.
2 - For Local subnet, I also still have doubts:
- my first idea was to put 192.168.0.0/24, which is the mask of my LAN,
- but I saw that when I had successfully set up an L2TP access (which had automatically set an IPsec policy), it had defined 192.168.1.2/32 as the local subnet. Honestly, I don't really understand this. Of course I also tried that when setting up my own IPsec policy, but with no success.
- What would you recommend for that ?
3 - In the advanced settings section (which allows choosing IKEv2), I also have doubts about the choice of Negotiation mode (initiator or responder). I thought "responder" was suited to my need, but I'm not sure, and the information provided in the router standalone menu is confusing, as it says the same thing for both initiator and responder modes: "The local device initiates a connection to the peer."
4 - For the IP address pool, I would like to be able to define an IP address range on the 192.168.0.x segment, in order to avoid problems when connecting to other equipment on the LAN (and since firmware 1.2.0, when configuring an OpenVPN or L2TP/IPsec access, it is possible to define an IP address pool on the same segment as the router LAN port, which helped me solve connection issues with some LAN equipment when I previously had to use a different segment). But when I try to do so (for example 192.168.0.192/27, which worked for OpenVPN), it tells me:
- either "The IP pool subnet and the local subnet should not be in the same network segment", if I have defined 192.168.0.1/24 as the local subnet,
- or "The IP pool subnet and the IP address of the LAN port should not be in the same network segment", if I have defined 192.168.1.2/32 as the local subnet (as automatically defined when using L2TP/IPsec VPN access),
=> So I'm a bit lost on this setting too... If you have any advice, thanks a lot.
5 - For Local and Remote IDs, I tried to keep the default "IP Address" setting, but I have doubts because when trying to add an IKEv2 VPN configuration on my iPhone, it requests at least a Remote ID name. So I'm not sure if I can leave it at the "IP Address" default setting. Is it possible, or should I define some names?
And I didn't investigate the other settings such as encryption methods, because I first want to make it work "basically"... but I'm already struggling a little :-)
Again, sorry for this long message... I hope that my questions were clear enough, and many thanks if you can help me !
Best regards,
Benjamin