I got an Ubuntu VPN up and running with my Android phone before, but I wanted it to work with my Rocky 9.2 install, and now it works. Server conf:
conn roadwarriors
    ikev2=insist
    fragmentation=yes
    left=%any
    leftsubnet=192.168.0.0/21
    leftcert="IPsec client cjp"
    leftid=%fromcert
    right=192.168.2.72
    # trust our own Certificate Agency
    rightca=%same
    # pick an IP address pool to assign to remote users
    rightaddresspool=192.168.4.1-192.168.4.20
    # if you want remote clients to use some local DNS zones and servers
    modecfgdns="192.168.0.220, 192.168.0.1"
    modecfgdomains="incandescent.tech"
    rightcert="IPsec server cert"
    authby=rsasig
    auto=add
    # kill vanished roadwarriors
    dpddelay=1m
    dpdtimeout=5m
    dpdaction=clear
I’ve imported the CA, the server cert and the client cert:
ipsec import dualca.p12
ipsec import ipsecserver.p12
ipsec import cjpipsec.p12
[root@runner02 ~]# ipsec trafficstatus
006 #3: "roadwarriors"[2] 83.191.105.10, type=ESP, add_time=1698601747, inBytes=0, outBytes=0, maxBytes=2^63B, id='CN=cjp', lease=192.168.4.1/32
I can’t get forwarding to work on the server end, though, like I could with Ubuntu. I tried debugging it with my Ubuntu machine on Vultr, but the two just would not communicate, and my Ubuntu host gave no response to ipsec listcerts. Anyway, this seems to work with RHEL now:
conn roadwarriors
    ikev2=insist
    # support (roaming) MOBIKE clients (RFC 4555)
    #mobike=yes
    fragmentation=yes
    left=%any
    # if access to the LAN is given, enable this, otherwise use 0.0.0.0/0
    leftsubnet=192.168.0.0/21
    leftcert="IPsec client cjp"
    #leftcert="IPsec server cert"
    leftid=%fromcert
    #leftxauthserver=yes
    #leftmodecfgserver=yes
    right=192.168.2.72
    # trust our own Certificate Agency
    rightca=%same
    # pick an IP address pool to assign to remote users
    rightaddresspool=192.168.9.1-192.168.9.20
    # if you want remote clients to use some local DNS zones and servers
    modecfgdns="192.168.0.220, 192.168.0.1"
    modecfgdomains="incandescent.tech"
    #rightxauthclient=yes
    #rightmodecfgclient=yes
    rightcert="IPsec server cert"
    rightsubnet=192.168.0.0/21
    authby=rsasig
    # optionally, run the client X.509 ID through pam to allow or deny client
    # pam-authorize=yes
    # load connection, do not initiate
    auto=add
    # kill vanished roadwarriors
    dpddelay=1m
    dpdtimeout=5m
    dpdaction=clear
So we have to set rightsubnet for some reason. I intend to look into that tomorrow because I don’t understand that configuration name. BTW, my Android won’t accept redirected routes if they contain a slash. Uhm… Your own example 10.0.0/8 contains a slash, and without it, it isn’t a proper subnet, so… how is that supposed to work? Thankfully, rightsubnet does the work for me, it seems. Oh, the firewall rules I’ve added:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-I FORWARD --match policy --pol ipsec --dir in --proto esp -s 192.168.9.0/26 -j ACCEPT
-I FORWARD --match policy --pol ipsec --dir out --proto esp -d 192.168.9.0/26 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-I POSTROUTING -s 192.168.9.0/26 -o ens18 -m policy --pol ipsec --dir out -j ACCEPT
-I POSTROUTING -s 192.168.9.0/26 -o ens18 -j MASQUERADE
COMMIT
*mangle
-I FORWARD --match policy --pol ipsec --dir in -s 192.168.9.0/26 -o ens18 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
Note that we do NOT want -A because that adds the rules to the end of the existing sets. I use iptables-restore -n FILENAME to read these rules in. I’d better check tomorrow that I can read these extra rules in on boot. Then I can keep Ubuntu for Galera only.
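One thing worth checking whenever the pool moves (it went from 192.168.4.x in the first conf to 192.168.9.x in the second, while the firewall file names 192.168.9.0/26) is that the rightaddresspool actually lies inside every network the FORWARD and MASQUERADE rules match on; otherwise the tunnel comes up, the phone gets a lease, and nothing is forwarded. The script below is an added example, not code from the post above or from libreswan: it parses a conn snippet and an iptables-restore file, both constructed inline from the text above, and reports whether each -s/-d network covers the pool. The variable names, function names and sample texts are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the libreswan
# rightaddresspool against the -s/-d networks in an iptables-restore file, so
# the pool handed out to roadwarriors is the one the FORWARD/MASQUERADE rules
# actually cover. Runs in POSIX sh (dash) or bash; needs sed, grep, awk, sort, tr.

# Constructed samples: a trimmed conn from the second config above and the
# three rules from the posted iptables file that name the pool network.
SAMPLE_CONF='conn roadwarriors
    rightaddresspool=192.168.9.1-192.168.9.20
    rightsubnet=192.168.0.0/21'

# The first config handed out 192.168.4.x, which those rules would not match.
OLD_CONF='conn roadwarriors
    rightaddresspool=192.168.4.1-192.168.4.20'

SAMPLE_RULES='-I FORWARD --match policy --pol ipsec --dir in --proto esp -s 192.168.9.0/26 -j ACCEPT
-I FORWARD --match policy --pol ipsec --dir out --proto esp -d 192.168.9.0/26 -j ACCEPT
-I POSTROUTING -s 192.168.9.0/26 -o ens18 -j MASQUERADE'

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS IP -> true if IP lies inside NET/BITS (a bare IP is /32)
cidr_contains() {
    case $1 in */*) ;; *) set -- "$1/32" "$2" ;; esac
    net=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# pool_within_cidr LOW-HIGH NET/BITS -> true if the whole pool range is inside
# the network; both are contiguous, so checking the two ends is sufficient
pool_within_cidr() {
    lo=${1%-*}; hi=${1#*-}
    cidr_contains "$2" "$lo" && cidr_contains "$2" "$hi"
}

# check_pool_against_rules CONF_TEXT RULES_TEXT
# Extracts rightaddresspool from the conf and every "-s X" / "-d X" network
# from the rules; returns 0 if each network covers the pool, 1 if any does not,
# 2 if the conf has no pool at all.
check_pool_against_rules() {
    pool=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*rightaddresspool=//p' | head -n 1)
    [ -n "$pool" ] || { echo "no rightaddresspool in conf" >&2; return 2; }
    rc=0
    for cidr in $(printf '%s\n' "$2" | grep -oE -- '(-s|-d) [0-9./]+' | awk '{print $2}' | sort -u); do
        if pool_within_cidr "$pool" "$cidr"; then
            echo "ok: pool $pool is inside $cidr"
        else
            echo "MISMATCH: pool $pool is not inside $cidr"
            rc=1
        fi
    done
    return $rc
}

check_pool_against_rules "$SAMPLE_CONF" "$SAMPLE_RULES"
check_pool_against_rules "$OLD_CONF" "$SAMPLE_RULES" || echo "the 192.168.4.x pool would never be forwarded by these rules"
```

On a live box, replace the two sample strings with `$(cat /etc/ipsec.d/roadwarriors.conf)` and `$(cat FILENAME)` (the file fed to iptables-restore -n) and run it before loading the rules. Note that because the file uses -I, each rule is inserted at the head of its chain, so rules listed later in the file end up above earlier ones; the check above does not depend on order, but anything that does (an ACCEPT meant to shadow a MASQUERADE) needs to be listed in reverse.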