I have downloaded the official instructions on how to set up "IPsec Roaming Clients with Pre-shared Keys". Doesn't seem too hard IMHO... but it does not work with my DFL-800. The problem is with the IPSec Tunnel. The instructions are:
- Set Local Network to lannet.
- Set Remote Network to all-nets.
- Set Remote Gateway to all-nets.
- Set Encapsulation mode to Tunnel.
- Set the IKE and IPsec proposal lists to match the capabilities of the clients.
No routes can be predefined, so the option Dynamically add route to the remote network when tunnel established should be enabled for the tunnel object.
- Enable the option Require IKE XAuth user authentication for inbound IPsec tunnels.
This will enable a search for the first matching XAUTH rule in the authentication rules.
If I set "Remote Network" to "all-nets", a route is added to my routing table: destination interface is the IPSec Tunnel, network is 0.0.0.0/0 and metric is 90. As 90 is smaller than 100 (default WAN route), as soon as I store the config, I'm cut off from my WAN. I cannot get out on the Internet at all any longer. I can establish a VPN connection and also access LAN hosts, but no LAN host can go out on the Internet any longer. Probably because the gateway now tries to route all traffic that has no more specific route over the VPN tunnel (whether this one is up or not).
If I change my WAN interface configuration to give the default WAN route a metric of 50, it will win against the VPN route, and I have WAN access again. However, when I connect via VPN, the connection comes up fine, but I can no longer access any LAN host over this tunnel.
If I don't use all-nets as Remote Network, but instead some fixed IP, like 172.16.0.1, and the VPN client uses this as its local IP, I have both WAN access for LAN hosts and a VPN tunnel through which I can access LAN hosts. The problem with that setup is that I cannot use the Mode Config feature (to have IPs assigned from an Address Pool) and also I must create one IPSec Tunnel per VPN user (instead of sharing one tunnel among multiple users).
I don't get it. How can the official instructions on how to do it cut users off from the WAN? Has anyone at D-Link actually ever tested their own instructions? And yes, I have the very latest (official) firmware installed (I had an older one before, same behavior, but I thought maybe the issue was fixed). And yes, I have "Dynamically add route to the remote network when tunnel established" checked as the instructions say, but this option makes no difference. The annoying route is created anyway, whether this is checked or not, and I'm cut off from the WAN if it is created, whether it is checked or not.
This is really annoying, not to say depressing. I really know IP networking very well and the bug is that this stupid route is created at all. There should be no route created to begin with if I select the "dynamic" option. And only if a VPN user connects should a route be created, to the single IP of this user only (no matter if he has this IP statically or dynamically via Mode Config), and this route must have a smaller metric than the default WAN route of course, otherwise reply traffic wouldn't go back over the VPN.
Anyone ever got such a setup working? I can provide screenshots and other configuration if requested and helpful. Thanks to anyone who may be able to offer some help.
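The route-selection behaviour the post describes can be reproduced with a small model of the forwarding decision (longest prefix match first, lowest metric as the tie-break). The following is an added example, not code from the post or from D-Link; the LAN prefix 192.168.1.0/24 and the Internet destination 203.0.113.10 are assumed values, while 172.16.0.1 and the metrics 50, 90 and 100 come from the post. It builds the three routing tables the poster tried and shows, for each, where Internet-bound traffic and reply traffic to the VPN client would be sent.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    iface: str
    metric: int


def route(network: str, iface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(network), iface, metric)


def lookup(table: list[Route], dst: str):
    """Forwarding decision: longest prefix wins, then the lowest metric.

    Returns the egress interface name, or None if no route covers dst.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.iface


# Assumed/constructed values (not taken from the poster's configuration).
LANNET = "192.168.1.0/24"        # assumed lannet
INTERNET_HOST = "203.0.113.10"   # constructed TEST-NET-3 address
CLIENT = "172.16.0.1"            # fixed client address mentioned in the post


def as_documented() -> list[Route]:
    """Remote Network = all-nets: the device adds 0.0.0.0/0 via the tunnel, metric 90."""
    return [
        route(LANNET, "lan", 0),
        route("0.0.0.0/0", "wan", 100),
        route("0.0.0.0/0", "ipsec_tunnel", 90),
    ]


def wan_metric_lowered() -> list[Route]:
    """Workaround 1: default WAN route metric lowered to 50."""
    return [
        route(LANNET, "lan", 0),
        route("0.0.0.0/0", "wan", 50),
        route("0.0.0.0/0", "ipsec_tunnel", 90),
    ]


def per_client_route() -> list[Route]:
    """Workaround 2: a host route for the single client address via the tunnel."""
    return [
        route(LANNET, "lan", 0),
        route("0.0.0.0/0", "wan", 100),
        route(CLIENT + "/32", "ipsec_tunnel", 90),
    ]


def check(table: list[Route]) -> dict:
    """Where does Internet traffic go, and where do replies to the VPN client go?"""
    return {
        "internet": lookup(table, INTERNET_HOST),
        "vpn_client": lookup(table, CLIENT),
    }


if __name__ == "__main__":
    for name, table in [("as documented", as_documented()),
                        ("WAN metric 50", wan_metric_lowered()),
                        ("per-client /32", per_client_route())]:
        print(f"{name:15s} -> {check(table)}")
```

The first table sends everything without a more specific route into the tunnel, which is the WAN outage described. Lowering the WAN metric fixes Internet access but also sends replies destined for the VPN client out the WAN interface, matching the loss of LAN access over the tunnel. Only the host route for the client address gives the expected result for both destinations, which is why the per-tunnel fixed IP works and why the poster expects the "dynamic" option to add exactly such a route when a client connects.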