• PFS falsely reporting IPsec status

    1
    0 Votes
    1 Posts
    611 Views
    No one has replied
  • Lan to hosts VPN

    1
    0 Votes
    1 Posts
    759 Views
    No one has replied
  • Road warriors with specific IP and rules

    4
    0 Votes
    4 Posts
    1k Views
    jimp

    There are not currently any methods of making "multiple" groups of IPsec users, nor any way of assigning them IPs from separate pools from the server.

    So you would need OpenVPN for that sort of scenario.

  • Mobile IPsec traffic blocked by pfSense

    1
    0 Votes
    1 Posts
    661 Views
    No one has replied
  • IPSec Traffic Issue/Question

    4
    0 Votes
    4 Posts
    1k Views
    D

    After working closely with the other end, we were able to get a tunnel going by not using NAT.  Once we removed that, and changed their configuration accordingly, the tunnel came up.

    The only problem now is that only their end can bring the tunnel up.  Whenever my end tries to initiate the tunnel, it gives Phase2 errors.  The wonderful "NO PROPOSAL CHOSEN" error ID.

    Would anyone know what I'm doing wrong in this situation?  I have confirmed on their end that the tunnel is configured as Bidirectional, and should be able to be brought up from either end.

    Not sure if it matters, but I am connecting this tunnel to a Cisco ASA.

    Thanks,
    Daryl

  • Any way to manually create multiple Mobile IPSEC configs outside the GUI?

    2
    0 Votes
    2 Posts
    709 Views
    H

    I haven't done this yet, but in theory it should be possible. So far I have had no time to get deeper into this topic. I think racoon is capable of this and can realize this.

    Just a thought:
    Take a look into the racoon.conf and search for the part with your current mobile client configuration. Duplicate it and modify the corresponding config.

    Problem:
    Restarting racoon ends up in the "gui"-configuration (at least for my last test with modifying by hand).

    For persistent changes, the Filer package could be an option?!

  • Pfsense as secondary firewall for hardware firewall

    1
    0 Votes
    1 Posts
    661 Views
    No one has replied
  • IPsec Mutual RSA

    3
    0 Votes
    3 Posts
    3k Views
    M

    Dear doktornotor,

    Thank you very much, that did it! I did rebuild the certificates so that the "O" field does not contain a space to avoid that facet of complexity and then things did just work fine.

    Regards,

    Michael

  • Cannot get domain override to work

    2
    0 Votes
    2 Posts
    773 Views
    jimp

    For a domain override, the IP address you give is a remote DNS server that will respond with the correct IPs for items inside of that domain.

    If that is across a VPN, especially IPsec, you may also need to fill in the source address box for the domain override as your LAN IP.

  • Ipsec opt1 wan up but no traffic

    2
    0 Votes
    2 Posts
    988 Views
    A

    Could anyone help??

  • PFSense 2.1 IPSEC disconnected after some time

    3
    0 Votes
    3 Posts
    3k Views
    C

    This is broken again in 2.1.2

  • IPSEC tunnel to Cisco ASA 5510 won't work

    3
    0 Votes
    3 Posts
    2k Views
    E

    What about the proxy-id (encryption domain)?
    Cisco products check for the presence of the proxy ID, unlike other vendors such as Fortinet or Juniper.
    Could you post your Phase 2 entries?

  • How Can I create 2 Mobile Client ipsec profiles

    11
    0 Votes
    11 Posts
    2k Views
    J

    @opalit:

    As it happens I have downloaded that one.

    When I did a search on OpenVPN in the app store, dozens came up.

    Most were probably vendor-specific.  There's a lot of VPN providers who made their own app.  You can only use those with that particular vendor.

  • Vpn pfsense to draytek router

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IKEv2, what would it take to get this?

    3
    0 Votes
    3 Posts
    1k Views
    J

    Hooray!

  • Is VPN broken in 2.1

    8
    0 Votes
    8 Posts
    2k Views
    D

    So, like… how about posting the contents of /var/etc/ipsec/racoon.conf file?

  • MOVED: IPSEC DOES NOT ALLOW CONNECTIONS FOR SUBNETS

    Locked
    1
    0 Votes
    1 Posts
    584 Views
    No one has replied
  • IPsec passthrough not working with Xbox One

    3
    0 Votes
    3 Posts
    3k Views
    P

    I have been having the same problem. When I just connect my Netgear router, all works well.

  • Multiple subnets/identifiers with Mobile IPSEC?

    4
    0 Votes
    4 Posts
    1k Views
    jimp

    None of that really applies to Mobile. There isn't a way in IPsec currently to restrict access for a given IP/PSK in the way you're after.

    If this is for site to site, use individual tunnels, not mobile.

    If it's for mobile clients, the Phase 2 entries are only really used if you check the box to supply a list of networks to the client, and then only if they obey that list. Mobile setups let the client specify what they want to send; the server can't really restrict that (except with firewall rules).

  • Identical subnets on client side

    3
    0 Votes
    3 Posts
    934 Views
    H

    Thank you dotdash! It didn't cross my mind that I could set the source subnet (our side) to the customer's server (/32) instead of the subnet. And I will have a look at NAT too.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.