My ipsec configuration
/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
conn myvpn
    auto=add
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=$VPN_SERVER_IP
    ike=aes128-sha1-modp2048
    esp=aes128-sha1
/etc/xl2tpd/xl2tpd.conf
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name "$VPN_USER"
password "$VPN_PASSWORD"
StrongSwan VPN connection
initiating Main Mode IKE_SA myvpn[1] to 10.4.2.4
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (240 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (372 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (108 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myvpn[1] established between 10.4.1.4[10.4.1.4]...10.4.2.4[10.4.2.4]
scheduling reauthentication in 9925s
maximum IKE_SA lifetime 10465s
generating QUICK_MODE request 310716818 [ HASH SA No ID ID ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (220 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (172 bytes)
parsed QUICK_MODE response 310716818 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA myvpn{1} established with SPIs c11429dc_i c53fee9d_o and TS 10.4.1.4/32[udp/l2f] === 10.4.2.4/32[udp/l2f]
generating QUICK_MODE request 310716818 [ HASH ]
connection 'myvpn' established successfully
The netplan of the client system that will connect to the VPN Server
network:
  version: 2
  renderer: networkd
  ethernets:
    enx7cc2c642ce1f:
      addresses:
        - 10.4.1.4/16
      routes:
        - to: 0.0.0.0
          via: 10.4.1.1
      nameservers:
        addresses:
          - 10.4.1.1
    eno1:
      addresses:
        - 10.1.1.231/24
      routes:
        - to: 0.0.0.0
          via: 10.1.1.251
      nameservers:
        addresses:
          - 10.1.1.23
          - 10.1.1.22
    enx7cc2c6436994:
      dhcp4: false
      addresses:
        - 10.2.1.1/16
  vlans:
    vlan.401:
      id: 401
      dhcp4: false
      addresses:
        - 10.4.1.1/15
      link: enx7cc2c6436994
    vlan.601:
      id: 601
      dhcp4: false
      addresses:
        - 10.6.1.1/16
      link: enx7cc2c6436994
The ip routes present on the system
0.0.0.0 via 10.4.1.1 dev enx7cc2c642ce1f proto static
0.0.0.0 via 10.1.1.251 dev eno1 proto static
default via 10.1.1.251 dev eno1 proto dhcp src 10.1.1.101 metric 100
10.1.1.0/24 dev eno1 proto kernel scope link src 10.1.1.231
10.1.1.22 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.23 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.251 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
blackhole 10.1.48.64/26 proto 80
10.1.48.93 dev cali0327d21449c scope link
10.2.0.0/16 dev enx7cc2c6436994 proto kernel scope link src 10.2.1.1
10.4.0.0/16 dev enx7cc2c642ce1f proto kernel scope link src 10.4.1.4
10.4.0.0/15 dev vlan.401 proto kernel scope link src 10.4.1.1
10.6.0.0/16 dev vlan.601 proto kernel scope link src 10.6.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
I added the following route to access devices on subnet 10.5.0.0/16, which is running behind the VPN server.
Note: I am able to ping the devices from the VPN server.
ip route add to 10.5.0.0/16 via 10.4.1.1 dev enx7cc2c642ce1f
However, I am still unable to ping any devices running on the 10.5.0.0/16 subnet.
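An added diagnostic, not part of the original post: it runs a kernel-style longest-prefix lookup over the route table shown above (abridged, with the added 10.5.0.0/16 route included) and checks whether a given flow falls inside the traffic selectors of the CHILD_SA reported in the strongSwan log, so one can tell which interface a packet leaves on and whether IPsec would actually protect it. The table and selectors are copied from the post; the ppp interface created by xl2tpd is not named in the post, so it is simply absent from the table.

```python
import ipaddress

# Route table abridged from the post (`0.0.0.0` without a prefix is a /32 host
# route, as `ip route` prints it; `default` is 0.0.0.0/0). The route added for
# 10.5.0.0/16 is last. No ppp interface appears anywhere in the table.
ROUTE_TABLE = """
0.0.0.0 via 10.4.1.1 dev enx7cc2c642ce1f proto static
default via 10.1.1.251 dev eno1 proto dhcp src 10.1.1.101 metric 100
10.1.1.0/24 dev eno1 proto kernel scope link src 10.1.1.231
10.4.0.0/16 dev enx7cc2c642ce1f proto kernel scope link src 10.4.1.4
10.4.0.0/15 dev vlan.401 proto kernel scope link src 10.4.1.1
10.5.0.0/16 via 10.4.1.1 dev enx7cc2c642ce1f
"""
# Traffic selectors of the CHILD_SA in the strongSwan log: the transport-mode SA
# covers only UDP/1701 (l2f) between the two IKE endpoints, nothing else.
CHILD_SA_TS = {"src": "10.4.1.4/32", "dst": "10.4.2.4/32", "proto": "udp", "port": 1701}

def parse_routes(text):
    """Parse `ip route` output into dicts: dst network, via, dev, src, metric."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        r = {"dst": ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0]),
             "via": None, "dev": None, "src": None, "metric": 0}
        for i, tok in enumerate(f[1:], 1):
            if tok in ("via", "dev", "src", "metric"):
                r[tok] = f[i + 1]
        r["metric"] = int(r["metric"])
        routes.append(r)
    return routes

def lookup(routes, dst_ip):
    """Longest-prefix match; lowest metric wins a tie (kernel FIB semantics)."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if ip in r["dst"]]
    return max(hits, key=lambda r: (r["dst"].prefixlen, -r["metric"]), default=None)

def ipsec_protected(ts, src_ip, dst_ip, proto, dport):
    """True only if the flow lies inside the CHILD_SA traffic selectors."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(ts["src"])
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(ts["dst"])
            and proto == ts["proto"] and dport == ts["port"])

def diagnose(dst_ip, proto="icmp", dport=None):
    """Which interface carries a flow to dst_ip, and would IPsec protect it?
    Source address: the route's own src, else that of the connected route on the same dev."""
    routes = parse_routes(ROUTE_TABLE)
    r = lookup(routes, dst_ip)
    src = r["src"] or next(x["src"] for x in routes if x["dev"] == r["dev"] and x["src"])
    return {"dev": r["dev"], "via": r["via"], "src": src,
            "protected": ipsec_protected(CHILD_SA_TS, src, dst_ip, proto, dport)}
```

For a ping to 10.5.0.7 the result is the physical interface enx7cc2c642ce1f with next hop 10.4.1.1 and `protected: False`, while only the L2TP control flow itself (10.4.1.4 to 10.4.2.4, UDP/1701) matches the selectors.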