When the Windows client (10) connects to the StrongSwan server, the server's internet IP is lost

[TelDragon]

My server configuration

The internet IP of the server is 222.222.222.222 (demo)

connections {
    swanctl_Server1_EAP {
        version = 2
        proposals = default,3des-modp1024-prfsha1-sha1,aes128-sha256-x25519
        unique = never
        pools = Private_Network_1
        send_certreq = yes
        send_cert = always
        local {
            auth = pubkey
            certs = IPSecServerCert.pem
            id = ipsec.xxx.xx.cn
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            swanctl_Server1_EAP {
                start_action = start
                dpd_action = restart
                local_ts  = 172.17.62.0/24,192.168.0.0/24,192.168.1.0/24
                remote_ts = 0.0.0.0/0
                updown = /usr/local/strongswan/libexec/ipsec/_updown iptables
                esp_proposals = default,3des-modp1024-prfsha1-sha1,aes128-sha256-x25519
            }
        }
    }
}

pools {
    Private_Network_1 {
        addrs = 51.51.51.0/24
    }
}

secrets {

   eap-ct_Cloud {
      id = ct_Cloud
      secret = ******
   }
}

I have two Linux clients in two regions that can connect normally and use their connection pools.
Can ping the private network address and internet of the communication server

But once I connect to Windows.
The server's internet is like losing it. Others are unable to ping this IP properly.

When the Windows client is not connected. Anyone, including my Linux client, can ping normally 222.222.222.222

After Windows client authentication and login, no one, including my Linux client, can ping 222.222.222.222
I feel like it has nothing to do with my Windows client routing（Whether executed or not）

Remove-VpnConnectionRoute -ConnectionName "ipsec.xxx.xx.cn" -DestinationPrefix 172.17.62.0/24 -PassThru


DestinationPrefix : 172.17.62.0/24
InterfaceIndex    :
InterfaceAlias    : ipsec.xxx.xx.cn
AddressFamily     : IPv4
NextHop           : 0.0.0.0
Publish           : 0
RouteMetric       : 1
PolicyStore       :

The problem may occur on the traffic selector of the server configuration

I am very confused.

[tobiasbrunner]

remote_ts = 0.0.0.0/0

Don't configure this when assigning virtual IPs from a pool, just keep it to the default (dynamic).

[tobiasbrunner]

No, EAP-Identity != IKE Identity. And you can't match on the EAP-Identity without a workaround (see e.g. #1326).

[TelDragon]

Sorry. I got confused.

https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html

default

id = %any

IKE identity to expect for authentication round. Refer to the id keyword of the [local](https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_local) section for details. When using certificate-based authentication, the IKE identity must be contained in the certificate, either as the subject DN or as a subjectAltName. It’s possible to use wildcards to match remote identities (e.g. *@strongswan.org, *.strongswan.org or "C=CH, O=strongSwan, CN=*"). Connections with exact matches are preferred. When using DNs with wildcards, the charon.rdn_matching option in [strongswan.conf](https://docs.strongswan.org/docs/5.9/config/strongswanConf.html) specifies how Relative Distinguished Names (RDNs) are matched

meanwhile

eap_id = id

Identity to use as peer identity during EAP authentication. If set to %any the EAP-Identity method will be used to ask the client for an EAP identity

I might be doing this

remote {
            auth = eap-mschapv2
            eap_id = %any
            id = ct_Cloud1
        }

[TelDragon]

How can the same connection match authentication with multiple IDs? I only allow a certain number of IDs to be connected to a specific license, not just one ID.

Can it be like this?

remote {
            auth = eap-mschapv2
            eap_id = %any
            id = ct_Cloud1,ct_Cloud2,ct_Cloud3
        }

Can it be like this?

remote {
            auth = eap-mschapv2
            eap_id = %any
            id = ct_Cloud1 ct_Cloud2 ct_Cloud3
        }

[tobiasbrunner]

You can only match multiple identities via wildcards (e.g. *@strongswan.org). And it will only work if clients actually send useful IKE identities (e.g. Windows doesn't if EAP authentication is used, it just sends the private IP address). Matching the server identity has a similar issue as some clients don't send a remote identity (again, Windows is one of them, strongSwan's Android client as well, by default). But either might be OK, if you want to use one of the connections only for very specific clients (that can send a proper local or remote IKE identity), and the other connection (that hasn't configured any specific local or remote identity) is the fallback for all other clients. And as mentioned above, you could match on the EAP-Identity, you just have to use the workaround via dummy connection.

[TelDragon]

Indeed, I have also noticed this issue. Windows clients do not send valid ID identifiers. Its identifier is just a combination of the client's IP address and the user. EAP: 'ct-Cloud2' [51.51.51.3]

This forces me to use multiple connections to implement it