
Nov 22, 2017 - 1 minute read

Strongswan VPN setup

Road-warrior IKEv2 VPN setup using strongSwan: the server authenticates with an X.509 certificate (here from Let's Encrypt) and clients authenticate with a username and password over EAP-MSCHAPv2.

Server Configuration

/etc/ipsec.conf

config setup
  # Reject a certificate when no fresh CRL for it is available. Clients in
  # this setup authenticate via EAP rather than certificates, so the effect
  # here is limited to whatever certificate chains the daemon does validate —
  # TODO confirm a CRL is reachable, otherwise validation fails closed.
  strictcrlpolicy=yes
  # Let the same identity hold several IKE_SAs at once, so one EAP user can
  # be connected from more than one device without the newer connection
  # replacing the older one.
  uniqueids=never
conn roadwarrior
  # Load the connection but do not initiate: road-warrior clients connect to us.
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  # IKE fragmentation and forced UDP encapsulation help clients behind NAT and
  # on networks that drop large UDP packets or raw ESP.
  fragmentation=yes
  forceencaps=yes
  # The trailing '!' makes the proposal strict: only the listed suites are
  # accepted. The first IKE suite (AES-256-GCM, ECP-521) is the single suite
  # the client configuration in this post pins.
  ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
  esp=aes256gcm16-sha256!
  # Dead-peer detection: probe every 180s and clear the SAs of a silent peer.
  dpdaction=clear
  dpddelay=180s
  # The server never initiates rekeying; it relies on the client to rekey
  # (the client config sets ikelifetime/keylife) — NOTE(review): confirm this
  # is intended, a client that never rekeys keeps the same keys indefinitely.
  rekey=no
  left=%any
  # Identity the server asserts. It must be covered by a SAN in cert.pem and
  # match the rightid the client expects.
  leftid=@yourVpnServerName.example.com
  # Server certificate, read from /etc/ipsec.d/certs, and always sent to the
  # client. NOTE(review): if cert.pem holds only the leaf, the Let's Encrypt
  # intermediate presumably has to be available (e.g. /etc/ipsec.d/cacerts)
  # for clients to build a trusted chain — confirm.
  leftcert=cert.pem
  leftsendcert=always
  # Full tunnel: clients send all IPv4 traffic through the VPN.
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  # Clients authenticate with a username/password via EAP-MSCHAPv2. The
  # MS-CHAPv2 challenge/response is weak by itself (an attacker who captures
  # it can brute-force the password hash offline), so the security of this
  # setup rests on clients verifying the server certificate before they start
  # the EAP exchange. Never let clients disable server certificate validation.
  rightauth=eap-mschapv2
  eap_identity=%any
  # DNS resolvers pushed to clients (Google Public DNS here); choose per your
  # privacy policy.
  rightdns=8.8.8.8,8.8.4.4
  # Virtual IP pools the server assigns client addresses from. The IPv6 pool
  # appears to be a 6to4 prefix (2002::/16) derived from one specific IPv4
  # address — use a prefix you actually own instead of copying this one.
  rightsourceip=10.42.42.0/24,2002:25f7:7489:3::/112
  # No client certificate is involved; authentication is EAP only. TODO confirm
  # the exact effect of this keyword on the remote side for your version.
  rightsendcert=never

`rightsourceip` defines the pools (one IPv4, one IPv6) from which the server assigns a virtual IP address to each connecting client; the client requests such an address with `leftsourceip=%config`.

I tried removing the IPv6 pool from `rightsourceip`, but I could not get the strongSwan app on Android to connect without it.

/etc/ipsec.secrets

# This file contains cleartext credentials: keep it readable by root only
# (mode 0600) and out of backups, images and version control.
# Server private key, read from /etc/ipsec.d/private. strongSwan pairs the key
# with leftcert by its public key; the ID in front of ': RSA' is, as far as I
# recall, not used for that lookup — TODO confirm against ipsec.secrets(5).
yourVpnServerName.example.com : RSA privkey.pem   
# One EAP user: the first selector is the client's EAP identity, '%any' matches
# any server identity. Quote the password ("...") if it contains spaces or
# special characters, and use a long random one — MS-CHAPv2 can be brute-forced
# offline if a client is ever tricked into talking to a rogue server.
username %any : EAP usersPassword

`privkey.pem` is the server's private key, placed in `/etc/ipsec.d/private`; in this case it came from Let's Encrypt, obtained with certbot. Note that certbot renews the certificate roughly every 90 days and by default generates a new private key with it, so the renewed certificate and key have to be copied into `/etc/ipsec.d/` again and strongSwan told to re-read them (e.g. `ipsec rereadall`) — otherwise clients that validate the server certificate will stop connecting once the old one expires.

Client Configuration

/etc/ipsec.conf

# https://github.com/jawj/IKEv2-setup
conn ikev2vpn
        # Rekey the IKE_SA every 60m and the CHILD_SA every 20m (keylife is
        # the older spelling of lifetime), starting 3m before expiry. This
        # client is the one doing the rekeying, since the server sets rekey=no.
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        # Give up after a single failed attempt instead of retrying forever.
        keyingtries=1
        keyexchange=ikev2
        # Strict ('!') single suite; it must be one the server offers — it is
        # the first entry of the server's ike= line in this post.
        ike=aes256gcm16-sha256-ecp521!
        esp=aes256gcm16-sha256!
        # Use the virtual IP the server assigns from its rightsourceip pool.
        leftsourceip=%config
        # We authenticate with username/password. The password lives in this
        # host's /etc/ipsec.secrets, presumably as
        #   yourUserName : EAP "password"
        # — confirm the exact line for your version.
        leftauth=eap-mschapv2
        eap_identity=yourUserName
        right=yourVpnServerName.example.com
        # The server must authenticate with its certificate and present this
        # FQDN as its identity (matched against the certificate's SAN). This
        # check is what protects the MS-CHAPv2 password exchange from a rogue
        # server — never relax rightauth or rightid. The issuing CA chain
        # (Let's Encrypt) must be trusted on this client, e.g. via
        # /etc/ipsec.d/cacerts — TODO confirm where your build looks for it.
        rightauth=pubkey
        rightid=@yourVpnServerName.example.com
        # Full tunnel: route all IPv4 traffic through the VPN.
        rightsubnet=0.0.0.0/0
        auto=add  # or auto=start to bring up automatically

References