Support for Android with official strongSwan VPN Client, iOS and Windows tested.
For security, a valid (sub)domain and a valid SSL certificate for it are needed.
- Install strongswan, and if openvz, also install the kernel-libipsec plugin for strongswan
- In /etc/strongswan/strongswan.conf, append the following lines after load_modular = yes
1234dns1 = 220.127.116.11dns1 = 18.104.22.168nbns1 = 22.214.171.124nbns1 = 126.96.36.199
- In /etc/strongswan/ipsec.secrets, append “: RSA server.pem” (without quote) and youruser : EAP “yourpass” (with quote)
- In /etc/strongswan/ipsec.conf, add the following connection
/etc/strongswan/ipsec.conf1234567891011121314151617181920config setupuniqueids=neverconn connectionkeyexchange=ikev2ike=aes256-sha256-ecp256,aes256-sha256-modp1024!rekey=yesleft=%defaultrouteleftid=your.cert.hostleftsendcert=alwaysleftsubnet=0.0.0.0/0leftcert=server.cert.pemright=%anyrightauth=eap-mschapv2rightsourceip=10.8.128.0/24rightsendcert=nevereap_identity=%anydpdaction=clearfragmentation=yesauto=add
- Copy server.cert.pem (without ca-bundle or intermediate certificates, to deal with, plesae visit strongSwan Notes) and server.pem to corresponding directories in /etc/strongswan/ipsec.d
- Start strongswan
- Config iptables as needed
- Config client as needed
- When adding a server, always input the valid (sub)domain other than the server IP.
- When using a wildcard certificate, leftid (remoteid) should always be the root domain.