IPsec for IKEv2+EAP-MSCHAPv2

Tested with the official strongSwan VPN Client on Android, and with iOS and Windows.

For security, the server needs a valid (sub)domain name and a valid SSL/TLS certificate for that name from a CA the clients trust. In IKEv2 with EAP the server authenticates with its certificate first, and the client only sends its EAP-MSCHAPv2 response once that check has passed; a certificate the client cannot verify (or a client configured to skip the check) exposes the MSCHAPv2 exchange, which is weak on its own, to a rogue server.

The setup:

  1. Install strongSwan; on OpenVZ (or any container without native kernel IPsec), also install the kernel-libipsec plugin for strongSwan, which handles ESP in userspace
  2. In /etc/strongswan/strongswan.conf, append the following lines after load_modular = yes
  3. In /etc/strongswan/ipsec.secrets, append the line : RSA server.pem (without quotes) and the line youruser : EAP "yourpass" (password in double quotes)
  4. In /etc/strongswan/ipsec.conf, add the following connection
  5. Copy server.cert.pem (the server certificate alone, without the CA bundle or intermediate certificates; for how to handle those, please see strongSwan Notes) to /etc/strongswan/ipsec.d/certs and the private key server.pem to /etc/strongswan/ipsec.d/private
  6. Start strongSwan
  7. Configure iptables as needed (UDP 500 and 4500, ESP, forwarding and NAT for the client pool)
  8. Configure the client as needed


  • When adding a server on the client, always enter the valid (sub)domain name, not the server IP, so the name the client checks matches the certificate.
  • When using a wildcard certificate, leftid (the client's remote ID) should always be the root domain.
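The procedure above as one script. This is an added example, not the post's own files: it renders the strongswan.conf, ipsec.conf and ipsec.secrets the steps refer to, installs them under a chosen root (a scratch directory for review, /etc/strongswan on the server), and prints the iptables rules for step 7. The hostname vpn.example.com, the client pool 10.10.10.0/24, the DNS servers, the interface eth0 and the user/password pair are placeholders to replace.

```shell
#!/bin/sh
# Added example (not from the original post). All values below are assumptions.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.example.com}"      # the valid (sub)domain; becomes leftid
CLIENT_POOL="${CLIENT_POOL:-10.10.10.0/24}"  # virtual IPs handed to connecting clients
VPN_USER="${VPN_USER:-alice}"
VPN_PASS="${VPN_PASS:-correct horse battery staple}"
WAN_IF="${WAN_IF:-eth0}"

# Step 2: the lines after load_modular = yes push DNS servers to clients.
render_strongswan_conf() {
    cat <<EOF
charon {
    load_modular = yes
    dns1 = 1.1.1.1
    dns2 = 8.8.8.8
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
EOF
}

# Step 4: the server proves its identity with the certificate (leftauth=pubkey)
# before the client sends its EAP-MSCHAPv2 credentials inside the IKE SA.
render_ipsec_conf() {
    cat <<EOF
config setup
    uniqueids=no

conn ikev2-eap-mschapv2
    auto=add
    keyexchange=ikev2
    fragmentation=yes
    rekey=no
    left=%any
    leftid=@$VPN_FQDN
    leftcert=server.cert.pem
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsourceip=$CLIENT_POOL
    rightdns=1.1.1.1,8.8.8.8
    # the sha1/modp1024 fallback is only for clients that offer nothing
    # stronger; drop it once every client is seen using the first proposal
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
EOF
}

# Step 3: server key line, then one EAP line per user.
render_ipsec_secrets() {
    cat <<EOF
: RSA server.pem
$VPN_USER : EAP "$VPN_PASS"
EOF
}

# Steps 2-5: write the files under $1. Certificates are copied only if present
# in the working directory: the bare server certificate to certs/, the private
# key to private/, an intermediate CA certificate (if any) to cacerts/.
install_config() {
    root="$1"
    mkdir -p "$root/ipsec.d/certs" "$root/ipsec.d/private" "$root/ipsec.d/cacerts"
    render_strongswan_conf > "$root/strongswan.conf"
    render_ipsec_conf > "$root/ipsec.conf"
    ( umask 077; render_ipsec_secrets > "$root/ipsec.secrets" )   # holds passwords
    [ -f server.cert.pem ] && cp server.cert.pem "$root/ipsec.d/certs/"
    [ -f server.pem ] && ( umask 077; cp server.pem "$root/ipsec.d/private/" )
    [ -f intermediate.pem ] && cp intermediate.pem "$root/ipsec.d/cacerts/"
    return 0
}

# Step 7: printed rather than executed so they can be reviewed first. Matching
# on the pool address instead of an interface also covers kernel-libipsec,
# which delivers decrypted traffic through its own TUN device.
render_firewall() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A FORWARD -s $CLIENT_POOL -j ACCEPT
iptables -A FORWARD -d $CLIENT_POOL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $CLIENT_POOL -o $WAN_IF -j MASQUERADE
EOF
}

# On the server, as root: sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
    install_config /etc/strongswan
    render_firewall | sh
    systemctl start strongswan   # step 6
fi
```

Run it without arguments and call install_config with a scratch directory to diff the output against an existing /etc/strongswan before applying; ipsec.secrets is written mode 600 because it carries the EAP passwords in clear.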

Nov 3, 2018 @ 11:13
