Tested with the built-in IKEv2 clients on Windows and iOS 10, and with the strongSwan client app on Android.
For security, the server needs a valid (sub)domain and a valid X.509 (SSL/TLS) certificate issued for that name; clients verify the server against it, so an IP address alone is not enough.
- Install strongswan. On OpenVZ, where the container has no kernel IPsec (xfrm) support, also install the kernel-libipsec plugin so that IPsec is handled in userspace over a TUN device.
- In /etc/strongswan/strongswan.conf, append the following lines inside the charon section, right after load_modular = yes (dns2/nbns2 are the second servers; the original listed both as dns1/nbns1; replace the addresses with the resolvers you actually want to push to clients):

```
half_open_timeout = 300 # workaround for CRL retrieval timeout
dns1 = 22.214.171.124
dns2 = 126.96.36.199
nbns1 = 188.8.131.52
nbns2 = 184.108.40.206
```
- In /etc/strongswan/ipsec.secrets, append the server key reference and one EAP line per user (the password is quoted; keep the file mode 600, since it holds cleartext credentials):

```
: RSA server.pem
youruser : EAP "yourpass"
```
- In /etc/strongswan/ipsec.conf, add the following connection:

```
config setup
    uniqueids=never                 # allow the same user to connect from several devices

conn connection
    keyexchange=ikev2
    ike=aes256-sha256-ecp256,aes256-sha256-modp1024!
    rekey=yes
    left=%defaultroute
    leftid=your.cert.host           # must match the name in the server certificate
    leftsendcert=always
    leftsubnet=0.0.0.0/0            # full tunnel: route all client traffic through the VPN
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.8.128.0/24     # virtual IP pool handed out to clients
    rightsendcert=never             # clients authenticate with EAP, not certificates
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add
```

  Note on the ike= proposal: modp1024 (DH group 2) is there only because the Windows client negotiates it by default; it is weak by current standards. If you can set the RasMan NegotiateDH2048_AES256 registry value on the Windows clients, drop modp1024 from the proposal so only ecp256 remains. The trailing ! makes the proposal strict, so clients that offer nothing in this list are refused.
- Copy server.cert.pem (the server certificate only, without the ca-bundle or intermediate certificates; handling the chain is still work in progress) to /etc/strongswan/ipsec.d/certs and the private key server.pem to /etc/strongswan/ipsec.d/private (mode 600). Intermediate CA certificates, once you deal with them, belong in /etc/strongswan/ipsec.d/cacerts.
- Start strongswan.
- Configure iptables as needed: accept UDP 500 and 4500 inbound, enable IP forwarding, and NAT (MASQUERADE) the client pool 10.8.128.0/24 out of the uplink interface. On OpenVZ with kernel-libipsec the tunnelled traffic arrives on the ipsec0 TUN interface rather than through kernel IPsec policies, so match on that interface instead of on -m policy.
- Configure the client as needed.
- When adding the server on a client, always enter the valid (sub)domain rather than the server IP; otherwise the certificate name check fails.
- When using a wildcard certificate, leftid on the server (the remote ID on the client) should always be the root domain.
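The whole procedure above, written out as a POSIX shell script that lays down the three config files, installs the certificate and key with safe permissions, and prints the firewall rules. This is an added example, not a script from the original page; the host name vpn.example.com, the connection name ikev2-eap, the resolver addresses 10.0.0.53/10.0.0.54, the interface eth0 and the user/password are placeholders, all overridable through environment variables. Nothing is applied unless the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example (not from the original page): strongSwan IKEv2 + EAP-MSCHAPv2 server setup.
# All defaults below are assumptions; override them via the environment.
: "${CONF_ROOT:=/etc/strongswan}"   # config root (RHEL/CentOS package layout)
: "${VPN_HOST:=vpn.example.com}"   # assumed: the (sub)domain the certificate was issued for
: "${VPN_CONN:=ikev2-eap}"         # assumed connection name
: "${VPN_POOL:=10.8.128.0/24}"     # virtual IP pool handed to clients
: "${VPN_DNS1:=10.0.0.53}"         # assumed resolvers pushed to clients
: "${VPN_DNS2:=10.0.0.54}"
: "${VPN_USER:=youruser}"          # assumed EAP credentials
: "${VPN_PASS:=yourpass}"
: "${WAN_IF:=eth0}"                # assumed uplink interface used for NAT

# strongswan.conf: insert charon options right after "load_modular = yes". Idempotent.
append_charon_options() {
    f="$CONF_ROOT/strongswan.conf"
    if grep -q 'half_open_timeout' "$f"; then return 0; fi
    if ! grep -q 'load_modular = yes' "$f"; then
        echo "no 'load_modular = yes' line in $f" >&2; return 1
    fi
    awk -v d1="$VPN_DNS1" -v d2="$VPN_DNS2" '
        { print }
        /load_modular = yes/ {
            print "    half_open_timeout = 300 # workaround for CRL retrieval timeout"
            print "    dns1 = " d1;  print "    dns2 = " d2
            print "    nbns1 = " d1; print "    nbns2 = " d2
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# ipsec.conf: the connection from the steps above, parameterised.
write_ipsec_conf() {
    cat > "$CONF_ROOT/ipsec.conf" <<EOF
config setup
    uniqueids=never

conn $VPN_CONN
    keyexchange=ikev2
    ike=aes256-sha256-ecp256,aes256-sha256-modp1024!
    rekey=yes
    left=%defaultroute
    leftid=$VPN_HOST
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=$VPN_POOL
    rightsendcert=never
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add
EOF
}

# ipsec.secrets holds a cleartext EAP password: create it with mode 600 from the start.
write_ipsec_secrets() {
    f="$CONF_ROOT/ipsec.secrets"
    ( umask 077; printf ': RSA server.pem\n%s : EAP "%s"\n' "$VPN_USER" "$VPN_PASS" > "$f" )
    chmod 600 "$f"
}

# Certificate goes to ipsec.d/certs, private key to ipsec.d/private (key readable by root only).
install_server_cert() {   # usage: install_server_cert server.cert.pem server.pem
    mkdir -p "$CONF_ROOT/ipsec.d/certs" "$CONF_ROOT/ipsec.d/private"
    cp "$1" "$CONF_ROOT/ipsec.d/certs/server.cert.pem"
    cp "$2" "$CONF_ROOT/ipsec.d/private/server.pem"
    chmod 700 "$CONF_ROOT/ipsec.d/private"
    chmod 600 "$CONF_ROOT/ipsec.d/private/server.pem"
}

# Firewall rules are printed, not executed: review them, then run them (or pipe to sh).
# On OpenVZ with kernel-libipsec replace the "-m policy" matches with "-i ipsec0" / "-o ipsec0".
print_firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -s $VPN_POOL -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -d $VPN_POOL -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -s $VPN_POOL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE
EOF
}

setup_all() {   # usage: setup_all server.cert.pem server.pem
    append_charon_options && write_ipsec_conf && write_ipsec_secrets && install_server_cert "$1" "$2"
}

if [ "${1:-}" = "apply" ]; then
    setup_all "${2:?cert}" "${3:?key}" && strongswan start && print_firewall_rules
fi
```

Run it as `sh setup.sh apply /path/server.cert.pem /path/server.pem`; the firewall rules are only printed so they can be checked against the host's existing ruleset before being applied.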