IPsec for IKEv2+EAP-MSCHAPv2


Tested with Windows, iOS 10, and Android (using the strongSwan client).

For security, a valid (sub)domain and a valid TLS certificate issued for it are needed: the client must be able to verify the server's identity in IKE_AUTH before it sends EAP-MSCHAPv2 credentials, otherwise a spoofed server can harvest the MSCHAPv2 challenge/response, which is offline-crackable.

The setup:

  1. Install strongSwan; if the host is an OpenVZ container (no kernel IPsec stack), also install the kernel-libipsec plugin for strongSwan.
  2. In /etc/strongswan/strongswan.conf, append the following lines after load_modular = yes.
  3. In /etc/strongswan/ipsec.secrets, append `: RSA server.pem` (without quotes) and `youruser : EAP "yourpass"` (with quotes around the password). Keep this file readable by root only.
  4. In /etc/strongswan/ipsec.conf, add the following connection.
  5. Copy server.cert.pem (without the CA bundle or intermediate certificates; handling those is still a work in progress) to /etc/strongswan/ipsec.d/certs and server.pem (the private key) to /etc/strongswan/ipsec.d/private.
  6. Start strongSwan.
  7. Configure iptables as needed (UDP 500 and 4500 inbound, forwarding and NAT for the client address pool).
  8. Configure the client as needed.

Tips:

  • When adding a server on the client, always enter the valid (sub)domain name rather than the server IP, so the client checks the certificate against that name.
  • When using a wildcard certificate, leftid on the server (the remote ID on the client) should always be the root domain.
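The setup steps and tips above, as one added example that is not part of the original post: a POSIX shell script that writes the three strongSwan files (strongswan.conf, ipsec.conf, ipsec.secrets) for an IKEv2 + EAP-MSCHAPv2 server into a target directory and prints the matching iptables rules. The hostname vpn.example.com, the user alice, the client pool 10.10.10.0/24, the DNS servers, and the uplink interface eth0 are placeholders (assumptions); the cipher proposals keep aes256-sha1-modp1024 only because older Windows clients default to it, and the file names server.cert.pem / server.pem follow the post.

```shell
#!/bin/sh
# Added example (not the original post's files): generate a minimal strongSwan
# IKEv2 + EAP-MSCHAPv2 server configuration under "$1" (default /etc/strongswan).
# All host names, users, addresses and the interface name are placeholders.

write_strongswan_config() {
    dir=${1:-/etc/strongswan}
    mkdir -p "$dir/ipsec.d/certs" "$dir/ipsec.d/private" "$dir/ipsec.d/cacerts"

    # strongswan.conf: the stock file plus DNS servers handed to clients (assumed values).
    # On OpenVZ, uncomment the kernel-libipsec block so charon uses userland IPsec.
    cat > "$dir/strongswan.conf" <<'EOF'
charon {
    load_modular = yes
    dns1 = 1.1.1.1
    dns2 = 8.8.8.8
    plugins {
        include strongswan.d/charon/*.conf
        # kernel-libipsec {
        #     load = yes
        # }
    }
}
include strongswan.d/*.conf
EOF

    # ipsec.conf: server authenticates with its certificate (leftid must match a
    # SAN in server.cert.pem), clients authenticate with EAP-MSCHAPv2.
    cat > "$dir/ipsec.conf" <<'EOF'
config setup
    uniqueids=never

conn ikev2-eap-mschapv2
    keyexchange=ikev2
    auto=add
    type=tunnel
    dpdaction=clear
    dpddelay=300s
    rekey=no
    fragmentation=yes
    # modp1024/sha1 entries exist only for older Windows defaults; drop them if unneeded
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    left=%any
    leftid=vpn.example.com
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,8.8.8.8
    eap_identity=%identity
EOF

    # ipsec.secrets: private key for the server cert, then one EAP user per line.
    cat > "$dir/ipsec.secrets" <<'EOF'
: RSA server.pem
alice : EAP "correct horse battery staple"
EOF
    chmod 600 "$dir/ipsec.secrets"
}

# iptables rules for the pool above; plain -s/-d matches work both with the
# kernel IPsec stack and with kernel-libipsec (traffic arrives via ipsec0).
iptables_rules() {
    cat <<'EOF'
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD -d 10.10.10.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
EOF
}

# Usage: sh this.sh /etc/strongswan   (writes the files, prints the iptables rules)
if [ "$#" -gt 0 ]; then
    write_strongswan_config "$1"
    iptables_rules
fi
```

Review the printed iptables rules before piping them to sh, and copy server.cert.pem and server.pem into ipsec.d/certs and ipsec.d/private before starting strongSwan; the connection will not load if leftcert is missing.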

Sep 10, 2017 @ 18:50
