** CLIENT **
# /etc/ipsec.conf
# Global charon settings for the client.
config setup
    # Several IKE_SAs with the same peer identity may coexist; an older one is not replaced.
    uniqueids=no
    # A missing or unfetchable CRL does not fail certificate validation, so a
    # revoked gateway certificate can go unnoticed when no CRL is available.
    strictcrlpolicy=no
    # Level 3 adds raw hex dumps of IKE/network data to the log. Useful while
    # debugging; lower it afterwards and keep the log readable by root only.
    charondebug="ike 3, knl 2, cfg 3, mgr 3, chd 2, net 3"
# Defaults inherited by every conn section on the client.
conn %default
    # Identity the client presents; it must match the selector in ipsec.secrets.
    leftid=raspberrypi
    # Let the updown script add and remove firewall rules for the tunnel.
    leftfirewall=yes
    # Dead peer detection: probe an idle peer every 2400 s (40 min) and clear the SA on timeout.
    dpdaction=clear
    dpddelay=2400s
    fragmentation=yes
    # Always UDP-encapsulate ESP, even when no NAT is detected.
    forceencaps=yes
    compress=no
    # IKE_SA lifetime 60 min, CHILD_SA lifetime 20 min (keylife is a synonym
    # of lifetime), rekeying starts 3 min before expiry, one negotiation attempt.
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    # NOTE(review): MD5 as the IKE integrity/PRF algorithm and modp1536 (DH group 5)
    # are legacy choices; prefer SHA-256 or better with modp2048 or stronger,
    # provided the gateway offers them.
    # NOTE(review): commas separate whole proposals. The second entry duplicates
    # the first, and "modp2048" / "modp2048s256" name only a DH group; they look
    # like they were meant as extra groups inside one dash-separated proposal.
    # Confirm how charon parses this line.
    # There is no trailing "!", so the proposal is not strict.
    ike=aes128-md5-modp1536,aes128-md5-modp1536,modp2048,modp2048s256
    # NOTE(review): HMAC-SHA1 is legacy, and with no DH group listed CHILD_SA
    # rekeying does not perform a fresh DH exchange.
    esp=aes128-sha1
# CA used to validate the gateway certificate.
ca company
    # A relative path is looked up under /etc/ipsec.d/cacerts.
    cacert=domain.tld.pem
    auto=add
# Tunnel from the client to the company gateway (VPN_* values are placeholders).
conn company
    right=VPN_IP
    # Identity the gateway must present.
    rightid=vpn.domain.tld
    rightsubnet=VPN_SUBNET_CIDR
    rightfirewall=yes
    # NOTE(review): on the initiator, DNS attributes are normally requested
    # through leftdns; confirm this option has an effect here.
    rightdns=VPN_INTERNAL_IP
    # Ask the gateway for a virtual IPv4 address.
    leftsourceip=%config4
    # The client authenticates with the pre-shared key from ipsec.secrets.
    # No rightauth is set, so this section does not pin how the gateway must
    # authenticate; presumably by certificate, given the ca section (confirm).
    leftauth=psk
    mobike=no
    # Overrides the %default dpdaction=clear: renegotiate when the peer is found dead.
    dpdaction=restart
    type=tunnel
    # Bring the tunnel up when the daemon starts.
    auto=start
# /etc/ipsec.secrets
# Pre-shared key for the identity pair gateway/client. "VerySecret" is a
# placeholder: an IKEv2 PSK can be guessed offline if it is weak, so use a long
# random value and keep this file readable by root only.
vpn.domain.tld raspberrypi : PSK "VerySecret"
** SERVER **
# /etc/ipsec.conf
# Global charon settings for the gateway.
config setup
    # Several IKE_SAs with the same peer identity may coexist. Combined with
    # one shared PSK, several devices can be connected under the same identity
    # at the same time.
    uniqueids=no
    # A missing or unfetchable CRL does not fail certificate validation.
    strictcrlpolicy=no
# Defaults inherited by every conn section on the gateway (VPN_* values are placeholders).
conn %default
    left=VPN_INTERNAL_IP
    leftid=vpn.domain.tld
    # The gateway certificate; leftsendcert=always sends it without waiting for a request.
    leftcert=jumpbox.pem
    leftsubnet=VPN_SUBNET_CIDR
    leftfirewall=yes
    leftsendcert=always
    leftdns=VPN_INTERNAL_IP
    rightdns=VPN_INTERNAL_IP
    keyexchange=ikev2
    # Dead peer detection: probe an idle peer every 2400 s (40 min) and clear the SA on timeout.
    dpdaction=clear
    dpddelay=2400s
    fragmentation=yes
    # Always UDP-encapsulate ESP, even when no NAT is detected.
    forceencaps=yes
    # NOTE(review): the client example sets compress=no; confirm which side's
    # setting is intended.
    compress=yes
    # No ike= or esp= lines here, so the daemon's default proposals apply.
# Company CA certificate.
ca company
    # A relative path is looked up under /etc/ipsec.d/cacerts.
    cacert=domain.tld.pem
    auto=add
# Road-warrior clients that authenticate with a pre-shared key.
conn client_psk
    # Any source address and any identity are accepted, so the PSK is the only
    # thing separating a client from the tunnel; its strength matters.
    right=%any
    rightid=%any
    # Pool that client virtual IPs are assigned from.
    # NOTE(review): this is the same placeholder as leftsubnet in %default;
    # confirm the pool is meant to overlap the protected subnet.
    rightsourceip=VPN_SUBNET_CIDR
    rightauth=psk
    # leftauth is not set, so the gateway uses the default (pubkey) with the
    # leftcert inherited from %default.
    type=tunnel
    # Load the connection and wait for clients to initiate.
    auto=add
# Road-warrior clients that authenticate with EAP, verified by a RADIUS server.
conn client_radius
    # The gateway authenticates with its certificate.
    leftauth=pubkey
    right=%any
    rightid=%any
    # Pool that client virtual IPs are assigned from.
    rightsourceip=VPN_SUBNET_CIDR
    # Needs the eap-radius plugin and a RADIUS server configured elsewhere (not shown here).
    rightauth=eap-radius
    # Ask the client for its EAP identity instead of reusing the IKE identity.
    eap_identity=%identity
    type=tunnel
    auto=add
# /etc/ipsec.secrets
# Pre-shared key for the client identity "raspberrypi". "VerySecret" is a
# placeholder: use a long random value, one per client rather than one shared
# by all, and keep this file readable by root only.
raspberrypi : PSK "VerySecret"