@FransUrbo
Last active May 22, 2017 10:54
ipsec.conf-defaults
===================
config setup
    uniqueids=no
    strictcrlpolicy=no
    # nat_traversal=yes   (strongSwan 4.x option; NAT traversal is always enabled in 5.x)
    #charondebug="ike 2, knl 2, cfg 3, mgr 3, chd 2, net 2"

# NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
conn %default
    left=10.99.0.174
    leftid=vpn.domain.tld
    leftcert=jumpbox.pem
    leftsubnet=MY_CIDR/11
    leftfirewall=yes
    leftsendcert=always
    leftdns=LOCAL_IP
    rightdns=LOCAL_IP
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=2400s
    fragmentation=yes
    forceencaps=yes
    compress=yes

ca pharmpress
    cacert=domain.tld.pem
    auto=add
ipsec.conf-clients
==================
# Gateway authenticates with its certificate (leftauth=pubkey); road-warrior
# clients authenticate with EAP relayed to the RADIUS servers in eap-radius.conf.
conn client_radius
    leftauth=pubkey
    right=%any
    rightid=%any
    rightsourceip=10.100.0.0/24
    rightauth=eap-radius
    eap_identity=%identity
    #eap_identity=%any
    type=tunnel
    auto=add
eap-radius.conf
===============
eap-radius {
    accounting = yes
    eap_start = no
    filter_id = no
    load = yes
    dae {
        enable = yes
        listen = localip
        port = 3799
        secret = secret1
    }
    forward {
    }
    servers {
        primary {
            address = radius-slave-00001.domain.tld
            port = 1812
            nas_identifier = jumpbox
            sockets = 10
            secret = secret2
            preference = 99
        }
        secondary {
            address = radius-slave-00002.domain.tld
            port = 1812
            nas_identifier = jumpbox
            sockets = 10
            secret = secret2
        }
        tertiary {
            address = radius-slave-00003.domain.tld
            port = 1812
            nas_identifier = jumpbox
            sockets = 10
            secret = secret2
        }
    }
}
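As an added example (not part of the gist), a small Python parser for the nested-brace strongswan.conf syntax that eap-radius.conf uses, with two review checks a defender would run before deploying it: every RADIUS server has a shared secret, and the DAE listener (RFC 5176) is not left on its default of every interface and has a secret. The sample config, hostnames and secrets are constructed placeholders.

```python
# Constructed sample in strongswan.conf syntax; hostnames and secrets are placeholders.
SAMPLE = """\
eap-radius {
    dae {
        enable = yes
        listen = 10.99.0.174  # constructed: DAE bound to one interface, not 0.0.0.0
        secret = dae-secret-placeholder
    }
    servers {
        primary {
            address = radius1.example.invalid
            secret = radius-secret-placeholder
            preference = 99
        }
    }
}
"""
def parse(text):
    """Return nested dicts: section -> dict, key -> string value."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):  # "name {" opens a (possibly nested) section
            parent = stack[-1] if stack else root
            stack.append(parent.setdefault(line[:-1].strip(), {}))
        elif line == "}":  # closes the innermost open section
            stack.pop()
        else:  # "key = value" assignment into the current section
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse: {raw!r}")
            (stack[-1] if stack else root)[key.strip()] = value.strip()
    if stack:
        raise ValueError("unclosed section")
    return root
def review(cfg):
    """Findings a reviewer would raise about the eap-radius section."""
    er, out = cfg.get("eap-radius", {}), []
    servers = er.get("servers", {})
    out += [f"server '{n}' has no shared secret" for n, s in servers.items() if not s.get("secret")]
    dae = er.get("dae", {})
    dae_on = dae.get("enable") == "yes"
    # strongSwan's dae.listen defaults to 0.0.0.0, i.e. every interface
    if dae_on and dae.get("listen", "0.0.0.0") in ("0.0.0.0", "::"):
        out.append("DAE listener bound to all interfaces")
    if dae_on and not dae.get("secret"):
        out.append("DAE enabled without a shared secret")
    return out
```

Run `review(parse(open("/etc/strongswan.d/charon/eap-radius.conf").read()))` against a real file to get the findings list; an empty list means both checks passed.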