@OkamiSupport
Last active December 15, 2015 11:03
Notes on connecting Cisco IPsec (strongSwan) to ToughRadius

This assumes you already have both ToughRadius and the Cisco IPsec VPN working. Change to the /usr/local/etc directory
and edit strongswan.d/charon/eap-radius.conf:
```
eap-radius {
    # send Accounting-Start/Stop for each session to the RADIUS server
    accounting = yes
    load = yes
    # Dynamic Authorization Extensions (RFC 5176): accept Disconnect/CoA
    # requests from the RADIUS server on UDP 3799
    dae {
        enable = yes
        listen = 0.0.0.0
        port = 3799
    }
    forward {
    }
    servers {
        server-a {
            secret = *enter your radius secrets*
            address = *enter your radius server IP*
            auth_port = 1812
            acct_port = 1813
        }
    }
    xauth {
    }
}
```
Then edit ipsec.conf:

```
config setup
    uniqueids=never

# iOS: IKEv1 main mode, PSK for the gateway plus XAuth against RADIUS
conn iOS_xauth_psk
    keyexchange=ikev1
    fragmentation=yes
    ikelifetime=12h
    lifetime=12h
    rekey=yes
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.90.0.0/24
    auto=add

# Android: same as iOS, but the client only connects in aggressive mode
conn android_xauth_psk
    keyexchange=ikev1
    ikelifetime=12h
    aggressive=yes
    lifetime=12h
    rekey=yes
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth-radius
    rightsourceip=10.90.0.0/24
    auto=add

# NetworkManager-strongswan: IKEv2 with certificates on both sides
conn networkmanager-strongswan
    keyexchange=ikev2
    ikelifetime=12h
    lifetime=12h
    rekey=yes
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=pubkey
    rightsourceip=10.90.0.0/24
    rightcert=client.cert.pem
    auto=add

# Windows 7: IKEv2, server certificate plus EAP-MSCHAPv2 for the user.
# rekey=no follows the strongSwan Windows 7 example (the client rekeys);
# the original listed both rekey=no and rekey=yes here, only one can apply.
conn windows7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    ikelifetime=12h
    lifetime=12h
    left=%defaultroute
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.90.0.0/24
    rightsendcert=never
    eap_identity=%any
    auto=add

# L2TP/IPsec: IKEv1 transport mode protecting UDP 1701
conn L2TP-PSK
    keyexchange=ikev1
    authby=secret
    ikelifetime=12h
    lifetime=12h
    rekey=yes
    leftprotoport=17/1701
    leftfirewall=no
    rightprotoport=17/%any
    type=transport
    auto=add
```
Change your configuration to match the above and you are done.
rightsourceip can be changed to whichever subnet you want to hand out to clients.
Android authenticates over IPsec VPN much like iOS, but needs the extra `aggressive=yes`; without it the client cannot connect to the server.
@syxoasis

Thank you very much for sharing the configuration tutorial. I suggest the following change to eap-radius.conf:

```
dae {
    enable = yes
    listen = 0.0.0.0
    port = 3799
    secret = enter your radius secrets
}
```

Without a secret, the DAE feature cannot be enabled.
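The DAE listener enabled in eap-radius.conf above only acts on requests that are authenticated with that secret. As an added example (not from the gist, strongSwan or ToughRadius), here is a small Python client that builds an RFC 5176 Disconnect-Request for one User-Name, sends it to charon's DAE port and checks that the Disconnect-ACK/NAK reply verifies under the shared secret; the server address, secret and user name passed to `disconnect_user` are assumptions you replace with your own.

```python
import hashlib
import os
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 packet codes
ATTR_USER_NAME = 1  # RFC 2865 attribute type

def encode_attr(attr_type, value):
    """RADIUS TLV: type, length (value + 2 header bytes), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(secret, user_name, identifier):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attrs + Secret);
    charon only acts on a request whose authenticator verifies under dae.secret."""
    attrs = encode_attr(ATTR_USER_NAME, user_name.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def response_authenticator(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attrs + Secret), as sent in the ACK/NAK."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(response, request, secret):
    """Return 41 (ACK) or 42 (NAK) only for a reply that matches our request ID and
    whose Response Authenticator verifies under the shared secret; else None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if (length != len(response) or identifier != request[1]
            or code not in (DISCONNECT_ACK, DISCONNECT_NAK)):
        return None
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return code if expected == response[4:20] else None

def disconnect_user(server, secret, user_name, port=3799, timeout=3.0):
    """Send one Disconnect-Request to charon's DAE port; return the verified reply code."""
    request = build_disconnect_request(secret, user_name, os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # no reply: DAE not listening, port filtered, or secret mismatch
    return verify_response(response, request, secret)
```

Run `disconnect_user("<vpn server>", b"<dae secret>", "<user>")` from the RADIUS host; a result of None means no correctly authenticated reply came back within the timeout, which is the symptom to expect when the DAE secret on the two sides does not match.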
