- Download strongSwan (check the tarball against the PGP signature published on the download page before building)
https://www.strongswan.org/download.html
# Build prerequisites: compiler toolchain and the GMP development headers.
sudo apt-get update
sudo apt-get install build-essential libgmp3-dev

# Unpack the release tarball and enter the source tree.
tar -xvf strongswan.tar.gz
cd strongswan

# Enable the EAP plugins. eap-mschapv2 needs the MD4 plugin for the NT
# password hash, hence --enable-md4. The ipsec.conf on this page only uses
# eap-identity and eap-mschapv2; the remaining EAP plugins can be left out
# to keep the daemon's attack surface small if they are not needed.
./configure \
  --enable-eap-identity \
  --enable-eap-md5 \
  --enable-eap-mschapv2 \
  --enable-eap-tls \
  --enable-eap-ttls \
  --enable-eap-peap \
  --enable-eap-tnc \
  --enable-eap-dynamic \
  --enable-eap-radius \
  --enable-md4

# Compile as the normal user; only the install step needs root.
make
sudo make install
- Configuration
# /usr/local/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
strictcrlpolicy=no
uniqueids = no
charondebug = ike 2, cfg 2
conn %default
dpdaction=clear
dpddelay=35s
dpdtimeout=2000s
keyexchange=ikev2
auto=add
rekey=no
reauth=no
fragmentation=yes
compress=yes
### left - local (server) side
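# filename of the certificate chain, located in /etc/strongswan/ipsec.d/certs/ (a source build with the default prefix, as above, most likely uses /usr/local/etc/ipsec.d/certs/ instead)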
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
### right - remote (client) side
### ---------------------------------
### eap_identity=%identity
### rightsourceip=10.79.1.0/24
### rightdns=8.8.8.8
### ----------------------------------
eap_identity=%identity
rightsourceip=
rightdns=8.8.8.8
conn ikev2-mschapv2
rightauth=eap-mschapv2
conn ikev2-mschapv2-apple
rightauth=eap-mschapv2
leftid=vpn.nicedoaminbro.com
# /usr/local/etc/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
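# filename of the private key, located in /etc/strongswan/ipsec.d/private/ (most likely /usr/local/etc/ipsec.d/private/ for the source build above); keep the key readable by root only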
: RSA privkey.pem
# syntax is `username : EAP "plaintextpassword"` - passwords are stored in cleartext here, so keep this file owned by root with mode 600
john : EAP "iamapassword"
# Masquerade VPN client traffic leaving through ens33. The source range has
# to be the same pool that rightsourceip hands out in ipsec.conf; note that
# the commented example there uses 10.79.1.0/24 while this rule uses
# 10.99.1.0/24, so make the two agree. The rule is scoped to the client pool
# only, so other traffic through this host is not NATed by it.
sudo iptables --table nat --append POSTROUTING \
  --source 10.99.1.0/24 \
  --out-interface ens33 \
  --jump MASQUERADE
Also enable IPv4 forwarding, otherwise the gateway will not route client traffic (apply the change with `sudo sysctl -p`):
# /etc/sysctl.conf
net.ipv4.ip_forward=1