strongswan pki
# Settings every conn below inherits: an IKEv2 tunnel-mode road-warrior gateway.
# The gateway (left) answers from any address, hands each client (right) a
# virtual IP from the pool and carries all of the client's traffic (0.0.0.0/0).
conn %default
keyexchange=ikev2
type=tunnel
# add: load the conn and wait for road warriors to initiate; never dial out.
auto=add
# The commented variants end in "!", which would restrict the proposal to exactly
# that suite; see the note on the active ike= line at the end of this section.
# ike=aes256-sha1-modp1024!
# esp=aes256-sha1!
# Dead-peer detection: probe an idle peer every 300s; "clear" deletes the SAs of
# a peer that stops answering without trying to re-establish them.
dpdaction=clear
dpddelay=300s
# IKE fragmentation: IKE_AUTH carries certificates and easily exceeds the path
# MTU; without it clients behind fragment-dropping paths never get past IKE_AUTH.
fragmentation=yes
left=%any
# Full tunnel: the client's default route goes through this gateway, which is
# why the MASQUERADE/MSS rules in the firewall script exist.
leftsubnet=0.0.0.0/0
right=%any
# DNS server pushed to the client in the config payload. It is a private address,
# so clients reach it only through the tunnel; it must be reachable from here.
rightdns=192.168.5.205 # push DNS server to roadwarrior
# Virtual-IP pool; must match the -s 10.9.0.0/24 selector in the iptables script.
rightsourceip=10.9.0.0/24
# NOTE(review): modp1024 (1024-bit DH, IKE group 2) and SHA-1 are below current
# guidance (modp2048/ecp256 with sha256 or better). They are presumably kept for
# Windows 7, whose built-in IKEv2 client offers only modp1024 unless a registry
# change enables 2048-bit DH — confirm that is still needed. Because no "!" is
# appended, strongSwan also adds its own default proposals, so clients able to
# negotiate a stronger suite still do; the "!" variants above would forbid that.
ike = aes256-sha1-modp1024
# Legacy IKEv1 profile (Android's built-in "IPSec Xauth PSK" client): IKE is
# authenticated with the group PSK from ipsec.secrets, then XAUTH user/password.
# NOTE(review): the PSK is shared by every client, and whoever holds it can also
# pose as the gateway towards those clients. The one in the published secrets
# file on this page should be treated as burned and rotated; new clients should
# prefer androidv2/win7 (IKEv2, gateway authenticated by certificate).
conn androidv1
authby=xauthpsk
# This side is the XAUTH server: it checks the user against the XAUTH lines in ipsec.secrets.
xauth = server
keyexchange=ikev1
# IKEv2 profile with a client certificate AND a password: the client must present
# a certificate chaining to the CA (rightauth) and then pass EAP-MSCHAPv2 in a
# second authentication round (rightauth2).
conn androidv2
# Gateway authenticates with its certificate; leftid must equal the SAN the
# gateway certificate was issued with (--san 46.102.154.5 in the pki script).
leftauth=pubkey
leftcert=/etc/ipsec.d/issued/46.102.154.5.crt
leftid=46.102.154.5
# Any certificate issued by the trusted CA is accepted here (no rightid/rightca
# constraint); the EAP round below is what ties the session to a user.
rightauth=pubkey
rightauth2=eap-mschapv2
# Accept whatever identity the client sends in EAP; the password is looked up
# under that identity in ipsec.secrets, so an identity without an EAP line fails.
eap_identity=%any
# IKEv2 profile for password-only clients (Windows 7 built-in client and alike):
# gateway authenticated by certificate, client by EAP-MSCHAPv2.
# NOTE(review): EAP-MSCHAPv2 is only as safe as the client's check of the gateway
# certificate. The exchange runs inside the IKE SA after the gateway has proven
# itself, but a client configured to skip CA validation hands its MSCHAPv2
# response — which can be cracked offline — to any rogue gateway that intercepts it.
conn win7
leftauth=pubkey # authenticate gateway to roadwarrior by public key
leftcert=/etc/ipsec.d/issued/46.102.154.5.crt # pubkey
leftid=46.102.154.5 # pubkey id
rightauth=eap-mschapv2 # how roadwarrior do authentication at gateway
eap_identity=%any # allow any EAP identity
# Leave rekeying to the client; presumably because the Windows client copes
# badly with a gateway-initiated rekey — TODO confirm that is still the reason.
rekey=no # do not do rekey
# Same suite as %default (Windows 7's default proposal); see the note there.
ike = aes256-sha1-modp1024
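#!/bin/sh
# Check that the running kernel carries the options strongSwan needs:
# XFRM/IPsec (AH, ESP, IPcomp and the XFRM modes) for IPv4 and IPv6, policy
# routing (multiple tables) and netfilter with the xt_policy match.
#
# For each option the matching line of the kernel config is printed as-is
# (CONFIG_X=y, CONFIG_X=m or "# CONFIG_X is not set"); options that are
# disabled or absent from the config are additionally reported on stderr, so a
# missing option no longer goes unnoticed just because nothing was printed.
# Both /boot/config-$(uname -r) and /proc/config.gz are consulted when present.
# Exit status: 0 if every option is enabled (=y or =m) in each config found,
# 1 if any option is disabled/absent or no kernel config could be found.
#
# Note: this only inspects the build configuration; an =m option still has to
# be loadable on the running system.

# Kernel options checked, one per line, IPv4 first then IPv6 and netfilter.
IPSEC_KERNEL_OPTIONS="
CONFIG_XFRM_USER
CONFIG_NET_KEY
CONFIG_INET
CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_MULTIPLE_TABLES
CONFIG_INET_AH
CONFIG_INET_ESP
CONFIG_INET_IPCOMP
CONFIG_INET_XFRM_MODE_TRANSPORT
CONFIG_INET_XFRM_MODE_TUNNEL
CONFIG_INET_XFRM_MODE_BEET
CONFIG_IPV6
CONFIG_INET6_AH
CONFIG_INET6_ESP
CONFIG_INET6_IPCOMP
CONFIG_INET6_XFRM_MODE_TRANSPORT
CONFIG_INET6_XFRM_MODE_TUNNEL
CONFIG_INET6_XFRM_MODE_BEET
CONFIG_IPV6_MULTIPLE_TABLES
CONFIG_NETFILTER
CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_POLICY
"

# check_kernel_options FILE READER
#   FILE   - kernel config to inspect
#   READER - command used to grep FILE: grep for plain text, zgrep for .gz
# Prints each option's config line to stdout and reports disabled or absent
# options on stderr. Returns 0 when every option is =y or =m, 1 otherwise.
check_kernel_options() {
  ck_file=$1
  ck_reader=$2
  ck_status=0
  for ck_opt in $IPSEC_KERNEL_OPTIONS; do
    # \< \> are word anchors, so CONFIG_INET does not also match CONFIG_INET_AH.
    ck_line=$("$ck_reader" '\<'"$ck_opt"'\>' "$ck_file") || ck_line=
    case "$ck_line" in
      '')
        printf '%s: absent from %s\n' "$ck_opt" "$ck_file" >&2
        ck_status=1
        ;;
      *'is not set'*)
        printf '%s\n' "$ck_line"
        printf '%s: disabled in %s\n' "$ck_opt" "$ck_file" >&2
        ck_status=1
        ;;
      *)
        printf '%s\n' "$ck_line"
        ;;
    esac
  done
  return "$ck_status"
}

# Inspect whichever kernel config files exist; fail loudly when there is none
# instead of silently printing nothing.
main() {
  boot_config="/boot/config-$(uname -r)"
  proc_config=/proc/config.gz
  found=0
  rc=0
  if [ -f "$boot_config" ]; then
    found=1
    check_kernel_options "$boot_config" grep || rc=1
  fi
  if [ -f "$proc_config" ]; then
    found=1
    check_kernel_options "$proc_config" zgrep || rc=1
  fi
  if [ "$found" -eq 0 ]; then
    printf 'no kernel config found at %s or %s\n' "$boot_config" "$proc_config" >&2
    rc=1
  fi
  return "$rc"
}

main "$@"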
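#!/bin/bash
# One-shot PKI bootstrap for the strongSwan gateway:
#   1. a self-signed CA (key, certificate and an empty CRL),
#   2. the gateway key + certificate, issued for its public IP (CN and SAN)
#      with the serverAuth EKU that Windows/Android clients look for, and
#   3. a first client key + certificate, bundled as a PKCS#12 file for import.
#
# Run once, as root, on the gateway; needs strongSwan's `ipsec pki` and openssl.
# The script refuses to overwrite an existing key: silently re-creating the CA
# key (as re-running the previous version did) invalidates every certificate
# that CA has issued so far.
set -euo pipefail

# Everything below is created with `>`; with the default umask that leaves the
# private keys and the .p12 (which contains a private key) world-readable.
umask 077

NAME=46.102.154.5              # gateway public IP: must equal leftid/leftcert in ipsec.conf
CLIENT=client1                 # name of the first client to issue
CA=/etc/ipsec.d/ca.crt
CAKEY=/etc/ipsec.d/private/ca.key
CRL=/etc/ipsec.d/crls/crl.pem

die() { printf '%s\n' "$*" >&2; exit 1; }

# gen_key OUT — write a fresh 2048-bit RSA private key to OUT; never clobbers one.
gen_key() {
  local out=$1
  [[ -e "$out" ]] && die "refusing to overwrite existing key $out"
  ipsec pki --gen --type rsa --size 2048 --outform pem > "$out"
}

# issue_cert KEY DN OUT [extra `pki --issue` options...]
# Certify KEY's public half with the CA and write the certificate to OUT.
issue_cert() {
  local key=$1 dn=$2 out=$3
  shift 3
  ipsec pki --pub --in "$key" \
    | ipsec pki --issue --cacert "$CA" --cakey "$CAKEY" --dn "$dn" "$@" --outform pem > "$out"
}

main() {
  command -v ipsec >/dev/null || die "ipsec (strongSwan) not found in PATH"
  command -v openssl >/dev/null || die "openssl not found in PATH"

  # --- CA: key, self-signed certificate, empty CRL --------------------------
  gen_key "$CAKEY"
  ipsec pki --self --in "$CAKEY" --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > "$CA"
  ipsec pki --signcrl --cacert "$CA" --cakey "$CAKEY" --outform pem > "$CRL"

  # --- gateway certificate --------------------------------------------------
  # The SAN has to be the IP the clients dial: with no explicit rightid, a client
  # matches the gateway certificate against right=46.102.154.5.
  gen_key "/etc/ipsec.d/private/$NAME.key"
  issue_cert "/etc/ipsec.d/private/$NAME.key" "C=MD, O=strongSwan, CN=$NAME" \
    "/etc/ipsec.d/issued/$NAME.crt" --san "$NAME" --flag serverAuth

  # --- first client certificate + PKCS#12 bundle ----------------------------
  local client_key=/etc/ipsec.d/private/$CLIENT.key
  local client_cert=/etc/ipsec.d/issued/$CLIENT.crt
  local client_p12=/etc/ipsec.d/$CLIENT.p12
  gen_key "$client_key"
  issue_cert "$client_key" "C=MD, O=strongSwan, CN=$CLIENT" "$client_cert"

  # The bundle carries the client key, its certificate and the CA *certificate*
  # (-certfile) — not the CA key, which never leaves this host. openssl prompts
  # for an export password; hand the .p12 and that password to the user out of band.
  openssl pkcs12 -export -inkey "$client_key" -in "$client_cert" -name "$CLIENT" \
    -certfile "$CA" -caname "strongSwan Root CA" -out "$client_p12"
}

main "$@"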
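#!/bin/bash
# Issue a client certificate for USERNAME and print the ipsec.secrets lines
# (EAP for the IKEv2 conns, XAUTH for the IKEv1 one) the operator must add for
# PASSWORD.
#
# Usage: add-user.sh USERNAME PASSWORD
#
# NOTE(review): PASSWORD is taken from the command line and is therefore visible
# in `ps` on a shared host and in the shell history; outside a lab, prompt for it
# (`read -rs`) instead. The secret itself ends up in plaintext in
# /etc/ipsec.secrets — that is how strongSwan's EAP-MSCHAPv2/XAUTH lookup works —
# so keep that file readable by root only.
set -euo pipefail
umask 077   # the client's private key is written with `>`; keep it 0600

# Source config.sh from the script's own directory, not from whatever file the
# current directory happens to contain.
# NOTE(review): if config.sh is the CA-bootstrap script from this gist, sourcing
# it here would regenerate the CA on every run and invalidate every certificate
# issued so far — confirm what config.sh actually holds.
source "$(dirname "$0")/config.sh"

if [[ $# -lt 2 || -z "${1-}" || -z "${2-}" ]]; then
  echo "usage $0 username password" >&2
  exit 1
fi
NAME=$1
PASSWORD=$2

# NAME becomes a file name under /etc/ipsec.d and an identity in ipsec.secrets:
# restrict it so it can neither escape the directory nor need quoting.
if ! [[ $NAME =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]]; then
  echo "invalid username: $NAME" >&2
  exit 1
fi
# The password is emitted inside double quotes on the secrets line; a quote or
# backslash inside it would not survive that quoting.
case "$PASSWORD" in
  *'"'*|*'\'*)
    echo 'password must not contain " or \' >&2
    exit 1
    ;;
esac

CERT=/etc/ipsec.d/issued/$NAME.crt
PRIVATE=/etc/ipsec.d/private/$NAME.key
CA=/etc/ipsec.d/ca.crt
CAKEY=/etc/ipsec.d/private/ca.key

# Re-running for an existing user would silently replace the key that user
# already has; make that an explicit decision.
if [[ -e "$PRIVATE" || -e "$CERT" ]]; then
  echo "user $NAME already has a key or certificate under /etc/ipsec.d" >&2
  exit 1
fi

ipsec pki --gen --type rsa --size 2048 --outform pem > "$PRIVATE"
ipsec pki --pub --in "$PRIVATE" \
  | ipsec pki --issue --cacert "$CA" --cakey "$CAKEY" --dn "C=MD, O=strongSwan, CN=$NAME" --outform pem > "$CERT"

# Same wording as before so existing runbooks still match.
printf 'Insert:\n\n%s : EAP "%s"\n%s : XAUTH "%s"\n\nin to /etc/ipsec.secrets\n' \
  "$NAME" "$PASSWORD" "$NAME" "$PASSWORD"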
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# NOTE(review): every secret below is plaintext — this file must be readable by
# root only (chmod 0600).
# NOTE(review): the key path names host 185.181.228.161 while the ipsec.conf on
# this page uses leftcert/leftid 46.102.154.5. With the legacy ipsec.conf backend
# the gateway's private keys are loaded from the ": RSA" lines here, so the key
# belonging to the configured leftcert has to be the one listed — confirm.
: RSA /etc/ipsec.d/private/185.181.228.161.key
# Group PSK for the IKEv1 xauthpsk conn; with no selector it is offered to any
# peer. It appears in a public gist, so treat it as burned and generate a fresh
# one (e.g. `openssl rand -hex 32`).
: PSK 7ab91da3cffab70dd25191e7a81edc3c
# EAP (IKEv2 eap-mschapv2) and XAUTH (IKEv1) credentials, one pair per user as
# printed by the add-user script. "test"/"test" is a placeholder — remove it
# before exposing the gateway.
test : EAP "test"
test : XAUTH "test"
# Road-warrior (client) side, counterpart of conn win7 on the gateway: the
# gateway proves itself with its certificate, this host with EAP as "puma".
conn icinga
# NOTE(review): "local" is not a strongSwan keyword; it is resolved as a
# hostname, so it presumably maps to this host in /etc/hosts. %defaultroute is
# the usual road-warrior setting — confirm.
left=local
# Ask the gateway for a virtual IP (from its rightsourceip pool).
leftsourceip=%config
# Authenticate with EAP; the gateway chooses the method (EAP-MSCHAPv2 in conn
# win7) and the password comes from this host's ipsec.secrets (puma : EAP "...").
leftauth=eap
# Let the updown script insert iptables rules for the tunnel traffic.
leftfirewall=yes
right=46.102.154.5
# The gateway certificate must chain to a CA in /etc/ipsec.d/cacerts and, since
# no rightid is set, identify 46.102.154.5 (the SAN it was issued with).
rightauth=pubkey
# Full tunnel: all traffic is sent to the gateway.
rightsubnet=0.0.0.0/0
eap_identity=puma
auto=add
fragmentation=yes
On the client you also need the EAP password for the chosen eap_identity in its /etc/ipsec.secrets (a line of the form `puma : EAP "password"`, matching the one on the gateway) and the gateway's ca.crt copied into /etc/ipsec.d/cacerts; without the CA certificate the gateway's certificate cannot be validated and the connection is refused.
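#!/bin/bash
# Gateway firewall/NAT glue for the road-warrior pool 10.9.0.0/24 (rightsourceip
# in ipsec.conf):
#   - clamp the TCP MSS of the clients' SYNs so segments still fit once the ESP
#     (and UDP-encapsulation) overhead is added on the way out,
#   - masquerade pool traffic that leaves an uplink in the clear; "--pol none"
#     keeps traffic that still has an IPsec policy (e.g. client to client) out of NAT,
#   - enable IPv4 forwarding and disable PMTU discovery.
#
# Must run as root. Idempotent: every rule is looked up with -C before it is
# inserted, so re-running does not stack duplicates. (The previous version
# inserted the FORWARD rule again on every run and flushed the whole nat table,
# taking any NAT rule installed by other services — Docker, libvirt, ... — with it.)
#
# NOTE(review): nothing here ACCEPTs forwarded traffic. If the FORWARD chain's
# policy is DROP, rules roughly like
#   iptables -I FORWARD -m policy --dir in  --pol ipsec -s 10.9.0.0/24 -j ACCEPT
#   iptables -I FORWARD -m policy --dir out --pol ipsec -d 10.9.0.0/24 -j ACCEPT
# (what leftfirewall=yes would add via the updown script) are still needed.
# NOTE(review): the sysctl settings are not persistent; put them in
# /etc/sysctl.d/ to survive a reboot. ip_no_pmtu_disc=1 is system-wide, not
# limited to tunnel traffic — confirm that is intended.
set -euo pipefail

POOL=10.9.0.0/24          # virtual-IP pool handed to clients
UPLINKS=(ens18 ens19)     # interfaces the clients' clear-text traffic leaves on
MSS=1360                  # presumably chosen to leave room for ESP/UDP-encap overhead on a 1500-byte path

# ensure_rule TABLE CHAIN RULE... — insert the rule at the top of CHAIN unless
# an identical one is already present.
ensure_rule() {
  local table=$1
  shift
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -I "$@"
}

# Clamp only SYNs that advertise an MSS above the target (MSS+1 .. 1536).
ensure_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss "$((MSS + 1)):1536" \
  -s "$POOL" -j TCPMSS --set-mss "$MSS"

for dev in "${UPLINKS[@]}"; do
  ensure_rule nat POSTROUTING -s "$POOL" -m policy --pol none --dir out -o "$dev" -j MASQUERADE
done

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.ip_no_pmtu_disc=1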