strongSwan IKEv2 configuration for iOS without certificates (server authenticated by a pre-shared key, users by EAP-MSCHAPv2)
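#!/usr/bin/env bash
# Build and install strongSwan from source for the iOS IKEv2 (PSK + EAP-MSCHAPv2) gateway.
#
# SECURITY NOTES
# - The original pinned strongSwan 5.3.3 (2015). That release predates the 5.3.4 fix
#   for the EAP-MSCHAPv2 server-side authentication bypass (CVE-2015-8023), and
#   EAP-MSCHAPv2 is exactly how this gateway authenticates users (rightauth=eap-mschapv2
#   in ipsec.conf). The version is a variable so an old pin is an explicit choice, and
#   the script warns when the known-bad default is used.
# - The tarball is verified against its detached PGP signature. The strongSwan release
#   key must already be in your keyring, imported out-of-band (not from the same host
#   that serves the tarball); TLS on the download alone does not authenticate the file.
# - Only the plugins this setup uses are built (openssl backend, md4 for the NT hash,
#   eap-mschapv2, eap-identity). Every extra plugin is reachable code inside an
#   Internet-facing daemon; add back what you need via EXTRA_CONFIGURE_FLAGS.
set -euo pipefail

STRONGSWAN_VERSION="${STRONGSWAN_VERSION:-5.3.3}"
if [ "$STRONGSWAN_VERSION" = "5.3.3" ]; then
    echo "WARNING: strongSwan 5.3.3 is affected by CVE-2015-8023 (EAP-MSCHAPv2 auth bypass);" \
         "set STRONGSWAN_VERSION to a current release." >&2
fi

TARBALL="strongswan-${STRONGSWAN_VERSION}.tar.gz"
BASE_URL="https://download.strongswan.org"

# Download the release and its detached signature.
wget "${BASE_URL}/${TARBALL}"
wget "${BASE_URL}/${TARBALL}.sig"

# Abort unless the signature verifies with a key already trusted in the local keyring.
gpg --verify "${TARBALL}.sig" "${TARBALL}"

# Extract and uncompress
tar -xzf "${TARBALL}"
cd "strongswan-${STRONGSWAN_VERSION}"

# Configure: minimal plugin set for PSK server auth + EAP-MSCHAPv2 user auth.
# shellcheck disable=SC2086  # EXTRA_CONFIGURE_FLAGS is intentionally word-split
./configure --prefix=/usr --sysconfdir=/etc \
    --enable-openssl --enable-md4 \
    --enable-eap-mschapv2 --enable-eap-identity \
    --disable-mysql --disable-ldap --disable-static --enable-shared \
    ${EXTRA_CONFIGURE_FLAGS:-}

# Make & install
make -j"$(nproc 2>/dev/null || echo 1)"
make install

# Day-to-day commands (run by hand, NOT as part of this script: the original listed
# them in sequence, which if executed would start, reload and immediately stop the daemon):
#   ipsec start            # start charon
#   ipsec reload           # re-read ipsec.conf
#   ipsec rereadsecrets    # re-read ipsec.secrets
#   ipsec stop             # stop charon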
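<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  iOS configuration profile (.mobileconfig) for the strongSwan IKEv2 gateway.
  Server authentication: pre-shared key (AuthenticationMethod = SharedSecret).
  User authentication: EAP-MSCHAPv2 username/password (ExtendedAuthEnabled).

  SECURITY NOTES
  * This file carries credentials in the clear (AuthPassword, SharedSecret). Treat it
    like a password file: fill it per user, deliver it over a trusted channel, delete
    copies after installation. Profiles can also be signed so the device can verify
    their origin before installing.
  * The one PSK is shared by every client and is what authenticates the server, so any
    enrolled user holding it can impersonate the gateway to the others.
  * Algorithms were raised from 3DES / SHA1-96 / DH group 2 (1024-bit MODP), all
    deprecated, to AES-256 / SHA2-256 / DH group 14 (2048-bit MODP). The gateway's
    ike= / esp= proposals must offer a matching suite.
  * PayloadVersion is an Integer in Apple's profile format; the inner payload used a
    <real>, which is corrected below.
-->
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IKEv2</key>
			<dict>
				<!-- EAP identity/password; must match a "name : EAP" line in ipsec.secrets. -->
				<key>AuthName</key>
				<string>{username}</string>
				<key>AuthPassword</key>
				<string>{password}</string>
				<!-- Server proves itself with the PSK; the client itself authenticates via EAP below. -->
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<!-- Child (ESP) SA proposal. The DH group is only used when EnablePFS is 1. -->
				<key>ChildSecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>DeadPeerDetectionRate</key>
				<string>Medium</string>
				<key>DisableMOBIKE</key>
				<integer>0</integer>
				<key>DisableRedirect</key>
				<integer>0</integer>
				<!-- No certificates are in use, so there is nothing for revocation checking to check. -->
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<!-- Kept at 0 as in the original. Set to 1 once the server's esp= proposal carries a
				     DH group so that child-SA rekeys do a fresh exchange and a later compromise of the
				     IKE SA keys does not expose rekeyed ESP traffic. -->
				<key>EnablePFS</key>
				<integer>0</integer>
				<key>ExtendedAuthEnabled</key>
				<true/>
				<!-- IKE SA proposal; the gateway must offer aes256-sha256-modp2048 in ike=. -->
				<key>IKESecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<!-- Identities: the client sends LocalIdentifier (server's rightid) and expects
				     RemoteIdentifier from the gateway (server's leftid). -->
				<key>LocalIdentifier</key>
				<string>{rightid}</string>
				<key>RemoteAddress</key>
				<string>{your_server_address}</string>
				<key>RemoteIdentifier</key>
				<string>{leftid}</string>
				<!-- Group secret shared with every client; must equal the ": PSK" line in ipsec.secrets. -->
				<key>SharedSecret</key>
				<string>{your_psk}</string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer>
			</dict>
			<!-- OverridePrimary = 1 sends all traffic through the tunnel (matches leftsubnet=0.0.0.0/0). -->
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>1</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.FBFBDEF8-5B16-4863-91C1-7E2A68F848A3</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>425A1628-E99B-4547-966E-5B967CF1F5EA</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>JP</string>
			<key>VPNType</key>
			<string>IKEv2</string>
			<key>VendorConfig</key>
			<dict/>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>IKEv2</string>
	<!-- Generate fresh UUIDs if you derive more than one profile from this template;
	     devices treat identical PayloadUUID / PayloadIdentifier values as the same profile. -->
	<key>PayloadIdentifier</key>
	<string>C7918ABA-8DE8-40ED-A3AE-994CD40ACE22</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>9697F3C2-FF20-4981-A0C4-AA36BA78EEEA</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>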
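#!/bin/bash
# Firewall and NAT rules for the strongSwan IKEv2 gateway. Run as root.
#
# VPN_SUBNET must equal rightsourceip in ipsec.conf; WAN_IF is the uplink whose
# address the clients are masqueraded behind.
#
# Rules are appended (-A), as in the original. On distributions whose INPUT/FORWARD
# chains already end in a REJECT/DROP rule, appended rules never match; insert them
# (-I) or place them before that rule. Nothing here is persistent: re-run at boot or
# save the ruleset with your distribution's iptables-save mechanism.
set -euo pipefail

VPN_SUBNET="${VPN_SUBNET:-10.99.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# IKE (UDP 500), NAT-T / UDP-encapsulated ESP (UDP 4500), and raw ESP (IP proto 50)
# for clients that are not behind NAT and therefore do not encapsulate.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT

# Forwarding for the current boot only; persist with net.ipv4.ip_forward=1 in
# /etc/sysctl.conf or /etc/sysctl.d/.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Forward only traffic that belongs to the VPN pool: outbound from clients plus the
# replies to it. The original had only the first rule; with a default-DROP FORWARD
# policy the return traffic is silently discarded ("connected, but no page loads").
iptables -A FORWARD -s "$VPN_SUBNET" -j ACCEPT
iptables -A FORWARD -d "$VPN_SUBNET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Clamp TCP MSS to the path MTU. ESP/UDP encapsulation shrinks the usable MTU and
# "fragmentation needed" ICMP is often filtered upstream, so without this small
# requests succeed while larger responses stall.
iptables -t mangle -A FORWARD -s "$VPN_SUBNET" -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu

# Source-NAT client traffic leaving via the uplink.
iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j MASQUERADE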
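# ipsec.conf - strongSwan IPsec configuration file
#
# Gateway side of an IKEv2 road-warrior setup for iOS: the gateway authenticates
# with a pre-shared key, users authenticate with EAP-MSCHAPv2 username/password.
# Parameter lines inside a section must be indented (the rendered gist lost that).
#
# SECURITY NOTE: the single PSK is shared by every client and it is what
# authenticates the *gateway*, so anyone holding it (every enrolled user) can
# impersonate the gateway to the others. Treat the PSK as a group secret of that
# strength, or move the gateway to certificate authentication (leftauth=pubkey).

# basic configuration
config setup
    # No certificates are used, so there are no CRLs to be strict about.
    strictcrlpolicy=no
    # Every iOS client presents the same identity (rightid below); with the default
    # uniqueids=yes a new connection would replace the previous user's SA.
    uniqueids = no

# IKEv2 for iOS
conn iOS-IKEV2
    auto=add
    dpdaction=clear
    keyexchange=ikev2
    # Pin the proposals instead of inheriting charon's defaults; "!" makes the list
    # strict and order expresses preference. The 3DES / SHA1 / MODP1024 entries exist
    # only for clients still on the original profile - remove them once every profile
    # uses AES-256 / SHA2-256 / DH group 14. The ESP entry with modp2048 lets clients
    # that enable PFS rekey with a fresh DH exchange.
    ike=aes256-sha256-modp2048,3des-sha1-modp1024!
    esp=aes256-sha256-modp2048,aes256-sha256,3des-sha1!
    # left = this gateway; 0.0.0.0/0 tunnels all client traffic through it.
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=im.zorro.ipsec.server
    # right = the iOS clients; addresses are handed out from this pool (mirror it in
    # the firewall script's VPN_SUBNET).
    right=%any
    rightsourceip=10.99.1.0/24
    rightauth=eap-mschapv2
    rightid=im.zorro.ipsec.client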
# ipsec.secrets - strongSwan secrets (format: ipsec.secrets(5)).
# Every value below is a plaintext credential: keep the file root-owned, mode 0600,
# and never commit or paste it anywhere (this gist's copies are placeholders).
# Gateway PSK. It must equal SharedSecret in the iOS profile and it is what
# authenticates the gateway to every client, so generate it randomly (for example
# `openssl rand -base64 32`) rather than choosing a phrase.
: PSK yourpresharedkey
# EAP-MSCHAPv2 users, one per line: <AuthName> : EAP "<AuthPassword>".
# MSCHAPv2 needs the password (or, per ipsec.secrets(5), its NT hash, which is
# password-equivalent) on the server, so these cannot be stored as salted hashes.
# Replace "password" with a unique, strong value per user.
u1 : EAP "password"
u2 : EAP "password"
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
#
# Reviewer notes:
# - dns1/dns2 are the resolvers handed to clients (see strongswan.conf(5)); with
#   OverridePrimary=1 in the profile every client DNS query therefore goes to
#   Google Public DNS. Point these at a resolver you control if query privacy
#   matters.
# - load_modular=yes means plugin loading is governed by the per-plugin files in
#   strongswan.d/charon/; disable there any plugin the build enabled but this setup
#   does not use.
charon {
load_modular = yes
dns1 = 8.8.8.8
dns2 = 8.8.4.4
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
@zhovner

zhovner commented Oct 19, 2015

Do you have any problems with LifeTimeInMinutes rekey?

@zqqf16

zqqf16 commented Oct 20, 2015

@zhovner no, the default value seems all right.

@cuitao3000

可以连上VPN, 但是无法打开任何网页,请问可能是什么原因?
谢谢

@zqqf16

zqqf16 commented Jan 5, 2016

@cuitao3000 IP table 配对了?

@lcy4869

lcy4869 commented May 10, 2016

ios leftid填什么?
