Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
sudo apt-get install strongswan libstrongswan-standard-plugins: install strongSwan/etc/ipsec.d/certs: copy <name>.crt from algo-master/configs/<server_ip>/ipsec/.pki/certs/<name>.crt/etc/ipsec.d/private: copy <name>.key from algo-master/configs/<server_ip>/ipsec/.pki/private/<name>.key/etc/ipsec.d/cacerts: copy cacert.pem from algo-master/configs/<server_ip>/ipsec/manual/cacert.pem/etc/ipsec.secrets: add your user.key to the list, e.g. <server_ip> : ECDSA <name>.key/etc/ipsec.conf: add the connection from ipsec_user.conf and ensure leftcert matches the <name>.crt filenamesudo ipsec restart: pick up config changessudo ipsec up <conn-name>: start the ipsec tunnelsudo ipsec down <conn-name>: shutdown the ipsec tunnelOne common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to /etc/ipsec.conf:
conn lan-passthrough
leftsubnet=192.168.1.1/24 # Replace with your LAN subnet
rightsubnet=192.168.1.1/24 # Replace with your LAN subnet
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
To configure the connection to come up at boot time replace auto=add with auto=start.
If you use a system with SELinux enabled you might need to set appropriate file contexts:
semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?"
restorecon -R -v $(pwd)
See this comment.