Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
sudo apt-get install strongswan libstrongswan-standard-plugins
: install strongSwan/etc/ipsec.d/certs
: copy <name>.crt
from algo-master/configs/<server_ip>/ipsec/.pki/certs/<name>.crt
/etc/ipsec.d/private
: copy <name>.key
from algo-master/configs/<server_ip>/ipsec/.pki/private/<name>.key
/etc/ipsec.d/cacerts
: copy cacert.pem
from algo-master/configs/<server_ip>/ipsec/manual/cacert.pem
/etc/ipsec.secrets
: add your user.key
to the list, e.g. <server_ip> : ECDSA <name>.key
/etc/ipsec.conf
: add the connection from ipsec_user.conf
and ensure leftcert
matches the <name>.crt
filenamesudo ipsec restart
: pick up config changessudo ipsec up <conn-name>
: start the ipsec tunnelsudo ipsec down <conn-name>
: shutdown the ipsec tunnelOne common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to /etc/ipsec.conf
:
conn lan-passthrough
leftsubnet=192.168.1.1/24 # Replace with your LAN subnet
rightsubnet=192.168.1.1/24 # Replace with your LAN subnet
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
To configure the connection to come up at boot time replace auto=add
with auto=start
.
If you use a system with SELinux enabled you might need to set appropriate file contexts:
semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?"
restorecon -R -v $(pwd)
See this comment.