Install strongSwan, then copy the included `ipsec_user.conf`, `ipsec_user.secrets`, `user.crt` (user certificate) and `user.key` (private key) to your client device. They will need customization for your exact use case; they were originally generated with a point-to-point OpenWRT-based VPN in mind.
- `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan
- `/etc/ipsec.secrets`: add your `user.key` to the list, e.g.
  `<server_ip> : ECDSA <name>.key`
  (a relative key path is looked up under `/etc/ipsec.d/private/`; keep both the key file and `ipsec.secrets` readable by root only)
- `/etc/ipsec.conf`: add the connection from `ipsec_user.conf`
- `sudo ipsec restart`: pick up config changes
- `sudo ipsec up <conn-name>`: start the ipsec tunnel
- `sudo ipsec down <conn-name>`: shut down the ipsec tunnel
One common use case is to let your machine keep reaching its local LAN without going through the VPN. Set up a passthrough connection by adding the following to `/etc/ipsec.conf`:

```
conn lan-passthrough
    leftsubnet=192.168.1.1/24    # Replace with your LAN subnet
    rightsubnet=192.168.1.1/24   # Replace with your LAN subnet
    authby=never                 # No authentication necessary
    type=pass                    # passthrough: matching traffic bypasses IPsec
    auto=route                   # policy installed at startup; no need to ipsec up lan-passthrough
```

Keep the subnet no wider than your actual LAN: `type=pass` is a bypass policy, so anything it matches is sent outside the tunnel, in the clear.
To configure the connection to come up at boot time replace
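The steps above (staging the certificate and key, registering the key in `ipsec.secrets`, and writing the passthrough block) can be rehearsed against a scratch directory before touching the real `/etc`. The script below is an added example, not part of this repository; it assumes the file names `user.crt` / `user.key`, an identity name you pass in, and a `ROOT` prefix (empty for the live system). It also normalizes the LAN subnet to its network address and rejects malformed input, since a typo in a `type=pass` selector widens what bypasses the tunnel. It writes the key line without the leading selector, which strongSwan does not require for a private key entry.

```sh
#!/bin/sh
# Added example (not from the original repository): rehearse the strongSwan
# client setup against a scratch root.  The names user.crt / user.key, the
# identity name and the ROOT prefix are assumptions of this example.
set -eu

# Normalize a dotted-quad CIDR to its network address, e.g.
# 192.168.1.1/24 -> 192.168.1.0/24, and reject anything malformed.
normalize_cidr() {
    cidr=$1
    ip=${cidr%/*}
    bits=${cidr#*/}
    [ "$ip" != "$cidr" ] || { echo "not a CIDR: $cidr" >&2; return 1; }
    case "$bits" in 0|[1-9]|[1-9][0-9]) ;; *) echo "bad prefix: $cidr" >&2; return 1 ;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix: $cidr" >&2; return 1; }
    saved_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$saved_ifs
    [ $# -eq 4 ] || { echo "bad address: $cidr" >&2; return 1; }
    for octet in "$@"; do
        # digits only, no leading zeros (they would be read as octal)
        case "$octet" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) echo "bad address: $cidr" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "bad address: $cidr" >&2; return 1; }
    done
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# Render the lan-passthrough block for a LAN subnet (fails on bad input).
passthrough_conn() {
    subnet=$(normalize_cidr "$1") || return 1
    cat <<EOF
conn lan-passthrough
    leftsubnet=$subnet
    rightsubnet=$subnet
    authby=never
    type=pass
    auto=route
EOF
}

# Stage cert and key where strongSwan looks for them and register the key.
# ROOT: scratch prefix ("" for the real system); SRC: directory holding the
# copied files; NAME: identity the files are stored under.
stage_client() {
    root=$1 src=$2 name=$3
    install -d -m 755 "$root/etc/ipsec.d/certs"
    install -d -m 700 "$root/etc/ipsec.d/private"
    install -m 644 "$src/user.crt" "$root/etc/ipsec.d/certs/$name.crt"
    install -m 600 "$src/user.key" "$root/etc/ipsec.d/private/$name.key"
    # A relative key path in ipsec.secrets resolves under /etc/ipsec.d/private.
    # Append only if the line is not already present, so reruns are safe.
    touch "$root/etc/ipsec.secrets"
    chmod 600 "$root/etc/ipsec.secrets"
    grep -qx ": ECDSA $name.key" "$root/etc/ipsec.secrets" \
        || printf ': ECDSA %s.key\n' "$name" >> "$root/etc/ipsec.secrets"
}
```

For a dry run, source the file and call `stage_client /tmp/scratch . alice` and `passthrough_conn 192.168.1.1/24`; for the live system, use `stage_client "" . alice` and append the rendered block to `/etc/ipsec.conf` before `sudo ipsec restart`.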
If you use a system with SELinux enabled you might need to set appropriate file contexts on the directory holding the key files (run from that directory):

```
semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?"
restorecon -R -v "$(pwd)"
```
See this comment.