Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan
2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.crt`
3. `/etc/ipsec.d/private`: copy `<name>.key` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.key`
4. `/etc/ipsec.d/cacerts`: copy `cacert.pem` from `algo-master/configs/<server_ip>/ipsec/manual/cacert.pem`
5. `/etc/ipsec.secrets`: add your user.key to the list, e.g. `<server_ip> : ECDSA <name>.key`
6. `/etc/ipsec.conf`: add the connection from `ipsec_user.conf` and ensure `leftcert` matches the `<name>.crt` filename
7. `sudo ipsec restart`: pick up config changes
8. `sudo ipsec up <conn-name>`: start the ipsec tunnel
9. `sudo ipsec down <conn-name>`: shut down the ipsec tunnel
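The file placement in steps 2 to 6 is where most client setups go wrong (a key left world-readable, a missing secrets entry, or a `leftcert` that names a certificate that was never copied into `certs/`). The script below is an added example, not part of the Algo project or of the strongSwan tooling: it stages the files into an `ipsec.d` tree under a root directory of your choosing and then checks that every `leftcert=` in `ipsec.conf` points at an installed certificate. The function names (`install_algo_client`, `check_leftcert`, `demo`) and the placeholder certificate contents in `demo` are assumptions made for this example; on a real client the root argument is `/` and the source directory is Algo's `manual` directory.

```shell
#!/bin/sh
# Added example (not Algo's own code). Stages strongSwan client files from an
# Algo "manual" directory into $root/etc/ipsec.d and appends the secrets entry
# and connection definition, then checks leftcert against the installed certs.
#
# install_algo_client <src_dir> <root> <name> <server_ip>
#   src_dir   directory holding <name>.crt, <name>.key, cacert.pem, ipsec_user.conf
#   root      "/" on a real client; any scratch directory when testing
install_algo_client() {
    src="$1"; root="$2"; name="$3"; server_ip="$4"
    mkdir -p "$root/etc/ipsec.d/certs" "$root/etc/ipsec.d/private" "$root/etc/ipsec.d/cacerts"
    cp "$src/$name.crt"   "$root/etc/ipsec.d/certs/"
    cp "$src/$name.key"   "$root/etc/ipsec.d/private/"
    cp "$src/cacert.pem"  "$root/etc/ipsec.d/cacerts/"
    # the private key must not be readable by other local users
    chmod 600 "$root/etc/ipsec.d/private/$name.key"
    # secrets line in the form "<server_ip> : ECDSA <name>.key"; skip if already present
    grep -qs "ECDSA $name.key" "$root/etc/ipsec.secrets" ||
        printf '%s : ECDSA %s.key\n' "$server_ip" "$name" >> "$root/etc/ipsec.secrets"
    # append the connection block generated by Algo
    cat "$src/ipsec_user.conf" >> "$root/etc/ipsec.conf"
}

# check_leftcert <root>: returns 0 when every leftcert= value in ipsec.conf
# names a file in certs/, 1 otherwise (each missing one is reported on stderr)
check_leftcert() {
    root="$1"; rc=0
    for cert in $(sed -n 's/^[[:space:]]*leftcert=\([^[:space:]#]*\).*$/\1/p' "$root/etc/ipsec.conf"); do
        [ -f "$root/etc/ipsec.d/certs/$cert" ] || {
            echo "leftcert=$cert has no matching file in $root/etc/ipsec.d/certs" >&2
            rc=1
        }
    done
    return $rc
}

# demo: runs the whole procedure against constructed placeholder files in a
# temporary directory (no real keys, no real strongSwan), returns 0 on success
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src"
    printf 'placeholder certificate\n' > "$t/src/alice.crt"   # constructed
    printf 'placeholder private key\n' > "$t/src/alice.key"   # constructed
    printf 'placeholder CA\n'          > "$t/src/cacert.pem"  # constructed
    printf 'conn algo\n    leftcert=alice.crt\n    auto=add\n' > "$t/src/ipsec_user.conf"
    install_algo_client "$t/src" "$t/root" alice 203.0.113.10 || return 1
    check_leftcert "$t/root"
}
```

Run `demo` to see the layout it produces under a temporary directory; for a real client call `install_algo_client` with `/` as the root and then `check_leftcert /` before `sudo ipsec restart`, so a `leftcert` mismatch is caught before strongSwan reports an authentication failure.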
One common use case is to let your server access your local LAN without going through the VPN. Set up a passthrough connection by adding the following to `/etc/ipsec.conf`:

    conn lan-passthrough
    leftsubnet=192.168.1.1/24 # Replace with your LAN subnet
    rightsubnet=192.168.1.1/24 # Replace with your LAN subnet
    authby=never # No authentication necessary
    type=pass # passthrough
    auto=route # no need to ipsec up lan-passthrough
To configure the connection to come up at boot time, replace `auto=add` with `auto=start`.
If you use a system with SELinux enabled you might need to set appropriate file contexts:

    semanage fcontext -a -t ipsec_key_file_t "$(pwd)(/.*)?"
    restorecon -R -v $(pwd)
See this comment.