<!DOCTYPE html>
<html lang="en-US" prefix="og: http://ogp.me/ns#">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width" />
<title>strongSwan 5: How to create your own private VPN | Zeitgeist</title>
<link rel="profile" href="http://gmpg.org/xfn/11" />
<!-- This site is optimized with the Yoast SEO plugin v2.3.5 - https://yoast.com/wordpress/plugins/seo/ -->
<meta name="description" content="A step by step guide on how to install strongSwan 5 VPN, allowing you to stop eavesdroppers and to bypass geo-restrictions."/>
<link rel="canonical" href="index.html" />
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="article" />
<meta property="og:title" content="strongSwan 5: How to create your own private VPN | Zeitgeist" />
<meta property="og:description" content="A step by step guide on how to install strongSwan 5 VPN, allowing you to stop eavesdroppers and to bypass geo-restrictions." />
<meta property="og:url" content="https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/" />
<meta property="og:site_name" content="Zeitgeist" />
<meta property="article:tag" content="certificates" />
<meta property="article:tag" content="ipsec" />
<meta property="article:tag" content="strongswan" />
<meta property="article:tag" content="vpn" />
<meta property="article:section" content="Linux" />
<meta property="article:published_time" content="2013-11-22T15:41:41+00:00" />
<meta property="article:modified_time" content="2014-11-02T11:32:38+00:00" />
<meta property="og:updated_time" content="2014-11-02T11:32:38+00:00" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:description" content="A step by step guide on how to install strongSwan 5 VPN, allowing you to stop eavesdroppers and to bypass geo-restrictions."/>
<meta name="twitter:title" content="strongSwan 5: How to create your own private VPN | Zeitgeist"/>
<meta name="twitter:site" content="@zeitgeistse"/>
<meta name="twitter:domain" content="Zeitgeist"/>
<meta name="twitter:creator" content="@zeitgeistse"/>
<!-- / Yoast SEO plugin. -->
<link rel='stylesheet' id='prismjs-css' href='../../../../../cdn.zeitgeist.se/wp-content/plugins/mr-prism/lib/prism.css' type='text/css' media='all' />
<link rel='stylesheet' id='aldus-style-css' href='../../../../../cdn.zeitgeist.se/wp-content/themes/aldus/style.css' type='text/css' media='all' />
<link rel='stylesheet' id='aldus-fonts-css' href='../../../../../fonts.googleapis.com/css?family=Lora:400,700,400italic,700italic&amp;subset=latin' type='text/css' media='all' />
</head>
<body class="single single-post postid-4 single-format-standard">
<div id="page" class="hfeed site">
<div id="main" class="site-main">
<div id="primary" class="content-area">
<div id="content" class="site-content" role="main">
<article id="post-4" class="post-4 post type-post status-publish format-standard hentry category-linux category-security tag-certificates tag-ipsec tag-strongswan tag-vpn">
<header class="entry-header">
<h1 class="entry-title"><a href="index.html" rel="bookmark">strongSwan 5: How to create your own private VPN</a></h1>
</header><!-- .entry-header -->
<div class="entry-content">
<p><em><strong>Update 04/20/2014:</strong> Adjusted to take into account the modular configuration layout introduced in strongSwan 5.1.2. Tweaked cipher settings to provide perfect forward secrecy if <a title="IPSec Fail: Perfect Forward Secrecy, Where Art Thou?" href="https://www.zeitgeist.se/2014/04/18/ipsec-fail-perfect-forward-secrecy-where-art-thou/">supported by the client</a>.</em></p>
<p>This article is a step by step guide on how to prepare strongSwan 5 to run your own private VPN, allowing you to stop snoopers on the path between you and your server from spying on your online activities, to bypass geo-restrictions, and to circumvent overzealous firewalls. Keep in mind what a VPN does not do: your traffic leaves the VPN host exactly as it would leave any other machine, so the server (and whoever can observe its network) still sees it, and a client that does not verify the server's certificate gets no protection at all.</p>
<p><span id="more-4"></span></p>
<p><a title="Strongswan Website" href="http://www.strongswan.org/" target="_blank">strongSwan</a> is a modern and complete IPsec implementation with full support for IKEv1 and IKEv2. It&#8217;s natively supported by most modern clients, including Linux, Windows 7, Apple iOS, Mac OSX, FreeBSD and BlackBerry OS.</p>
<p>If you wonder why I chose strongSwan over Openswan, check out <a title="strongSwan versus Openswan" href="https://lists.strongswan.org/pipermail/users/2010-September/000745.html" target="_blank">this post</a> from strongSwan maintainer Prof. Andreas Steffen (yes, it&#8217;s biased and dated, but I find it convincing nonetheless).</p>
<p>Throughout this post I assume that you&#8217;re using Debian Wheezy. If you don&#8217;t &#8211; don&#8217;t worry. It should be easy to follow the guide even if you favor another Linux distribution.</p>
<h3>Installation</h3>
<p>Debian Wheezy ships with strongSwan 4.5.2. I prefer strongSwan 5, the new mainline branch, which <a title="Bye Bye Pluto!" href="http://www.strongswan.org/blog/2012/06/20/bye-bye-pluto.html" target="_blank">got rid of Pluto</a> in favor of a single daemon, charon, to handle both IKEv1 and IKEv2. Instead of installing from source, let&#8217;s get a copy from <a title="Debian Backports" href="http://backports.debian.org/" target="_blank">wheezy-backports</a>, which includes strongSwan 5.1.2 from Debian testing recompiled for Wheezy.</p>
<h4>Add wheezy-backports to your APT repository</h4>
<pre><code class="language-bash">$ echo "deb http://ftp.debian.org/debian wheezy-backports main" \
&gt; /etc/apt/sources.list.d/wheezy-backports.list
$ apt-get update</code></pre>
<h4>Install strongSwan</h4>
<pre><code class="language-bash">$ apt-get -t wheezy-backports install strongswan libcharon-extra-plugins</code></pre>
<p>This installs the strongSwan package along with its dependencies (there are only a few). To determine that you&#8217;re running the right version, do:</p>
<pre><code class="language-bash">$ ipsec version</code></pre>
<p>Output:</p>
<pre><code class="language-bash">Linux strongSwan U5.1.2/K3.2.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.</code></pre>
<p>Excellent &#8211; you&#8217;re now running strongSwan 5.1.2 on Linux kernel 3.2.0.</p>
<h3>Certificate generation</h3>
<h4>Create your certification authority (CA)</h4>
<p>The first step is to generate the X.509 certificates, including a certificate authority (CA), a server certificate, and at least one client certificate.</p>
<p>Let&#8217;s start by creating a self-signed root CA certificate.</p>
<pre class="line-numbers"><code class="language-bash">$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 4096 \
--outform pem \
&gt; private/strongswanKey.pem
$ chmod 600 private/strongswanKey.pem
$ ipsec pki --self --ca --lifetime 3650 \
--in private/strongswanKey.pem --type rsa \
--dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
--outform pem \
&gt; cacerts/strongswanCert.pem</code></pre>
<p>The result is a 4096 bit RSA private key <code class="language-bash">strongswanKey.pem</code> (line 4) and a self-signed CA certificate <code class="language-bash">strongswanCert.pem</code> (line 10) with a validity of 10 years (3650 days). The files are stored in PEM encoded format (I prefer working with PEM over binary DER, the strongSwan default). Note that the shell redirection on line 4 creates the key file with your current umask before the <code class="language-bash">chmod</code> on line 5 tightens it; run <code class="language-bash">umask 077</code> first if the file should never be readable by anyone but root, not even briefly.</p>
<p>You can change the Distinguished Name (DN) to more relevant values for country (C), organization (O), and common name (CN), but you don&#8217;t have to.</p>
<p>To list the properties of your newly generated certificate, type in the following command:</p>
<pre><code class="language-bash">$ ipsec pki --print --in cacerts/strongswanCert.pem</code></pre>
<p>Output:</p>
<pre><code class="language-bash">cert: X509
subject: "C=CH, O=strongSwan, CN=strongSwan Root CA"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity: not before Nov 22 11:55:41 2013, ok
not after Nov 20 11:55:41 2023, ok (expires in 3649 days)
serial: 65:39:93:df:a0:f8:40:03
flags: CA CRLSign self-signed
authkeyId: 45:30:11:da:a4:0e:0b:0a:a3:41:a5:81:41:ab:d8:04:7a:40:6c:c0
subjkeyId: 45:30:11:da:a4:0e:0b:0a:a3:41:a5:81:41:ab:d8:04:7a:40:6c:c0
pubkey: RSA 4096 bits
keyid: dc:15:91:95:04:07:a5:13:69:5f:77:65:26:d7:02:3f:60:ec:73:c8
subjkey: 45:30:11:da:a4:0e:0b:0a:a3:41:a5:81:41:ab:d8:04:7a:40:6c:c0</code></pre>
<h4>Create your VPN host certificate</h4>
<pre class="line-numbers"><code class="language-bash">$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 2048 \
--outform pem \
&gt; private/vpnHostKey.pem
$ chmod 600 private/vpnHostKey.pem
$ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=vpn.zeitgeist.se" \
--san vpn.zeitgeist.se \
--flag serverAuth --flag ikeIntermediate \
--outform pem &gt; certs/vpnHostCert.pem</code></pre>
<p>The result is a 2048 bit RSA private key <code class="language-bash">vpnHostKey.pem</code> (line 4). In line 6 we extract its public key and pipe it over to issue <code class="language-bash">vpnHostCert.pem</code> (line 13), a host certificate signed by your CA. The certificate has a validity of two years (730 days). It identifies the VPN host by its Fully Qualified Domain Name (FQDN) (here: vpn.zeitgeist.se).</p>
<p><strong>Important</strong>: The domain name or IP address of your VPN server, which is later entered in the client's connection properties, <strong>MUST</strong> be contained in the host certificate, either in the <em>subject Distinguished Name</em> (here in CN, line 10) and/or in a <em>subject Alternative Name</em> (line 11). Include it in both: current clients match the server identity against the subject Alternative Names and may not fall back to the CN. If your clients will connect by IP address, pass that address to <code class="language-bash">--san</code> as well. Make sure both times to replace vpn.zeitgeist.se with your VPN's hostname – or else the connection between client and server will fail!</p>
<p><strong>Important: </strong>If you&#8217;re going to use the built-in VPN client of Windows 7, you <b>MUST</b> add the serverAuth extended key usage flag to your host certificate as shown above, or the client will refuse to connect.  In addition, OS X 10.7.3 or older requires the ikeIntermediate flag, which we also added here. Since the addition of these two flags probably won&#8217;t hurt anyone (as far as I know), you should make sure you keep them there.</p>
<p>Let&#8217;s take a look at the properties of our newly generated certificate.</p>
<pre><code class="language-bash">$ ipsec pki --print --in certs/vpnHostCert.pem</code></pre>
<p>Output:</p>
<pre><code class="language-bash">cert: X509
subject: "C=CH, O=strongSwan, CN=vpn.zeitgeist.se"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity: not before Nov 22 21:16:51 2013, ok
not after Nov 22 21:16:51 2015, ok (expires in 729 days)
serial: 0c:05:d7:d5:57:0e:d9:48
altNames: vpn.zeitgeist.se
flags: serverAuth iKEIntermediate
authkeyId: 9b:57:35:fb:cd:9e:2d:20:37:1d:61:4c:e7:c4:5b:5e:dc:64:ad:fc
subjkeyId: 5f:12:c2:06:ee:2b:1e:cc:5f:78:54:ff:f0:f3:7b:a0:2b:c0:b4:d6
pubkey: RSA 2048 bits
keyid: 6f:a7:99:60:27:27:09:96:02:c1:b9:d9:7d:c1:b0:10:e3:e1:d5:45
subjkey: 5f:12:c2:06:ee:2b:1e:cc:5f:78:54:ff:f0:f3:7b:a0:2b:c0:b4:d6</code></pre>
<h4>Create a client certificate</h4>
<p>Any client will require a personal certificate in order to use the VPN. The process is analogous to generating a host certificate, except that we identify a client certificate by the client&#8217;s e-mail address rather than a hostname.</p>
<pre class="line-numbers"><code class="language-bash">$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 2048 \
--outform pem \
&gt; private/AlexanderKey.pem
$ chmod 600 private/AlexanderKey.pem
$ ipsec pki --pub --in private/AlexanderKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=alexander@zeitgeist.se" \
--san alexander@zeitgeist.se \
--outform pem &gt; certs/AlexanderCert.pem</code></pre>
<p>The result is a 2048 bit RSA private key <code class="language-bash">AlexanderKey.pem</code> (line 4). In line 6 we extract its public key and pipe it over to issue <code class="language-bash">AlexanderCert.pem</code> (line 12), the first client certificate signed by your CA. The certificate has a validity of two years (730 days) and identifies the client by his e-mail address (here: alexander@zeitgeist.se).</p>
<h4>Export client certificate as a PKCS#12 file</h4>
<p>A VPN client needs a client certificate, its private key, and the signing CA certificate. The most convenient way is to bundle everything in a single PKCS#12 file protected by an export passphrase (openssl will prompt for it). Pick a strong passphrase: the file contains the client's private key, and anyone who obtains the file and guesses the passphrase can connect to your VPN as that client.</p>
<pre><code class="language-bash">$ cd /etc/ipsec.d/
$ openssl pkcs12 -export -inkey private/AlexanderKey.pem \
-in certs/AlexanderCert.pem -name "Alexander's VPN Certificate" \
-certfile cacerts/strongswanCert.pem \
-caname "strongSwan Root CA" \
-out Alexander.p12</code></pre>
<p>Now you can send Alexander.p12 to the person who's going to install it onto the client. Hand over the export passphrase through a different channel than the file itself (in person, by phone, or at least in a separate message), so that an intercepted e-mail does not yield both the key and the means to unlock it. In some cases (iOS for example) you have to separately include the CA certificate <code class="language-bash">cacerts/strongswanCert.pem</code>.</p>
<h4>Revoke a certificate (if necessary)</h4>
<p>If a certificate is lost or stolen, it must be revoked so nobody can use it to connect to your VPN server. Assuming the certificate from the previous step got stolen, we revoke it with:</p>
<pre class="line-numbers"><code class="language-bash">$ cd /etc/ipsec.d/
$ ipsec pki --signcrl --reason key-compromise \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--cert certs/AlexanderCert.pem \
--outform pem &gt; crls/crl.pem</code></pre>
<p>This generates the new certificate revocation list (CRL) crls/crl.pem. charon loads the crls directory when it starts, so with a running daemon run <code class="language-bash">ipsec rereadcrls</code> (or restart strongSwan) after every change. Two caveats: the CRL carries its own expiry date (see the <code class="language-bash">--lifetime</code> option of <code class="language-bash">pki --signcrl</code>) and must be re-signed before then, and with strongSwan's default <code class="language-bash">strictcrlpolicy=no</code> a certificate is still accepted when no valid CRL is available. If you rely on revocation, set <code class="language-bash">strictcrlpolicy=yes</code> in the <code class="language-bash">config setup</code> section of ipsec.conf. Once the list is in effect and someone tries to authenticate with the stolen certificate, he'll receive an authentication credentials error message, and your log file will contain something like:</p>
<pre><code class="language-bash">charon: 13[CFG] certificate was revoked
on Nov 24 17:34:40 UTC 2013, reason: key compromise</code></pre>
<p>To add another revoked certificate to the same list, we need to copy the existing list into a temporary file:</p>
<pre class="line-numbers"><code class="language-bash">$ cd /etc/ipsec.d/
$ cp crls/crl.pem crl.pem.tmp
$ ipsec pki --signcrl --reason key-compromise \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--cert certs/AnotherStolenCert.pem \
--lastcrl crl.pem.tmp \
--outform pem &gt; crls/crl.pem
$ rm crl.pem.tmp</code></pre>
<h4>Certificates &#8211; Recap</h4>
<p>So far you&#8217;ve created the following files:</p>
<pre><code class="language-bash">/etc/ipsec.d/private/strongswanKey.pem # CA private key
/etc/ipsec.d/cacerts/strongswanCert.pem # CA certificate
/etc/ipsec.d/private/vpnHostKey.pem # VPN host private key
/etc/ipsec.d/certs/vpnHostCert.pem # VPN host certificate
/etc/ipsec.d/private/AlexanderKey.pem # Client "Alexander" private key
/etc/ipsec.d/certs/AlexanderCert.pem # Client "Alexander" certificate
/etc/ipsec.d/Alexander.p12 # Client "Alexander" PKCS#12 file</code></pre>
<p>The private key <code class="language-bash">/etc/ipsec.d/private/strongswanKey.pem</code> of the CA should be <strong>moved somewhere safe</strong>, possibly to a special signing host without access to the Internet. Theft of this master signing key would completely compromise your public key infrastructure. The same goes for the client material: the VPN server never needs the client's private key <code class="language-bash">AlexanderKey.pem</code> or the <code class="language-bash">Alexander.p12</code> bundle to operate (it authenticates clients against the CA certificate and the CRL), so move them off the server together with the CA key, or delete them once the client has imported the PKCS#12 file. Keep the client certificate itself, since the revocation step above refers to it.</p>
<h3>Server configuration</h3>
<p>Only three files are required for your strongSwan configuration:</p>
<ul>
<li><code class="language-bash">/etc/strongswan.conf</code>, which may point to a directory containing further <a title="strongSwan configuration directory" href="http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanDirectory" target="_blank">configuration snippets</a></li>
<li><code class="language-bash">/etc/ipsec.conf</code></li>
<li><code class="language-bash">/etc/ipsec.secrets</code></li>
</ul>
<p>Fortunately, the default strongSwan application configuration works just fine for us. For the purpose of this article there is nothing you need to do here. I invite you though to take a look at the strongSwan Wiki for a <a title="Wiki strongswan.conf" href="http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf" target="_blank">full list of configuration options</a> of strongswan.conf.</p>
<p>Let&#8217;s do the fun stuff. Here is my <code class="language-bash">/etc/ipsec.conf</code> file:</p>
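<pre class="line-numbers"><code class="language-bash"># ipsec.conf - strongSwan IPsec configuration file

config setup
    # uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add</code></pre>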
<p>This configuration has settings for three types of VPN services: IKEv2 + RSA certificate, IKEv2 + EAP, and IKEv1 + Xauth RSA, thus providing compatibility for a wide range of IPsec clients.</p>
<p>Let&#8217;s go briefly over the important items:</p>
<ul>
<li>line 4: (disabled here) by default only one client can connect at the same time with an identical certificate and/or password  combo; the newer connection will always replace the older (in other words, a new connecting client using the same credentials kicks out the older still connected client). If you don&#8217;t like this, for instance because you want to use the same client certificates on multiple clients <em>at the same time</em>, enable this option</li>
<li>line 5: slightly more verbose logging. Very useful for debugging. Check out <a title="Wiki LoggerConfiguration" href="http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" target="_blank">this link</a> for a full list of options.</li>
<li>line 7: individual conn sections inherit the settings from the conn %default section. Put everything in here that you would otherwise have to repeat in the other conn sections. Helps to keep your setting file more concise. The <code class="language-bash">ike=</code> and <code class="language-bash">esp=</code> lines that follow list the allowed proposals in order of preference; the trailing <code class="language-bash">!</code> makes the lists strict so that no default proposals are silently added. The entries using <code class="language-bash">modp1024</code> or <code class="language-bash">sha1</code> are the weakest in the lists and are only there for older clients that offer nothing better – remove them once all your clients negotiate one of the stronger proposals. Also note that <code class="language-bash">rightdns=8.8.8.8,8.8.4.4</code> sends every client's DNS queries to Google; substitute a resolver you trust if that matters to you.</li>
<li>line 21: settings specific to IKEv2 + RSA certificate connections</li>
<li>line 25: settings specific to IKEv2 + EAP connections. EAP-MSCHAPv2 is only as safe as the IKEv2 tunnel around it: a client that accepts any server certificate can be lured into running the MSCHAPv2 exchange with an impostor, which exposes the password to offline cracking. Every EAP client therefore needs your CA certificate installed and must be configured to verify the server's identity, and EAP passwords should be long and random, since the server stores them in plaintext in ipsec.secrets.</li>
<li>line 31: settings specific to IKEv1 + Xauth RSA connections</li>
</ul>
<p>Your best resource for learning more about the available options is the <a title="Wiki IpsecConf" href="http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf" target="_blank">strongSwan Wiki</a>.</p>
<p>For now, if you like to enable your VPN server as quickly as possible, use above configuration as a template; only make sure to modify line 16 leftcert=vpnHostCert.pem to name your host VPN certificate instead. When copying, keep the parameter lines inside each section indented as in the listing – ipsec.conf requires leading whitespace on them, and a copy that lost its indentation will not parse.</p>
<p>Lastly, here is my <code class="language-bash">/etc/ipsec.secrets</code> file:</p>
<pre class="line-numbers"><code class="language-bash"># This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA vpnHostKey.pem
user1 : EAP "topsecretpassword"
user2 : XAUTH "evenmoretopsecretpassword"</code></pre>
<ul>
<li>line 8: identifies the private key of the VPN host to allow your host to authenticate itself with its host certificate</li>
<li>line 9: defines an EAP credential (username / password) that can be used by clients to connect without client certificate</li>
<li>line 10: defines an XAUTH credential (username / password) that is required in addition to a client certificate for IKEv1 + Xauth RSA connections (as used by Apple iOS clients for example)</li>
</ul>
<p><code class="language-bash">/etc/ipsec.secrets</code> holds the EAP and XAUTH passwords in plaintext, so it must be readable by root only (<code class="language-bash">chmod 600 /etc/ipsec.secrets</code>; verify with <code class="language-bash">ls -l</code>). Whenever you edit it while strongSwan is running, you must reload the file:</p>
<pre><code class="language-bash">$ ipsec rereadsecrets</code></pre>
<p>Once again, the strongSwan Wiki <a title="Wiki IpsecSecrets" href="http://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets" target="_blank">has all the details</a> if you are interested.</p>
<p>You&#8217;re almost done setting up your server. There are a few things left to make your VPN server properly route the VPN tunnel:</p>
<pre class="line-numbers"><code class="language-bash">$ echo 1 &gt; /proc/sys/net/ipv4/ip_forward
$ echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
$ echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects</code></pre>
<p>Or to make it permanent, add the following to your <code class="language-bash">/etc/sysctl.conf</code> file:</p>
<pre class="line-numbers"><code class="language-bash"># VPN
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0</code></pre>
<p>Use the following iptables rule to masquerade the VPN clients' traffic (adjust the interface if yours isn't eth0, and make sure to enter your VPN host IP where indicated). Restrict it to the VPN address pool with <code class="language-bash">-s 172.16.16.0/24</code>, the rightsourceip range from ipsec.conf: with ip_forward enabled, a rule without a source match turns the host into a NAT gateway for any traffic that is routed through it. If you run a restrictive firewall, apply the same restriction in the FORWARD chain.</p>
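<pre class="line-numbers"><code class="language-bash">$ iptables -t nat -A POSTROUTING -s 172.16.16.0/24 -o eth0 ! -p esp \
-j SNAT --to-source &lt;your VPN host IP&gt;</code></pre>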
<p>Speaking of iptables, if you have a restrictive firewall for incoming traffic, don&#8217;t forget to allow IPsec communications. Three rules are required:</p>
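<pre class="line-numbers"><code class="language-bash">$ iptables -A INPUT -p udp --dport 500 -j ACCEPT
$ iptables -A INPUT -p udp --dport 4500 -j ACCEPT
$ iptables -A INPUT -p esp -j ACCEPT</code></pre>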
<ul>
<li>line 1: for ISAKMP (handling of security associations)</li>
<li>line 2: for NAT-T (handling of IPsec between natted devices)</li>
<li>line 3: for ESP payload (the encrypted data packets)</li>
</ul>
<p>That&#8217;s it! Restart strongSwan and your VPN server is ready.</p>
<pre><code class="language-bash">$ service ipsec restart</code></pre>
<h3>Client configuration</h3>
<p>Of course you cannot do anything with it until you've configured your clients. Instead of boring you with dull screenshots, here are the essential strongSwan Wiki articles describing how to configure IPsec clients for popular systems. Of course you can also Google for other howtos since the client configuration is mostly independent from the server software. Whichever guide you follow, make sure the client imports your CA certificate and is set to verify the server certificate against it (and, where the client offers it, to check the server name): a client that accepts any certificate can be intercepted by anyone on the path.</p>
<h4>Windows 7 with IKEv2 + RSA certificate</h4>
<ul>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs" target="_blank">Installing the certificate (client + CA)</a></li>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7Config" target="_blank">Configuring the built-in client</a></li>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect" target="_blank">Starting the VPN connection</a></li>
</ul>
<h4>Windows 7 with IKEv2 + EAP</h4>
<ul>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapCert" target="_blank">Installing the certificate (CA)</a></li>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapConfig" target="_blank">Configuring the build-in client</a></li>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect" target="_blank">Starting the VPN connection</a></li>
</ul>
<h4>Mac OS X / iOS</h4>
<ul>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/MacOSX" target="_blank">IKEv2 (using strongSwan client)</a></li>
<li><a href="http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)" target="_blank">IKEv1 (using native client)</a></li>
</ul>
<h3>Further reading</h3>
<ul>
<li><a title="strongSwan 5 not autostarting on Debian" href="https://www.zeitgeist.se/2013/11/27/strongswan-5-not-autostarting-on-debian/">strongSwan 5 not autostarting on Debian</a></li>
<li><a title="MTU woes in IPsec tunnels and how you can fix it" href="https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/">MTU woes in IPsec tunnels and how you can fix it</a></li>
<li><a title="Reconnect VPN upon resume from sleep (Windows)" href="https://www.zeitgeist.se/2013/12/11/reconnect-vpn-upon-resume-from-sleep-windows/">Reconnect VPN upon resume from sleep (Windows)</a></li>
<li><a title="Finding the optimal NAT Keepalive interval" href="https://www.zeitgeist.se/2013/11/27/the-optimal-nat-keepalive-interval/">Finding the optimal NAT Keepalive interval</a></li>
</ul>
</div><!-- .entry-content -->
<footer class="entry-meta">
<div class="entry-meta-date-links">
<time class="entry-date published" datetime="2013-11-22T15:41:41+00:00">November 22, 2013</time><time class="assistive-text updated" datetime="2014-11-02T11:32:38+00:00">November 2, 2014</time>
<span class="sep"> &#8226; </span>
<span class="author vcard">by <a class="url fn n" href="https://www.zeitgeist.se/author/alexander/" title="View all posts by Alexander Turcic" rel="author">Alexander Turcic</a></span> <span class="sep"> &#8226; </span>
<span class="permalink"><a href="index.html" rel="bookmark">&#8734;</a></span>
</div>
<div class="entry-categories-tags">
<p class="categories">Posted in: <a href="https://www.zeitgeist.se/category/linux/" rel="category tag">Linux</a>, <a href="https://www.zeitgeist.se/category/security/" rel="category tag">Security</a>
<p class="tags">Tagged: <a href="https://www.zeitgeist.se/tag/certificates/" rel="tag">certificates</a>, <a href="https://www.zeitgeist.se/tag/ipsec/" rel="tag">ipsec</a>, <a href="https://www.zeitgeist.se/tag/strongswan/" rel="tag">strongswan</a>, <a href="https://www.zeitgeist.se/tag/vpn/" rel="tag">vpn</a> </div>
</footer><!-- .entry-meta -->
</article><!-- #post-## -->
<div id="comments" class="comments-area">
<h2 class="comments-title">
75 thoughts on &ldquo;<span>strongSwan 5: How to create your own private VPN</span>&rdquo; </h2>
<ol class="comment-list">
<li id="comment-27" class="comment even thread-even depth-1 parent">
<article id="div-comment-27" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Harri</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-27">
<time datetime="2014-02-21T15:16:52+00:00">
February 21, 2014 at 3:16 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Great documentation</p>
<p>About line 5 ipsec.conf: The link doesn&#8217;t seem right. Probably this is better: <a href="http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection" rel="nofollow">http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection</a></p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-28" class="comment byuser comment-author-alexander bypostauthor odd alt depth-2">
<article id="div-comment-28" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-28">
<time datetime="2014-02-21T15:21:18+00:00">
February 21, 2014 at 3:21 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Thanks Harri. Line 5 refers to the &#8220;charondebug&#8221; option, doesn&#8217;t it? I thought the link in the article would be appropriate, since it explains in more detail how to tweak debug output.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=28#respond' onclick='return addComment.moveForm( "div-comment-28", "28", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-29" class="comment even depth-2 parent">
<article id="div-comment-29" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Harri</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-29">
<time datetime="2014-02-21T15:22:54+00:00">
February 21, 2014 at 3:22 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>PS: The link &#8220;full list of configuration options&#8221; should be replaced, not the link pointing to the logger options. Sorry for the confusion.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=29#respond' onclick='return addComment.moveForm( "div-comment-29", "29", "respond", "4" )' aria-label='Reply to Harri'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-30" class="comment byuser comment-author-alexander bypostauthor odd alt depth-3">
<article id="div-comment-30" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-30">
<time datetime="2014-02-21T15:26:50+00:00">
February 21, 2014 at 3:26 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>No problem. 😉 The link refers to the documentation of strongswan.conf. I&#8217;ll edit the text to clarify this. Thanks!</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=30#respond' onclick='return addComment.moveForm( "div-comment-30", "30", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-31" class="comment even thread-odd thread-alt depth-1 parent">
<article id="div-comment-31" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Harri</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-31">
<time datetime="2014-02-21T15:52:36+00:00">
February 21, 2014 at 3:52 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Question about the first iptables line: If I got this correctly, then outgoing traffic except for protocol esp is natted to the external IP address. Why is esp ignored here?</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=31#respond' onclick='return addComment.moveForm( "div-comment-31", "31", "respond", "4" )' aria-label='Reply to Harri'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-32" class="comment byuser comment-author-alexander bypostauthor odd alt depth-2">
<article id="div-comment-32" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-32">
<time datetime="2014-02-21T19:26:12+00:00">
February 21, 2014 at 7:26 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Good question. From my understanding, we should only create a Source NAT for non-ESP traffic that&#8217;s leaving the server. It&#8217;s not needed to masquerade IPsec-encapsulated packets which are sent between the two ends of the tunnel. For example, on the server, once IPsec packets are decapsulated, they will go through iptables anyway (and get mangled accordingly).</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=32#respond' onclick='return addComment.moveForm( "div-comment-32", "32", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-39" class="comment even thread-even depth-1 parent">
<article id="div-comment-39" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Harri</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-39">
<time datetime="2014-03-07T15:01:09+00:00">
March 7, 2014 at 3:01 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Anybody succeeded to setup a client on Linux (using the Network Manager GUI)?</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=39#respond' onclick='return addComment.moveForm( "div-comment-39", "39", "respond", "4" )' aria-label='Reply to Harri'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-41" class="comment byuser comment-author-alexander bypostauthor odd alt depth-2">
<article id="div-comment-41" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-41">
<time datetime="2014-03-07T19:46:48+00:00">
March 7, 2014 at 7:46 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Harri, I am not so much a GUI person, but I tried once using strongSwan with the Ubuntu Network Manager and it worked OK. I remember I had to do some tweaking to the configuration, but as a starting point (if you are using Ubuntu or Debian), you could try it with:</p>
<p>apt-get install network-manager-strongswan</p>
<p>More information over at the strongswan Wiki:</p>
<p><a href="http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager" rel="nofollow">http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager</a></p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=41#respond' onclick='return addComment.moveForm( "div-comment-41", "41", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-42" class="comment even thread-odd thread-alt depth-1">
<article id="div-comment-42" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Tom</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-42">
<time datetime="2014-03-09T23:24:16+00:00">
March 9, 2014 at 11:24 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Thanks for the excellent guide. This works in running an IPsec/IKEv2 vpn connection from a blackberry z10 to my home debian server using the built in blackberry client.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=42#respond' onclick='return addComment.moveForm( "div-comment-42", "42", "respond", "4" )' aria-label='Reply to Tom'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-152" class="comment odd alt thread-even depth-1 parent">
<article id="div-comment-152" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Shandy</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-152">
<time datetime="2014-04-17T09:05:17+00:00">
April 17, 2014 at 9:05 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Excellent! But what should I do when my VPS has only an IPv6 address?<br />
And I do not understand which certificate is meant when I choose the &#8220;IKEv2 + EAP&#8221; option on Windows 8.1. Thank you.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=152#respond' onclick='return addComment.moveForm( "div-comment-152", "152", "respond", "4" )' aria-label='Reply to Shandy'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-235" class="comment byuser comment-author-alexander bypostauthor even depth-2">
<article id="div-comment-235" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-235">
<time datetime="2014-04-27T20:14:02+00:00">
April 27, 2014 at 8:14 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Shandy, I haven&#8217;t tested it with IPv6 yet, but for IKEv2, you could check out the following example provided by the strongSwan folks: <a href="http://www.strongswan.org/uml/testresults/ipv6/rw-ikev2/" rel="nofollow">http://www.strongswan.org/uml/testresults/ipv6/rw-ikev2/</a></p>
<p>Specifically, check out the server configuration (<a href="http://www.strongswan.org/uml/testresults/ipv6/rw-ikev2/moon.ipsec.conf" rel="nofollow">http://www.strongswan.org/uml/testresults/ipv6/rw-ikev2/moon.ipsec.conf</a>) and the setting for leftsubnet.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=235#respond' onclick='return addComment.moveForm( "div-comment-235", "235", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-439" class="comment odd alt thread-odd thread-alt depth-1 parent">
<article id="div-comment-439" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Mack</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-439">
<time datetime="2014-07-17T13:48:49+00:00">
July 17, 2014 at 1:48 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alexander,</p>
<p>Thanks for your tutorial, it&#8217;s very nice. However, is it possible to configure and set up a strongSwan-based L2TP VPN without any certificates, using only username and password, and, for example, FreeRADIUS to manage the users?</p>
<p>I&#8217;ve tried googling for the above, but I can&#8217;t find any tutorials that I can use. Currently Openswan in Debian seems almost &#8220;dead&#8221;.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=439#respond' onclick='return addComment.moveForm( "div-comment-439", "439", "respond", "4" )' aria-label='Reply to Mack'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-442" class="comment byuser comment-author-alexander bypostauthor even depth-2 parent">
<article id="div-comment-442" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-442">
<time datetime="2014-07-17T14:31:32+00:00">
July 17, 2014 at 2:31 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Mack, unfortunately I don&#8217;t have experience with RADIUS, nor with setting up L2TP using strongSwan. Any reason you require L2TP over IPsec in Tunnel Mode with IKEv1 or IKEv2? This tutorial already includes the option to authenticate to the VPN with the EAP-MSCHAPv2 protocol (i.e. without a client certificate).</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=442#respond' onclick='return addComment.moveForm( "div-comment-442", "442", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-446" class="comment odd alt depth-3 parent">
<article id="div-comment-446" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Mack</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-446">
<time datetime="2014-07-18T15:05:31+00:00">
July 18, 2014 at 3:05 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Thank you Alexander.<br />
The reason is to provide multi-platform-friendly support. My friends and family members know very little about VPNs, so the easier the better. However, a combination of Android, iOS, Mac and PC using only the built-in VPN clients would be sufficient. Though MSCHAP is fine on Windows-based systems, in the case of iOS and Android it is not that easy.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=446#respond' onclick='return addComment.moveForm( "div-comment-446", "446", "respond", "4" )' aria-label='Reply to Mack'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-454" class="comment byuser comment-author-alexander bypostauthor even depth-4">
<article id="div-comment-454" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-454">
<time datetime="2014-07-20T16:20:31+00:00">
July 20, 2014 at 4:20 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>You&#8217;re right regarding MSCHAP. I was going to suggest to try adding an entry for authentication with XAuth alone, but it appears that wouldn&#8217;t work well with iOS:</p>
<p><a href="https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)" rel="nofollow">https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)</a></p>
<p>&#8220;Authentication uses XAuth and certificates (authby=xauthrsasig). Authentication without certificates may fail due to an attempt on the iOS side to use aggressive mode.&#8221;</p>
<p>So yes, you may have to use L2TP. If you try further, make sure to compile strongSwan with the nat-transport flag, which is required if either the server or any of your clients is behind a NAT (using L2TP).</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=454#respond' onclick='return addComment.moveForm( "div-comment-454", "454", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-440" class="comment odd alt thread-even depth-1 parent">
<article id="div-comment-440" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Powerkutte</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-440">
<time datetime="2014-07-17T14:17:32+00:00">
July 17, 2014 at 2:17 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi there, when doing<br />
&#8220;Export client certificate as a PKCS#12 file&#8221;<br />
openssl reports<br />
&#8220;unable to load certificates&#8221; but all files exists.</p>
<p>Did I do something wrong, or did you implement a small error I have to find?</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=440#respond' onclick='return addComment.moveForm( "div-comment-440", "440", "respond", "4" )' aria-label='Reply to Powerkutte'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-441" class="comment byuser comment-author-alexander bypostauthor even depth-2">
<article id="div-comment-441" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-441">
<time datetime="2014-07-17T14:25:34+00:00">
July 17, 2014 at 2:25 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi, I am fairly certain that there shouldn&#8217;t be a mistake in regard to exporting the client certificates. Did you make sure to run the command from the right path (cd /etc/ipsec.d/)?</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=441#respond' onclick='return addComment.moveForm( "div-comment-441", "441", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-456" class="comment odd alt thread-odd thread-alt depth-1 parent">
<article id="div-comment-456" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Ali</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-456">
<time datetime="2014-07-21T09:18:04+00:00">
July 21, 2014 at 9:18 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>This output is my ipsec status:<br />
___________________________<br />
Security Associations (1 up, 0 connecting):<br />
moon-sun[1]: ESTABLISHED 6 minutes ago, 10.2.11.177[C=ir, ST=teh, L=teh, O=teh, CN=moon.test.com]&#8230;10.2.11.186[C=ir, ST=esf, L=esf, O=esf, CN=sun.test.com]<br />
moon-sun{1}: INSTALLED, TUNNEL, ESP SPIs: c83fe250_i c1b06439_o<br />
moon-sun{1}: 10.2.11.177/32 === 10.2.11.186/32<br />
___________________________<br />
moon and sun are in the same subnet and Wireshark shows ESP packets being transmitted over this tunnel between moon and sun, but I have no connection.<br />
Any idea? Thanks</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=456#respond' onclick='return addComment.moveForm( "div-comment-456", "456", "respond", "4" )' aria-label='Reply to Ali'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-457" class="comment byuser comment-author-alexander bypostauthor even depth-2">
<article id="div-comment-457" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-457">
<time datetime="2014-07-21T09:43:16+00:00">
July 21, 2014 at 9:43 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Ali, it seems you are using a completely different setup than the one posted in this howto? Your traffic selector is 10.2.11.177/32; if you want all IP traffic to be tunneled via 10.2.11.177, you should define leftsubnet=0.0.0.0/0.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=457#respond' onclick='return addComment.moveForm( "div-comment-457", "457", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-458" class="comment odd alt thread-even depth-1 parent">
<article id="div-comment-458" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Ali</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-458">
<time datetime="2014-07-21T09:55:20+00:00">
July 21, 2014 at 9:55 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>I don&#8217;t know what you mean when you are saying completely different, but if you would like to see my scenario and configurations on both of my servers, I can explain it to you,<br />
I got confused !! </p>
<p>moon &#8212;&#8212; sun<br />
10.2.11.77</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=458#respond' onclick='return addComment.moveForm( "div-comment-458", "458", "respond", "4" )' aria-label='Reply to Ali'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-460" class="comment byuser comment-author-alexander bypostauthor even depth-2">
<article id="div-comment-460" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-460">
<time datetime="2014-07-21T10:05:24+00:00">
July 21, 2014 at 10:05 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Ali, the setup in this howto is meant to work as a &#8220;road warrior&#8221; configuration (dynamic clients connecting to the server and tunneling all Internet traffic through that server).</p>
<p>From your output it appears that you have a completely different scenario, namely a server-to-server or server-to-gateway setup. This is not part of this howto.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=460#respond' onclick='return addComment.moveForm( "div-comment-460", "460", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-459" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-459" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Ali</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-459">
<time datetime="2014-07-21T09:58:21+00:00">
July 21, 2014 at 9:58 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>moon &#8212;&#8212; sun<br />
10.2.11.77 10.2.11.186</p>
<p>Both servers have a certificate from another server (they are RHEL 6.4).</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=459#respond' onclick='return addComment.moveForm( "div-comment-459", "459", "respond", "4" )' aria-label='Reply to Ali'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-461" class="comment even thread-even depth-1">
<article id="div-comment-461" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Ali</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-461">
<time datetime="2014-07-21T10:16:09+00:00">
July 21, 2014 at 10:16 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>ok Alexander, I will welcome you if you either guide me or introduce any site which has correct solution, there are many sites but I cannot believe in their solutions :(((</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=461#respond' onclick='return addComment.moveForm( "div-comment-461", "461", "respond", "4" )' aria-label='Reply to Ali'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-494" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-494" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Chunso</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-494">
<time datetime="2014-08-04T16:48:19+00:00">
August 4, 2014 at 4:48 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>When writing the first iptables command</p>
<p>&#8220;iptables -t nat -A POSTROUTING -o eth1 ! -p esp -j SNAT --to-source &#8221; (eth1 is the correct interface in my case, my IP address is an IPv6 address unfortunately, and I didn&#8217;t make the permanent changes to /etc/sysctl.conf yet, but ran the 3 echo commands instead &#8211; I don&#8217;t know if any of this makes a difference),<br />
I get the following error:</p>
<p>&#8220;iptables v1.4.4 need tcp udp sctp or dccp with port specification&#8221;</p>
<p>Could you please tell me if i did something wrong, or what else to try?<br />
Thanks in advance</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=494#respond' onclick='return addComment.moveForm( "div-comment-494", "494", "respond", "4" )' aria-label='Reply to Chunso'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-1123" class="comment even thread-even depth-1">
<article id="div-comment-1123" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Val</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1123">
<time datetime="2014-10-08T12:42:01+00:00">
October 8, 2014 at 12:42 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Thanks a lot for this splendid article!<br />
I&#8217;ve forked OpenVPN&#8217;s easy-rsa (v3) and added IPsec support into it<br />
<a href="https://github.com/ValdikSS/easy-rsa-ipsec" rel="nofollow">https://github.com/ValdikSS/easy-rsa-ipsec</a><br />
It&#8217;s a lot easier to maintain PKI now.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1123#respond' onclick='return addComment.moveForm( "div-comment-1123", "1123", "respond", "4" )' aria-label='Reply to Val'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-1130" class="comment odd alt thread-odd thread-alt depth-1 parent">
<article id="div-comment-1130" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Crandall</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1130">
<time datetime="2014-10-10T14:31:15+00:00">
October 10, 2014 at 2:31 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi, Alex,<br />
I followed your step by step guide.<br />
Finally I connected to VPN. But there is one problem. I can access google, youtube.<br />
But I can&#8217;t access twitter, facebook and many other sites.<br />
Do you have any suggestions?</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1130#respond' onclick='return addComment.moveForm( "div-comment-1130", "1130", "respond", "4" )' aria-label='Reply to Crandall'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-1131" class="comment byuser comment-author-alexander bypostauthor even depth-2 parent">
<article id="div-comment-1131" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1131">
<time datetime="2014-10-10T14:35:57+00:00">
October 10, 2014 at 2:35 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Crandall,</p>
<p>My guess is it&#8217;s related to IP fragmentation. Check out this post and tell me if it (the iptables rule stated there) solves the issues for you:</p>
<p><a href="https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/" rel="nofollow">https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/</a></p>
<p>Cheers,<br />
Alex</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1131#respond' onclick='return addComment.moveForm( "div-comment-1131", "1131", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-1143" class="comment odd alt depth-3 parent">
<article id="div-comment-1143" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Crandall</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1143">
<time datetime="2014-10-11T14:44:18+00:00">
October 11, 2014 at 2:44 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi, Alex,</p>
<p>Yes, It&#8217;s the IP fragmentation you pointed out.<br />
Thank you for your help.<br />
There is no problem now.<br />
Your site is very useful, I bookmarked for future reference.. <img src="../../../../../cdn.zeitgeist.se/wp-includes/images/smilies/simple-smile.png" alt=":)" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
<p>Thank you !</p>
<p>Best Regards</p>
<p>Cindi</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1143#respond' onclick='return addComment.moveForm( "div-comment-1143", "1143", "respond", "4" )' aria-label='Reply to Crandall'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-1144" class="comment byuser comment-author-alexander bypostauthor even depth-4">
<article id="div-comment-1144" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1144">
<time datetime="2014-10-11T19:28:28+00:00">
October 11, 2014 at 7:28 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Cindy,</p>
<p>Great to hear! </p>
<p>Best,<br />
Alex</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1144#respond' onclick='return addComment.moveForm( "div-comment-1144", "1144", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-1133" class="comment odd alt thread-even depth-1">
<article id="div-comment-1133" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Luca Friedrich</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1133">
<time datetime="2014-10-10T18:36:23+00:00">
October 10, 2014 at 6:36 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alex,<br />
thank you very much for this article. Good tutorials on this topic are rare.</p>
<p>Thanks to you the VPN is working fine now on my iOS devices (except some disconnection issues) but I can&#8217;t get it to work with OS X at all.</p>
<p><a href="http://imgur.com/9hAvYWs" title="client log" rel="nofollow">client log</a><br />
<a href="http://imgur.com/NsTOFWS" title="server log" rel="nofollow">server log</a></p>
<p>Can you tell me what&#8217;s wrong?</p>
<p>Cheers,<br />
Luca</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1133#respond' onclick='return addComment.moveForm( "div-comment-1133", "1133", "respond", "4" )' aria-label='Reply to Luca Friedrich'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-1135" class="comment even thread-odd thread-alt depth-1">
<article id="div-comment-1135" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Luca Friedrich</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1135">
<time datetime="2014-10-10T18:38:14+00:00">
October 10, 2014 at 6:38 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>I meant to add these links.</p>
<p><a href="http://imgur.com/NsTOFWS" rel="nofollow">http://imgur.com/NsTOFWS</a></p>
<p><a href="http://imgur.com/9hAvYWs" rel="nofollow">http://imgur.com/9hAvYWs</a></p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1135#respond' onclick='return addComment.moveForm( "div-comment-1135", "1135", "respond", "4" )' aria-label='Reply to Luca Friedrich'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-1136" class="comment byuser comment-author-alexander bypostauthor odd alt thread-even depth-1 parent">
<article id="div-comment-1136" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1136">
<time datetime="2014-10-10T19:11:47+00:00">
October 10, 2014 at 7:11 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Luca,</p>
<p>I don&#8217;t have much experience setting up a VPN on a Mac, but I do remember when I did it for a friend once, it took me some time to properly add the certificates. Did you install the client certificate, client keyfile and CA certificate via Utilities->Keychain Access in the System Keychain? Also, I remember I had to mark both imported certificates as trusted for all users (basically &#8220;Always trust&#8221; in all settings). For the keyfile make sure to allow all applications to access it (or at least add /usr/sbin/racoon to the list of allowed apps). Then, when you create a &#8220;Cisco VPN&#8221;, you should be able to select the appropriate certificate, and also supply it with the XAUTH password. That was basically the main hurdle I recall.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1136#respond' onclick='return addComment.moveForm( "div-comment-1136", "1136", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-1137" class="comment even depth-2 parent">
<article id="div-comment-1137" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Luca Friedrich</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1137">
<time datetime="2014-10-10T19:59:55+00:00">
October 10, 2014 at 7:59 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Thanks for the fast reply.<br />
It was the keyfile. I set the permissions to &#8220;Allow all applications to access this item&#8221; and it worked!</p>
<p>Thank you so much for the article and your help!<br />
Keep on with the good work.</p>
<p>Cheers,<br />
Luca</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1137#respond' onclick='return addComment.moveForm( "div-comment-1137", "1137", "respond", "4" )' aria-label='Reply to Luca Friedrich'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-1138" class="comment byuser comment-author-alexander bypostauthor odd alt depth-3">
<article id="div-comment-1138" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1138">
<time datetime="2014-10-10T20:05:48+00:00">
October 10, 2014 at 8:05 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Glad to hear that I could help.</p>
<p>Best,<br />
Alex</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1138#respond' onclick='return addComment.moveForm( "div-comment-1138", "1138", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-1205" class="comment even thread-odd thread-alt depth-1 parent">
<article id="div-comment-1205" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Yuri</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1205">
<time datetime="2014-10-18T21:04:44+00:00">
October 18, 2014 at 9:04 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi, Alex!</p>
<p>I tried to install Amazon based VPN using Your How-To but to no avail <img src="../../../../../cdn.zeitgeist.se/wp-includes/images/smilies/frownie.png" alt=":(" class="wp-smiley" style="height: 1em; max-height: 1em;" /><br />
Honestly saying, it&#8217;s a half of true <img src="../../../../../cdn.zeitgeist.se/wp-includes/images/smilies/simple-smile.png" alt=":)" class="wp-smiley" style="height: 1em; max-height: 1em;" /><br />
Well, I generated all certificates with one difference only: I didn&#8217;t use anything like DynDNS, so I use CN=ServerPublicIP, where ServerPublicIP is the public IP of my Amazon instance, something like 54.xxx.xxx.xxx<br />
And I use this ipsec.conf:<br />
conn Road<br />
left=%any<br />
leftauth=pubkey<br />
leftcert=serverCert.pem<br />
leftid="C=US,O=Acme,CN=ServerPublicIP"<br />
leftsubnet=0.0.0.0/0<br />
right=%any<br />
rightsourceip=192.168.2.100/28<br />
rightauth=pubkey<br />
rightcert=My_BB.pem<br />
#rightsendcert=never<br />
rekey=no<br />
auto=add</p>
<p>Then I tried Windows machines (without comment of rightsendcert line) &#8211; works like a charm for Win7 &amp; Win8.1 both, but when I tried Blackberry 10 device (with rightsendcert commented), it doesn&#8217;t work at all and log is:<br />
charon: 08[IKE] ClientPublicIP is initiating an IKE_SA<br />
charon: 08[IKE] local host is behind NAT, sending keep alives<br />
charon: 08[IKE] remote host is behind NAT<br />
charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br />
charon: 08[NET] sending packet: from ServerPrivateIP[500] to ClientPublicIP[500] (308 bytes)<br />
charon: 16[IKE] sending keep alive to ClientPublicIP[500]<br />
charon: 01[JOB] deleting half open IKE_SA after timeout<br />
So, as far as I understand, the Blackberry 10 device totally refuses to send certificates to the server, which is weird, because all certificates are OK (exactly the same ones work for Windows). On the other hand, nothing is wrong with the Blackberry device, because I can establish a VPN using PSK auth with the same server. I couldn&#8217;t find any info about VPN details for Blackberry, so your advice is very important to me.<br />
Thanks in advance</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1205#respond' onclick='return addComment.moveForm( "div-comment-1205", "1205", "respond", "4" )' aria-label='Reply to Yuri'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-6241" class="comment odd alt depth-2">
<article id="div-comment-6241" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Ike</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-6241">
<time datetime="2015-10-24T04:31:00+00:00">
October 24, 2015 at 4:31 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Mr Yuri! I&#8217;m having the same problem with iOS 9:</p>
<p>14[IKE] authentication with RSA signature successful<br />
14[ENC] generating IKE_AUTH response 1<br />
14[NET] sending packet: from &#8230;[4500] to &#8230;[45]]<br />
06[NET] sending packet: from &#8230;[4500] to &#8230;[4500]<br />
15[JOB] deleting half open IKE_SA after timeout<br />
15[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change:<br />
CONNECTING =&gt; DESTROYING</p>
<p>Tried rightsendcert=false (<a href="http://serverfault.com/a/576156" rel="nofollow">http://serverfault.com/a/576156</a>)<br />
Tried fragmentation=yes (<a href="https://wiki.strongswan.org/issues/775" rel="nofollow">https://wiki.strongswan.org/issues/775</a>)</p>
<p>But it manifests for both Hostname config and IP certificate config.<br />
So at least that issue probably isn&#8217;t related to DNS hostname vs IP.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=6241#respond' onclick='return addComment.moveForm( "div-comment-6241", "6241", "respond", "4" )' aria-label='Reply to Ike'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-1289" class="comment even thread-even depth-1 parent">
<article id="div-comment-1289" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Omer Naeem</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1289">
<time datetime="2014-10-26T04:50:42+00:00">
October 26, 2014 at 4:50 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hey awesome guide Alex !</p>
<p>When I restart IPSec I get this</p>
<p>Starting strongSwan 5.2.0 IPsec [starter]&#8230;<br />
no netkey IPsec stack detected<br />
no KLIPS IPsec stack detected<br />
no known IPsec stack detected, ignoring!<br />
. ok</p>
<p>is this supposed to be like this ?</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1289#respond' onclick='return addComment.moveForm( "div-comment-1289", "1289", "respond", "4" )' aria-label='Reply to Omer Naeem'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-1293" class="comment byuser comment-author-alexander bypostauthor odd alt depth-2">
<article id="div-comment-1293" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1293">
<time datetime="2014-10-26T17:24:58+00:00">
October 26, 2014 at 5:24 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Omer,</p>
<p>Not really. 😉 Does it work at all, though? By any chance, are you running strongSwan on an OpenVZ VPS or something similar? It seems you are missing access to the necessary IPsec kernel modules. If you are on an OpenVZ VPS, your hoster needs to enable them. See here for more: <a href="http://openvz.org/IPsec" rel="nofollow">http://openvz.org/IPsec</a></p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1293#respond' onclick='return addComment.moveForm( "div-comment-1293", "1293", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-1456" class="comment even depth-2">
<article id="div-comment-1456" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Val</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-1456">
<time datetime="2014-11-02T15:46:21+00:00">
November 2, 2014 at 3:46 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>You can enable IPsec support in OpenVZ, but the routing is broken. This is an OpenVZ kernel issue. You would be able to ping internal IPs and interfaces, but if you want to do routing or NAT, you won&#8217;t get any packets.</p>
<p>You can use strongSwan&#8217;s userspace IPsec implementation; just compile strongSwan with --enable-kernel-libipsec</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=1456#respond' onclick='return addComment.moveForm( "div-comment-1456", "1456", "respond", "4" )' aria-label='Reply to Val'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-3067" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-3067" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Jost</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3067">
<time datetime="2014-12-24T03:56:06+00:00">
December 24, 2014 at 3:56 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello.<br />
I have Strongswan running on a Debian 3.2.0-4.<br />
Server setup:<br />
eth0 with a local IP (192.168.1.12) and router gateway 192.168.1.1 (different Internet from eth1)<br />
eth1 is connected directly to the outside (not the .1.1 router) with a static public ip (for example, 63.12.1.34 &#8211; different Internet from eth0).</p>
<p>I have this conn:<br />
auto=start<br />
type=tunnel<br />
left=63.12.1.34<br />
leftsubnet=192.168.1.12/32<br />
leftnexthop=%defaultroute<br />
right=4.8.12.13<br />
rightsubnet=172.2.2.0/27<br />
rightnexthop=%defaultroute</p>
<p>The connection establishes, I can ssh to the right site, but after a few seconds ssh session keeps freezing. Any idea what the problem could be?</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=3067#respond' onclick='return addComment.moveForm( "div-comment-3067", "3067", "respond", "4" )' aria-label='Reply to Jost'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-3327" class="comment even thread-even depth-1">
<article id="div-comment-3327" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Dorian</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3327">
<time datetime="2015-01-02T18:07:25+00:00">
January 2, 2015 at 6:07 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>I want to thank you for making this guide available. It is very straightforward and gives first-time installers the confidence required to try new solutions. I would like to see us creating some sort of &#8220;go-to&#8221; forum for StrongSwan; I think it would be fun and very helpful. Thank you.</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=3327#respond' onclick='return addComment.moveForm( "div-comment-3327", "3327", "respond", "4" )' aria-label='Reply to Dorian'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-3376" class="comment odd alt thread-odd thread-alt depth-1 parent">
<article id="div-comment-3376" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Bert</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3376">
<time datetime="2015-01-04T20:24:17+00:00">
January 4, 2015 at 8:24 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alexander,</p>
<p>Looks like a formidable tutorial. And so many people used it successfully, but for some reason I am already stuck at the first step,<br />
&#8220;Add wheezy-backports to your APT repository&#8221;, does not work.<br />
Could it be that the repository has been moved to another location?<br />
Or any idea what i am doing wrong?</p>
<p>kind regards, Bert</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=3376#respond' onclick='return addComment.moveForm( "div-comment-3376", "3376", "respond", "4" )' aria-label='Reply to Bert'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-3378" class="comment byuser comment-author-alexander bypostauthor even depth-2">
<article id="div-comment-3378" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3378">
<time datetime="2015-01-04T22:00:57+00:00">
January 4, 2015 at 10:00 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Bert,</p>
<p>What is the exact error? wheezy-backports is still current, so it should work. You could also try adding the repo directly to your /etc/apt/sources.list file. You find more detailed information over here: <a href="https://wiki.debian.org/Backports" rel="nofollow">https://wiki.debian.org/Backports</a> (under Using the command line).</p>
<p>Best,<br />
Alex</p>
</div><!-- .comment-content -->
<div class="reply">
<a rel='nofollow' class='comment-reply-link' href='https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/?replytocom=3378#respond' onclick='return addComment.moveForm( "div-comment-3378", "3378", "respond", "4" )' aria-label='Reply to Alexander Turcic'>Reply</a> </div><!-- .reply -->
<div class="edit-link">
</div>
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-3405" class="comment odd alt thread-even depth-1 parent">
<article id="div-comment-3405" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Bert</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3405">
<time datetime="2015-01-05T08:13:59+00:00">
January 5, 2015 at 8:13 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alexander,<br />
Thanks for coming back to my question. I did add the line<br />
deb <a href="http://ftp.debian.org/debian" rel="nofollow">http://ftp.debian.org/debian</a> wheezy-backports main<br />
to the sources.list file and did the apt-get update with this result at the end:</p>
<p>Genegeerd <a href="http://mirrordirector.raspbian.org" rel="nofollow">http://mirrordirector.raspbian.org</a> wheezy/rpi Translation-en<br />
836 B opgehaald in 18s (45 B/s)<br />
W: GPG-fout: <a href="http://ftp.debian.org" rel="nofollow">http://ftp.debian.org</a> wheezy-backports Release: De volgende ondertekeningen konden niet geverifieerd worden omdat de publieke sleutel niet beschikbaar is: NO_PUBKEY 8B48AD6246925553<br />
W: Ophalen van <a href="http://ftp.debian.org/debian/dists/wheezy-backports/./binary-armhf/Packages" rel="nofollow">http://ftp.debian.org/debian/dists/wheezy-backports/./binary-armhf/Packages</a> is mislukt 404 Not Found</p>
<p>E: Some index files failed to download. They have been ignored, or old ones used instead.<br />
root@raspberrypi:~#</p>
<p>And when I, despite the error, try to install according to the next step in the tutorial, I receive the following message:<br />
WAARSCHUWING: De volgende pakketten kunnen niet geauthentificeerd worden:<br />
strongswan-ike strongswan-starter libstrongswan strongswan-libcharon strongswan-charon<br />
libcharon-extra-plugins libstrongswan-standard-plugins strongswan<br />
Wilt u deze pakketten installeren zonder verificatie [j/N]? j</p>
<p>At the end i receive the next message:<br />
[&#8230;.] Restarting strongswan IPsec services: ipsecStopping strongSwan IPsec&#8230;<br />
Illegal instruction<br />
failed!</p>
<p>Btw, it installs strongswan version 5.2.1-4, so that is the version from the normal repository.</p>
<p>root@raspberrypi:~# ipsec version<br />
Linux strongSwan U5.2.1/K3.12.35+<br />
Institute for Internet Technologies and Applications<br />
University of Applied Sciences Rapperswil, Switzerland<br />
See 'ipsec --copyright' for copyright information.<br />
root@raspberrypi:~#</p>
<p>This is the content of my sources.list:<br />
deb <a href="http://mirrordirector.raspbian.org/raspbian/" rel="nofollow">http://mirrordirector.raspbian.org/raspbian/</a> wheezy main contrib non-free rpi<br />
# Uncomment line below then 'apt-get update' to enable 'apt-get source'<br />
#deb-src <a href="http://mirror.ox.ac.uk/sites/archive.raspbian.org/archive/raspbian/" rel="nofollow">http://mirror.ox.ac.uk/sites/archive.raspbian.org/archive/raspbian/</a> wheezy main contrib non-free rpi<br />
deb <a href="http://ftp.debian.org/debian" rel="nofollow">http://ftp.debian.org/debian</a> wheezy-backports main</p>
<p>Hope you can help me with this.<br />
Regards, Bert</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-3408" class="comment byuser comment-author-alexander bypostauthor even depth-2">
<article id="div-comment-3408" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3408">
<time datetime="2015-01-05T08:49:28+00:00">
January 5, 2015 at 8:49 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Bert, I am not familiar with the Raspberry Pi, but it seems you&#8217;re using an outdated keyring, which is also why apt could not authenticate the packages (fix the keyring rather than installing them unverified). Try to see:</p>
<p># apt-cache policy debian-archive-keyring<br />
# apt-key list</p>
<p>and finally do:</p>
<p># apt-get install debian-archive-keyring<br />
# apt-key update</p>
<p>Then, this error: &#8220;http://ftp.debian.org/debian/dists/wheezy-backports/./binary-armhf/Packages is mislukt 404 Not Found&#8221; seems to indicate that you haven&#8217;t entered the repo correctly in your sources list file. Make sure in the line</p>
<p>deb <a href="http://ftp.debian.org/debian" rel="nofollow">http://ftp.debian.org/debian</a> wheezy-backports main</p>
<p>between wheezy-backports and main there is indeed a space character (not some other invisible character). </p>
<p>If there is still a problem, could you post your /etc/apt/sources.list file here and, if there is anything in it, also the contents of the /etc/apt/sources.list.d directory?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-3406" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-3406" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Bert</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3406">
<time datetime="2015-01-05T08:16:41+00:00">
January 5, 2015 at 8:16 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alexander,<br />
I am running an IPSec VPN server on my Synology NAS, but for security reasons I prefer the VPN endpoint to be on a different hardware platform than my NAS. That is the reason I like the RPi solution.<br />
Bert</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-3485" class="comment even thread-even depth-1">
<article id="div-comment-3485" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Bert</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3485">
<time datetime="2015-01-09T14:26:27+00:00">
January 9, 2015 at 2:26 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alexander and other readers,<br />
I found on another forum that there is a problem with the latest Raspbian images and the StrongSwan package.<br />
So I tried older versions of Debian and the corresponding strongswan package, and that worked!</p>
<p>But I do not like the idea of having a year-old version, so I jumped over to SoftEther VPN, which worked immediately and also seems to have a very nice management package.</p>
<p>I would like to thank you for your help so far.<br />
Kind regards, Bert</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-3525" class="comment odd alt thread-odd thread-alt depth-1 parent">
<article id="div-comment-3525" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Conrad</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3525">
<time datetime="2015-01-12T20:41:29+00:00">
January 12, 2015 at 8:41 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello both,</p>
<p>I just faced the same issue on my RPi. After I first installed the missing GPG key, I installed strongswan from wheezy-backports without any errors.</p>
<p>Now I&#8217;m &#8220;running&#8221; ipsec version:<br />
Linux strongSwan U5.2.1/K3.12.35+</p>
<p>However, when I want to start the ipsec service, I get the Error &#8220;Illegal instruction&#8221;.</p>
<p>Do I need to update other packages? Any advice would be welcome.</p>
<p>BR<br />
Conrad</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-3527" class="comment byuser comment-author-alexander bypostauthor even depth-2 parent">
<article id="div-comment-3527" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3527">
<time datetime="2015-01-12T22:07:11+00:00">
January 12, 2015 at 10:07 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Conrad, &#8220;Illegal instruction&#8221; (SIGILL) doesn&#8217;t sound good&#8230; it&#8217;s most likely related to the package, how it was compiled, and how it is compatible (or not) with your R Pi. Looks like Bert was successful with an older version of Strongswan. You could try installing it from another repository (instead of backports).</p>
<p>Did you try using the official Raspbian repo? It does contain Strongswan 5.2.1, same like Backports at the moment. No idea if it works properly, but you could give it a try. To do that, first remove /etc/apt/sources.list.d/wheezy-backports.list again (unless you know how to do package pinning). Then make sure you have the raspbian repo installed. In /etc/apt/sources.list add:</p>
<p>deb <a href="http://archive.raspbian.org/raspbian" rel="nofollow">http://archive.raspbian.org/raspbian</a> wheezy main contrib non-free<br />
deb-src <a href="http://archive.raspbian.org/raspbian" rel="nofollow">http://archive.raspbian.org/raspbian</a> wheezy main contrib non-free</p>
<p>And make sure you have the public signing key installed as well (it is fetched over plain HTTP here, so compare its fingerprint with one published by Raspbian before trusting it):</p>
<p>wget <a href="http://archive.raspbian.org/raspbian.public.key" rel="nofollow">http://archive.raspbian.org/raspbian.public.key</a> -O - | sudo apt-key add -</p>
<p>Then follow the instruction in this tutorial, starting with:</p>
<p>apt-get install strongswan libcharon-extra-plugins</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-3547" class="comment odd alt depth-3">
<article id="div-comment-3547" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Conrad</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3547">
<time datetime="2015-01-13T12:05:43+00:00">
January 13, 2015 at 12:05 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alexander,</p>
<p>thank you very much for your instant reply. I was able to add the raspbian testing environment and install the packages with:<br />
apt-get -t testing install strongswan libcharon-extra-plugins<br />
Now strongswan 5.2.1 works like a charm on my little pi!</p>
<p>I also wanted to say that I really love this howto.<br />
With your help, I was able to set up a RPi as a VPN machine that is now supporting all my clients [Windows 8.1, Windows Phone 8 (via EAP-TLS) &amp; IOS 8].</p>
<p>May I take the liberty to suggest two more tiny things:<br />
1. I used the option &#8216;--digest sha256&#8217; so the certificates are signed with SHA-256 instead of SHA-1<br />
2. I added &#8216;--flag clientAuth&#8217; to the client certs (e.g. needed for Windows Phone)</p>
<p>Thank you for your help and this great tutorial!</p>
<p>BR<br />
Conrad</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-3722" class="comment even thread-even depth-1">
<article id="div-comment-3722" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">monkey</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3722">
<time datetime="2015-01-25T14:06:47+00:00">
January 25, 2015 at 2:06 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Thanks for your post, this is the most great guide style tutorial to help the new strongswan incomer!</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-3888" class="comment odd alt thread-odd thread-alt depth-1 parent">
<article id="div-comment-3888" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Jelle</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3888">
<time datetime="2015-02-09T11:34:58+00:00">
February 9, 2015 at 11:34 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alexander,</p>
<p>Thanks for the great article, it&#8217;s very understandable. At the point where I want to generate a p12 file from my certificates I get the following error:</p>
<p><code>root@machine:/etc/ipsec.d# openssl pkcs12 -export -inkey private/jelle-laptop-1.pem -in certs/jelle-laptop-1.pem -name "Test" -certfile cacerts/strongswanCert.pem -caname "Test" -out jelle.p12<br />
unable to load certificates</code></p>
<p>I am running Ubuntu 14.04, but managed to install the required packages from the repository. I also noticed my private pem files are text files, while my /etc/ipsec.d/certs files are binary files. Do you know if this is correct?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-3918" class="comment byuser comment-author-alexander bypostauthor even depth-2">
<article id="div-comment-3918" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3918">
<time datetime="2015-02-12T21:10:09+00:00">
February 12, 2015 at 9:10 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Jelly,</p>
<p>It seems like your certificates are in the binary DER form. In the tutorial I assumed that everything is stored in Base64-encoded DER to make the files more portable. </p>
<p>For example, if you go back to the &#8220;Create your VPN host certificate&#8221; section, check where it says &#8211;outform pem > certs/vpnHostCert.pem. The outform parameter specifies the encoded form of the certificate, and it&#8217;s DER by default. So if you forget that part, you will end up with the binaries you&#8217;re seeing. </p>
<p>There is an easy way to convert the certificates into base64-encoded PEMs, with something like:</p>
<p>openssl x509 -inform der -in certificate.crt -out certificate.pem</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-3970" class="comment odd alt thread-even depth-1">
<article id="div-comment-3970" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Halp</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-3970">
<time datetime="2015-02-26T19:23:23+00:00">
February 26, 2015 at 7:23 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello and thanks for the tutorial. I was able to setup strongswan and the certs on my Raspberry Pi, but I have a question:</p>
<p>How can I set my iOS device to use IKEv2 along with VPN On Demand?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-4017" class="comment even thread-odd thread-alt depth-1 parent">
<article id="div-comment-4017" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Adrian</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4017">
<time datetime="2015-03-04T15:33:36+00:00">
March 4, 2015 at 3:33 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>hello Alexander. Thanks for this tutorial. I am having one small issue;<br />
<code><br />
Starting strongSwan 5.2.2 IPsec [starter]...<br />
/opt/etc/ipsec.conf:34: missing value for setting 'conn'<br />
invalid config file '/opt/etc/ipsec.conf'<br />
unable to start strongSwan -- fatal errors in config<br />
</code></p>
<p>ipsec.conf:34 is directly related to conn %default</p>
<p>Unfortunately, I&#8217;m a strongswan noob, so I don&#8217;t know how parameter requirements might have changed from version to version, and this is my first IPSec server. Thanks in advance for any insight</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-4033" class="comment byuser comment-author-alexander bypostauthor odd alt depth-2 parent">
<article id="div-comment-4033" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4033">
<time datetime="2015-03-05T13:07:09+00:00">
March 5, 2015 at 1:07 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello Adrian, could you post your ipsec.conf here or at least the relevant section?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-4036" class="comment even depth-3 parent">
<article id="div-comment-4036" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Adrian</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4036">
<time datetime="2015-03-05T23:40:23+00:00">
March 5, 2015 at 11:40 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hey Alex,</p>
<p>This morning I re-pasted your configuration and ipsec start worked, so I&#8217;m not sure what happened there. A small tidbit of information that might be helpful: Windows Phone 8.1 won&#8217;t recognize client certs without the &#8216;clientAuth&#8217; flag, so people should know to remember that before exporting to .p12</p>
<p>Now, I&#8217;m currently fighting a WinPhone8.1 error code: 13801 but i&#8217;ll post back when i get that resolved, unless somebody (hopefully) beats me to the punch.</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-4044" class="comment byuser comment-author-alexander bypostauthor odd alt depth-4">
<article id="div-comment-4044" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4044">
<time datetime="2015-03-06T16:30:50+00:00">
March 6, 2015 at 4:30 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Adrian, thanks for sharing the info regarding Win Phone 8.1. I&#8217;ll update the howto soon.</p>
<p>Microsoft has <a href="https://technet.microsoft.com/en-us/library/dd941612(v=ws.10).aspx" rel="nofollow">some info</a> regarding error code 13801&#8230;</p>
<p>Error 13801 occurs on the client when:</p>
<ul>
<li>The certificate is expired.</li>
<li>The trusted root for the certificate is not present on the client.</li>
<li>The subject name of the certificate does not match the remote computer.</li>
<li>The certificate does not have the required Enhanced Key Usage (EKU) values assigned.</li>
</ul>
<p>Did you make sure that the VPN Server Name as given on client certificate matches with the subjectName of the server certificate?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-4443" class="comment even thread-even depth-1 parent">
<article id="div-comment-4443" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Test</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4443">
<time datetime="2015-04-11T23:09:28+00:00">
April 11, 2015 at 11:09 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello. I wanted to know if it&#8217;s possible to set up PFS for IKEv1?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-4561" class="comment byuser comment-author-alexander bypostauthor odd alt depth-2">
<article id="div-comment-4561" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4561">
<time datetime="2015-04-21T10:49:25+00:00">
April 21, 2015 at 10:49 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi,</p>
<p>If your IKEv1 client supports PFS, it should be enabled with this configuration out of the box. Previously, strongSwan had a &#8220;pfs&#8221; option; this has been removed, and instead IKEv1 and IKEv2 now use the same syntax for enabling PFS, namely listing a Diffie-Hellman group in the ESP proposal (as shown in the example).</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-4579" class="comment even thread-odd thread-alt depth-1 parent">
<article id="div-comment-4579" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Test</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4579">
<time datetime="2015-04-23T07:24:13+00:00">
April 23, 2015 at 7:24 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello and thanks for this awesome tutorial.</p>
<p>I&#8217;ve set up my Raspberry Pi based on your instructions on this page, but with a few differences, being that I&#8217;ve enabled line 4 of the ipsec.conf file to be able to use one cert on multiple devices. It all works when I connect my iPhone to the strongSwan Service, except that when it does connect, it gives me this:<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
tail -f /var/log/auth.log<br />
Apr 23 02:12:55 retro charon: 08[IKE] cli.ent.ip is initiating a Main Mode IKE_SA<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
sudo ipsec status<br />
Security Associations (1 up, 0 connecting):</p>
<p>CiscoIPSec[96]: ESTABLISHED 94 seconds ago, rasp.be.rry.ip[C=CH, O=strongSwan, CN=ser.ver.ip]&#8230;cli.ent.ip[C=CH, O=strongSwan, CN=Client Key]</p>
<p>CiscoIPSec{59}: INSTALLED, TUNNEL, ESP in UDP SPIs: cc162c33_i 05debb64_o</p>
<p>CiscoIPSec{59}: 0.0.0.0/0 === 10.0.0.1/32<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>I&#8217;m a novice when it comes to troubleshooting info like the above, but it seems to me that my iPhone isn&#8217;t using IKEv2 (IPSec-IKEv2) and is instead using IKEv1 (CiscoIPSec). Is my assumption correct? How can I get my iPhone to use IPSec-IKEv2 instead?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-4602" class="comment byuser comment-author-alexander bypostauthor odd alt depth-2 parent">
<article id="div-comment-4602" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4602">
<time datetime="2015-04-25T09:08:34+00:00">
April 25, 2015 at 9:08 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>That is correct. Although IKEv2 support was added in iOS 8, the iOS VPN GUI has not yet been updated to allow for IKEv2 connections. If you require IKEv2, you&#8217;d need to create a custom configuration profile (using the Apple Configurator, for example). You find more info here:</p>
<p><a href="https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile" rel="nofollow">https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile</a></p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-5064" class="comment even depth-3 parent">
<article id="div-comment-5064" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Test</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5064">
<time datetime="2015-06-26T20:32:51+00:00">
June 26, 2015 at 8:32 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Is there a way to set IKEv2 without Apple Configurator? I don&#8217;t have a Mac to work on, only Windows.</p>
<p>Can I edit the config file with a text editor on windows, and possibly make the changes there to enable IKEv2?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
<ul class="children">
<li id="comment-5072" class="comment byuser comment-author-alexander bypostauthor odd alt depth-4">
<article id="div-comment-5072" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alexander Turcic</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5072">
<time datetime="2015-06-27T08:33:15+00:00">
June 27, 2015 at 8:33 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi,</p>
<p>Not in iOS 8.x. But from what I&#8217;ve seen, iOS 9.0 will have an updated VPN gui with the option to configure IKEv2 directly on the device.</p>
<p>Alex</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
</ul><!-- .children -->
</li><!-- #comment-## -->
<li id="comment-4687" class="comment even thread-even depth-1">
<article id="div-comment-4687" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Halp</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-4687">
<time datetime="2015-05-05T17:13:51+00:00">
May 5, 2015 at 5:13 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>I&#8217;ve set up strongSwan along with Plex Media Server on my Raspberry Pi 2 with the intention of accessing it over the VPN when I&#8217;m away from home. The VPN works, except that when I try to connect to Plex by using the local IP address, I get a log in screen. If I am home however, I can see my server with its contents. Can you help with that?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5100" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-5100" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Halp</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5100">
<time datetime="2015-07-02T01:23:43+00:00">
July 2, 2015 at 1:23 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello and thanks for the responses to my other questions. I&#8217;ve got another question for you. I&#8217;ve installed Pi-Hole for ad-blocking purposes (<a href="http://jacobsalmela.com/block-millions-ads-network-wide-with-a-raspberry-pi-hole-2-0/" rel="nofollow">http://jacobsalmela.com/block-millions-ads-network-wide-with-a-raspberry-pi-hole-2-0/</a>) and wanted to know if it&#8217;s possible to set the RPi&#8217;s IP address within the strongSwan setup as a DNS address, so that I can get the VPN to block ads while it&#8217;s in use? I would be very grateful for your help in this.</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5173" class="comment even thread-even depth-1">
<article id="div-comment-5173" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Halp</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5173">
<time datetime="2015-07-11T22:57:09+00:00">
July 11, 2015 at 10:57 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello. Can you tell me which Diffie-Hellman group number corresponds to the PFS setup in /etc/ipsec.conf?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5186" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-5186" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Halp</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5186">
<time datetime="2015-07-14T03:56:17+00:00">
July 14, 2015 at 3:56 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>I&#8217;m trying to setup an IKEv2 profile for iOS 8/9 but I&#8217;m running into some issues.</p>
<p>What is a Remote Identifier?<br />
What is a Local Identifier?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5309" class="comment even thread-even depth-1">
<article id="div-comment-5309" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Test</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5309">
<time datetime="2015-07-27T21:23:41+00:00">
July 27, 2015 at 9:23 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello. I&#8217;ve followed your tutorial and at this moment, it works well with iOS devices (IKEv1). However, I&#8217;m having difficulty setting up IKEv2 via Apple Configurator, and seeing that the support pages on the strongSwan site are difficult for me to grasp, I&#8217;m hoping that you can help. </p>
<p>With Apple Configurator, what would I put for Local Identifier and Remote Identifier? And with regard to the other parameters in the Configurator (Dead Peer Detection Rate, and the IKE/Child SA parameters: Encryption Algorithm, Integrity Algorithm, Diffie-Hellman Group number, and Lifetime in Minutes), which values would be best to use?</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5344" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-5344" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Test</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5344">
<time datetime="2015-07-31T08:17:16+00:00">
July 31, 2015 at 8:17 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello. Is it possible that the script you have for generating RSA keys could be rewritten for ECDSA keys? And if so, could you post an example? </p>
<p>Not that I have an issue with RSA keys, but I&#8217;ve read that ECDSA offers comparable (or better) security at a much smaller key size, and that strongSwan supports the use of ECDSA. (Reviewer note: before switching, check that every client you need to support accepts ECDSA certificates and the corresponding ECP DH groups in its IKEv2 proposals &#8211; support varies between platforms and versions.)</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5353" class="comment even thread-even depth-1">
<article id="div-comment-5353" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Alfred Stompeneno</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5353">
<time datetime="2015-08-01T12:22:24+00:00">
August 1, 2015 at 12:22 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Tried all your instructions to the T but was always getting an error with the Windows Phone 8.1 client.<br />
Finally figured it out:<br />
the CA certificate needs a serverAuth flag.<br />
ipsec pki --self --ca --lifetime 3650 \<br />
--in private/strongswanKey.pem --type rsa \<br />
--dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \<br />
<strong>--flag serverAuth</strong> --outform pem \<br />
&gt; cacerts/strongswanCert.pem</p>
<p>Hope it helps someone. (Reviewer note: the double dashes above were originally rendered as en-dashes by the blog software; the command only works with literal <code>--</code> and straight quotes. Whether the flag is really required on the CA certificate, rather than on the host certificate it signs, is worth verifying &#8211; Windows clients generally check the host certificate for the serverAuth EKU and for a subjectAltName matching the server address. After re-issuing the CA certificate, re-install it on every client and confirm that the existing host certificate still validates against it.)</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5369" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-5369" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Hardik Gohil</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5369">
<time datetime="2015-08-03T03:24:21+00:00">
August 3, 2015 at 3:24 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hello,</p>
<p>I am trying to generate a private key using<br />
ipsec pki --gen --type rsa --size 4096 \<br />
--outform pem \<br />
&gt; private/strongswanKey.pem</p>
<p>Once I enter this command, the process runs forever and never exits.</p>
<p>When I kill it with Ctrl+C, strongswanKey.pem is empty.</p>
<p>Can anyone help me? (Reviewer note: a 4096-bit key generation that never returns on a headless server or VM is most likely the kernel entropy pool blocking &#8211; <code>pki --gen</code> reads from the blocking random source. Check <code>/proc/sys/kernel/random/entropy_avail</code>; if it is near zero, feed the pool with a hardware RNG or an entropy daemon such as haveged or rng-tools rather than generating the key on a less trusted machine or with a weaker RNG.)</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5739" class="comment even thread-even depth-1">
<article id="div-comment-5739" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Marian Andre</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5739">
<time datetime="2015-09-01T09:18:49+00:00">
September 1, 2015 at 9:18 am </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi Alex,</p>
<p>Thank you for the well-written tutorial. It helped me a lot.<br />
One thing, however &#8211; maybe it is something obvious &#8211; but anyway:<br />
I had to make sure that my host certificate and private key had the same filename, otherwise I got an error about loading the private key.</p>
<p>My bad habit of naming files my.vpn.server-cert.pem and my.vpn.server-key.pem, and my lack of attention to the tiny log line saying it couldn&#8217;t load the private key, cost me a few hours figuring out why I was getting an IKE &#8220;authentication failed&#8221; error. (Reviewer note: strongSwan matches a certificate to its key by the public key, not by filename; the more likely cause is that the <code>: RSA &lt;file&gt;</code> entry in ipsec.secrets must name the key file exactly as it is stored under /etc/ipsec.d/private. The &#8220;could not load private key&#8221; line in the log is the thing to look for whenever authentication fails right after a certificate change.)</p>
<p>Thanks again for really useful article.</p>
<p>Marian</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-5884" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-5884" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">Xao</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-5884">
<time datetime="2015-09-12T12:19:12+00:00">
September 12, 2015 at 12:19 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>It took me a long time to figure out:<br />
for Windows Phone 8.1 as a client (possibly all Windows Phone versions), the CA certificate must be issued with <code>--flag serverAuth</code> or it won&#8217;t work.<br />
Just FYI for others who want Windows Phone clients to work. (Reviewer note: also verify that the host certificate itself carries serverAuth and a subjectAltName matching the address the client connects to; Windows clients are generally strict about both.)</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-6113" class="comment even thread-even depth-1">
<article id="div-comment-6113" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<cite class="fn">john kotkin</cite> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="index.html#comment-6113">
<time datetime="2015-10-04T19:57:40+00:00">
October 4, 2015 at 7:57 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Hi,</p>
<p>Thank you for this tutorial</p>
<p>I used the tutorial below and everything was fine:<br />
<a href="https://www.vultr.com/docs/using-strongswan-for-ipsec-vpn-on-centos-7" rel="nofollow">https://www.vultr.com/docs/using-strongswan-for-ipsec-vpn-on-centos-7</a></p>
<p>But I need to run it on Ubuntu, and with your tutorial I always get an EAP authentication error.</p>
<p>Is there any way to debug it, to see exactly what&#8217;s going on? (Reviewer note: the charon daemon logs to syslog; raising the log level with the <code>charondebug</code> setting in ipsec.conf and watching the log during a connection attempt usually shows which step of the EAP exchange fails. Keep the verbose level off in production, since it can expose identities and negotiation details in the logs.)</p>
<p>Thank you,<br />
John</p>
</div><!-- .comment-content -->
</article><!-- .comment-body -->
</li><!-- #comment-## -->
</ol><!-- .comment-list -->
</div><!-- #comments -->
</div><!-- #content -->
</div><!-- #primary -->
</div><!-- #main -->
</div><!-- #page -->
</body>
</html>