Roadwarrior configuration for macOS 10.12, iOS 10 and Windows 10 using strongSwan and user certificates
Franken Debian
So I have an Ubuntu 16.04 LTS machine and I wanted to configure an L2TP/IPsec VPN on it.
It turns out the package network-manager-strongswan had a bug in it that made it not show up in the GUI.
Like many things software related, this was patched [1] in a new version but not backported (to LTS -- as of yet). The only Ubuntu version with this fix included in the repos (for now) is Zesty Zapus (Ugh, ubuntu).
In the past I've created franken Debian boxes with packages from the sid and/or testing repos. I wanted to see if I could do this in Ubuntu too.
It turns out you can! After following the directions in [3], I was able to install a single package from Zesty Zapus's universe repo [4], while the low pin priority keeps everything else on the LTS release.
Here are the exact changes I made:
# cat /etc/apt/preferences
Package: *
Pin: release a=zesty
Pin-Priority: 50

# cat /etc/apt/sources.list.d/zesty.list
deb http://us.archive.ubuntu.com/ubuntu/ zesty universe
deb-src http://us.archive.ubuntu.com/ubuntu/ zesty universe

# apt-get -t zesty install network-manager-strongswan
1: https://wiki.strongswan.org/issues/1429
2: https://launchpad.net/ubuntu/+source/network-manager-strongswan
3: https://linuxaria.com/howto/how-to-install-a-single-package-from-debian-sid-or-debian-testing
4: https://launchpad.net/ubuntu/zesty/+source/network-manager-strongswan
AWS VPC VPN Strongswan configuration
Create the VPN Connection in the VPC Management console on AWS, using static routing, then download the Generic configuration. The downloaded text file contains some values that you’ll need. There are two VPN configurations in it. I just hook up one on the server. Perhaps if you have two VPN servers you could set up one VPN on each.
These are the values of interest in the downloaded text file:
Pre-Shared Key
Outside IP Addresses
    Customer Gateway
    Virtual Private Gateway
Inside IP Addresses
    Customer Gateway
    Virtual Private Gateway
My server has an internal IP address, and sits behind a router, which has a public IP address. AWS VPC supports NAT-T so this is no problem. You just set “left” (below) to your internal IP and “leftid” (also below) to your public IP.
Here is the example /etc/ipsec.conf:
conn vpc
    mobike=no
    type=tunnel
    compress=no
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    rekeymargin=3m
    keyingtries=3
    installpolicy=yes
    dpdaction=restart
    authby=psk
    left=<ip address of your server>
    leftid=<public ip address of your server>

conn vpc1
    also=vpc
    auto=add
    right=<Outside IP Addresses: Virtual Private Gateway>
    leftsubnet=<your subnet>
    rightsubnet=<VPC subnet>

conn vpc1a
    also=vpc
    auto=add
    right=<Outside IP Addresses: Virtual Private Gateway>
    leftsubnet=<Inside IP Addresses: Customer Gateway>
    rightsubnet=<Inside IP Addresses: Virtual Private Gateway>
Here is the example /etc/ipsec.secrets:
<Outside IP Addresses: Virtual Private Gateway> : PSK "<Pre-Shared Key>"
Then in your AWS VPC configuration edit the route table and add a static route for your internal subnet to the Virtual Gateway device.
Check your security groups on your instances to make sure they allow connectivity from your internal subnet IPs. It can be useful to allow ICMP so you can test using ping.
Restart Strongswan:
service strongswan restart
Then try to bring up the VPN interface:
ipsec up vpc1
If all is going well you should see a successful connection result in a second or two. If not, something is wrong :-(
Try to connect to one of the servers in your VPC. If you can’t, check the security groups on them, or perhaps any firewall rules on your own machine.
Then bring up the vpc1a connection. This should result in the VPN showing as UP on the AWS VPC VPN Connection configuration page.
Once you're happy, change "auto=add" to "auto=start" in /etc/ipsec.conf and restart Strongswan; the VPN will then come up automatically.
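As an added example (not code from the original post), the following POSIX shell script renders the vpc / vpc1 / vpc1a layout above from the values copied out of the AWS Generic configuration file, writes ipsec.secrets under a restrictive umask, and checks that the file holding the pre-shared key has no group/other permission bits. All addresses and the key used in the demo are constructed placeholders from the RFC 5737 and link-local ranges.

```sh
#!/bin/sh
# Added example, not from the original post. Renders the AWS VPC tunnel
# configuration described above and checks the secrets file permissions.
# Every address and the PSK used below are constructed, not real values.
set -eu

# $1 target dir, $2 left (server's internal IP), $3 leftid (public IP),
# $4 VGW outside IP, $5 local subnet, $6 VPC CIDR,
# $7 inside Customer Gateway address, $8 inside Virtual Private Gateway address
render_vpc_conf() {
    cat > "$1/ipsec.conf" <<EOF
conn vpc
    mobike=no
    type=tunnel
    compress=no
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    rekeymargin=3m
    keyingtries=3
    installpolicy=yes
    dpdaction=restart
    authby=psk
    left=$2
    leftid=$3

conn vpc1
    also=vpc
    auto=add
    right=$4
    leftsubnet=$5
    rightsubnet=$6

conn vpc1a
    also=vpc
    auto=add
    right=$4
    leftsubnet=$7
    rightsubnet=$8
EOF
}

# $1 target dir, $2 VGW outside IP, $3 pre-shared key.
# Written in a subshell under umask 077 so the key is never briefly world-readable.
render_vpc_secrets() {
    ( umask 077; printf '%s : PSK "%s"\n' "$2" "$3" > "$1/ipsec.secrets" )
}

# Returns 0 if file $1 has no group/other permission bits (e.g. 0600).
# Tries GNU stat first, then the BSD/macOS spelling.
secrets_are_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo with constructed values.
DIR=$(mktemp -d)
render_vpc_conf "$DIR" 10.0.0.2 203.0.113.10 198.51.100.5 \
    10.0.0.0/24 172.31.0.0/16 169.254.10.1/30 169.254.10.2/30
render_vpc_secrets "$DIR" 198.51.100.5 'constructed-psk-not-real'
secrets_are_private "$DIR/ipsec.secrets" && echo "ipsec.secrets permissions OK"
rm -rf "$DIR"
```

The proposals are exactly the ones the post uses; note that 1024-bit MODP (DH group 2) is weak by current standards, so prefer a larger group wherever the Virtual Private Gateway accepts one. Point the render functions at /etc instead of a temporary directory when you are ready to deploy, and keep the permission check in whatever script restarts strongSwan.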
When you have to make an ipsec tunnel between two different implementations and it doesn't work on the first try.
IPsec Site-to-site VPN RouterOS <-> StrongSwan (VyOS,Vyatta) with x509 Certificates
When setting up an IPsec site-to-site VPN between Mikrotik RouterOS and StrongSwan (e.g. VyOS, Vyatta, or a Linux distro), there is a problem: StrongSwan some time ago changed the default value of leftsendcert from always to ifasked, which results in a failed IKE negotiation because RouterOS never asks for the certificate.
Log:
pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: we have a cert but are not sending it without request
pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: sent MR3, ISAKMP SA established
pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: retransmitting in response to duplicate packet; already STATE_MAIN_R3
pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
I found two practical solutions:
Modify the RouterOS configuration: specify the remote certificate in the peer configuration (the remote certificate needs to be imported first).
Modify the StrongSwan configuration: add leftsendcert=always to the related peer section in /etc/ipsec.conf.
Tested on RouterOS 6.25 and StrongSwan 4.5.2-1.1.
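As an added example (not code from the original post), the following POSIX shell script spots the tell-tale "we have a cert but are not sending it without request" line in a pluto log and reports the effective leftsendcert value for the affected conn in an ipsec.conf, so a run of the second fix can be verified before restarting the daemon. The sample log combines the lines quoted above with one constructed line for a second peer; the sample ipsec.conf is constructed too, and sections pulled in through also= are not followed.

```sh
#!/bin/sh
# Added example, not from the original post. Detects the "not sending cert"
# symptom in pluto log lines and looks up leftsendcert for the named conn.
set -eu

# Constructed sample: the post's log lines plus one line for another peer.
SAMPLE_LOG='pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: we have a cert but are not sending it without request
pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: sent MR3, ISAKMP SA established
pluto[21004]: "peer-E.F.G.H-tunnel-1" #124: sent MR3, ISAKMP SA established'

# Reads log lines on stdin; prints each conn name that logged the symptom once.
cert_not_sent_conns() {
    grep 'we have a cert but are not sending it without request' \
        | sed -n 's/.*"\([^"]*\)".*/\1/p' | sort -u
}

# Effective leftsendcert for conn $2 in ipsec.conf $1: the conn's own value,
# else the value from "conn %default", else strongSwan's default "ifasked".
# Sections included via also= are not followed (assumption of this example).
leftsendcert_for() {
    awk -v want="$2" '
        /^[ \t]*conn[ \t]+/ { cur = $2; next }
        /^[ \t]*leftsendcert[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # strip the key and "="
            sub(/[ \t]*$/, "")            # strip trailing whitespace
            if (cur == want) { val = $0 }
            else if (cur == "%default") { def = $0 }
        }
        END {
            if (val != "") print val
            else if (def != "") print def
            else print "ifasked"
        }
    ' "$1"
}

# Demo: a constructed ipsec.conf that still relies on the ifasked default.
CONF=$(mktemp)
printf '%s\n' 'conn %default' '    keyexchange=ikev1' '' \
    'conn peer-A.B.C.D-tunnel-0' '    right=A.B.C.D' > "$CONF"
printf '%s\n' "$SAMPLE_LOG" | cert_not_sent_conns | while read -r name; do
    echo "$name: leftsendcert=$(leftsendcert_for "$CONF" "$name")"
done
rm -f "$CONF"
```

Pipe the real daemon log into cert_not_sent_conns and point leftsendcert_for at /etc/ipsec.conf; any conn that shows up with ifasked is a candidate for the leftsendcert=always fix described above.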
Configure strongSwan for Windows Phone 8.1 VPN with a Raspberry Pi
One of the new features of Windows Phone 8.1 is VPN support, including VPN over cellular data. I've spent a little while now configuring strongSwan, and after mashing a few configurations together I've found this is the best one for the job.
For this setup, I will be using a Raspberry Pi model B and Arch Linux. The configuration should for the most part translate over to Raspbian (see note), other distros, and even machines that aren't Raspberry Pis.
This guide will assume strongSwan version 5.1.3.
ipsec in Linux on Linode.
I wasted a couple of days banging my head on this one. So I'm throwing it on the internet for those who may also benefit. Linode recently upgraded their offerings: faster CPUs, more RAM and SSDs. There is one current caveat though: you need to run a 64-bit kernel. For the most part all 32-bit distros (especially Debian based) will be just peachy with a 64-bit kernel and 32-bit userland, except, it seems, when userland uses kernel space extensions...

When establishing the site to site tunnel, everything logged just peachy, with the exception of a very insignificant log line that occasionally popped up (that google quickly explained away with a bunch of totally irrelevant links..). It was to do with an argument length passed to netlink. It didn't log on every connection attempt, so I didn't give it any importance when debugging the connection failures (the establishment would get stuck at phase 2, then timeout and try again).

My last straw was to update the firmware on my ssg520 and check the kernel for other versions in Linode... That is when I noticed I had flipped to a 64-bit kernel, but not upgraded to the hardware platform. Switching to a 32-bit kernel and rebooting solved the problem immediately, and the tunnel was established just peachy. Summary: ScreenOS to Debian IPsec tunnel via strongSwan is now working.
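The kernel/userland mismatch in the account above is cheap to rule out before spending days on a tunnel stuck in phase 2. The following POSIX shell script is an added example (not from the original post): it compares the kernel's machine type from uname(1) with the userland word size from getconf(1), with the comparison kept in a pure function so it can also be run against constructed inputs.

```sh
#!/bin/sh
# Added example, not from the original post: flag a 64-bit kernel running
# a 32-bit userland (or the reverse) before debugging IPsec/netlink issues.
set -eu

# $1 = machine type as printed by `uname -m`
# $2 = userland word size as printed by `getconf LONG_BIT`
# Prints a one-line verdict; returns 1 on a mismatch, 0 otherwise.
# The machine-type table below is an assumption covering common platforms.
arch_check() {
    case "$1" in
        x86_64|aarch64|ppc64*|s390x) kbits=64 ;;
        i?86|armv6l|armv7l)          kbits=32 ;;
        *)                           kbits=unknown ;;
    esac
    if [ "$kbits" != unknown ] && [ "$kbits" != "$2" ]; then
        echo "mismatch: ${kbits}-bit kernel ($1) with ${2}-bit userland"
        return 1
    fi
    echo "ok: $1 kernel, ${2}-bit userland"
}

# Reads the live system; falls back to an empty word size if getconf is missing.
check_this_host() {
    bits=$(getconf LONG_BIT 2>/dev/null || echo "")
    arch_check "$(uname -m)" "$bits"
}

check_this_host || echo "consider booting a kernel that matches your userland"
```

Run it on the VPN host itself; a "mismatch" verdict is the situation the post describes, where the fix was to boot a kernel of the same width as the installed distribution rather than to keep tuning ipsec.conf.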
Really out of options, so I compiled #strongswan myself on #debiansid.