Introduction to strongSwan: IKEv2 Remote Access Client Configuration¶
This is the example IKEv2 client configuration as mentioned in Introduction to strongSwan.
conn ikev2-rw right=gateway.host.name rightid=%gateway.host.name rightsubnet=0.0.0.0/0 rightauth=pubkey leftsourceip=%config leftauth=pubkey or eap, depending on the selected gateway config leftcert=certificate, only if leftauth=pubkey (e.g. peerCert.der) eap_identity=username, only if leftauth=eap (e.g. peer) auto=add
% syntax for rightid was added with 5.0.1. In earlier releases you must set it to the identity used on the gateway,
that is, the value of leftid in the gateway config, which defaults to the subject of the certificate.
rightsubnet=0.0.0.0/0 allows the gateway to optionally narrow the traffic that is eventually tunneled to its liking or actually
allow the client to tunnel all traffic (also see Forwarding and Split-Tunneling).
leftsourceip=%config will request a virtual IP address from the gateway, which may also send other attributes like
# either of these two lines depending on leftauth above : RSA <private_key.file> "passphrase to decrypt key, if any" <username> : EAP "password"
Then copy the CA certificate to ipsec.d/cacerts. This is required to verify the gateway certificate.
If EAP authentication is used, the password may also be configured with the
ipsec stroke user-creds
command after starting strongSwan.