
Introduction to strongSwan: IKEv2 Remote Access Client Configuration

This is the example IKEv2 client configuration as mentioned in Introduction to strongSwan.

ipsec.conf

conn ikev2-rw
    right=gateway.host.name
    rightid=%gateway.host.name
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=pubkey or eap, depending on the selected gateway config
    leftcert=certificate, only if leftauth=pubkey (e.g. peerCert.der)
    eap_identity=username, only if leftauth=eap (e.g. peer)
    auto=add

The % syntax for rightid was added with 5.0.1. In earlier releases you must set it to the identity used on the gateway,
that is, the value of leftid in the gateway config, which defaults to the subject of the certificate.

rightsubnet=0.0.0.0/0 lets the gateway narrow the traffic selectors to whatever it wants to tunnel, or, if the gateway does
not narrow them, lets the client tunnel all of its traffic through the gateway (also see Forwarding and Split-Tunneling).

leftsourceip=%config requests a virtual IP address from the gateway, which may also send other configuration attributes
such as DNS servers.

ipsec.secrets

# either of these two lines depending on leftauth above
: RSA <private_key.file> "passphrase to decrypt key, if any"
<username> : EAP "password"

Then copy the CA certificate to ipsec.d/cacerts. This is required to verify the gateway certificate.

If certificate-based authentication is used, copy the client certificate to ipsec.d/certs and the private key
to ipsec.d/private.

If EAP authentication is used, the password may also be configured with the ipsec stroke user-creds
command after starting strongSwan.
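The following script is an added example, written for this page and not part of the strongSwan wiki or the strongSwan project. It turns the ipsec.conf and ipsec.secrets fragments above into a complete client setup for either authentication mode, writes the files into a staging directory with the ipsec.d/ layout described above, and then checks the points the text says must hold before starting strongSwan (a CA certificate present, and in pubkey mode the client certificate and key in place). The gateway name vpn.example.org, the file names peerKey.der and caCert.der, and the use of mode 600 on ipsec.secrets are assumptions of the example; peerCert.der and the user name "peer" come from the page.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki): stage the IKEv2 road-warrior
# client files for pubkey or EAP authentication and verify the ipsec.d tree.
# Assumed names: vpn.example.org, peerKey.der, caCert.der.
set -eu

# render_ipsec_conf MODE GATEWAY IDENT
#   MODE  : pubkey | eap
#   IDENT : client certificate file (pubkey) or EAP user name (eap)
render_ipsec_conf() {
    mode=$1 gw=$2 ident=$3
    printf 'conn ikev2-rw\n'
    printf '    right=%s\n' "$gw"
    # %-prefix (5.0.1+): used to verify the gateway identity, not sent as IDr
    printf '    rightid=%%%s\n' "$gw"
    printf '    rightsubnet=0.0.0.0/0\n'    # gateway may narrow, else tunnel everything
    printf '    rightauth=pubkey\n'         # gateway always authenticates with its certificate
    printf '    leftsourceip=%%config\n'    # request a virtual IP (and DNS etc.) from the gateway
    case $mode in
        pubkey) printf '    leftauth=pubkey\n'
                printf '    leftcert=%s\n' "$ident" ;;
        eap)    printf '    leftauth=eap\n'
                printf '    eap_identity=%s\n' "$ident" ;;
        *)      echo "render_ipsec_conf: unknown mode '$mode'" >&2; return 1 ;;
    esac
    printf '    auto=add\n'
}

# render_ipsec_secrets MODE IDENT [KEYFILE]
#   pubkey: one RSA line naming the key file placed in ipsec.d/private
#   eap   : one EAP line; the password is left as a placeholder so it never
#           appears on a command line (edit it in, or load it at runtime with
#           `ipsec stroke user-creds` after strongSwan has started)
render_ipsec_secrets() {
    mode=$1 ident=$2 key=${3:-}
    case $mode in
        pubkey) printf ': RSA %s\n' "$key" ;;
        eap)    printf '%s : EAP "<password>"\n' "$ident" ;;
        *)      return 1 ;;
    esac
}

# stage_client DEST MODE GATEWAY IDENT [KEYFILE]
#   Writes ipsec.conf, ipsec.secrets and the ipsec.d/ directories under DEST
#   (use /etc for a real install). Certificates and keys are copied by hand.
stage_client() {
    dest=$1 mode=$2 gw=$3 ident=$4 key=${5:-}
    mkdir -p "$dest/ipsec.d/cacerts" "$dest/ipsec.d/certs" "$dest/ipsec.d/private"
    chmod 700 "$dest/ipsec.d/private"
    render_ipsec_conf "$mode" "$gw" "$ident" > "$dest/ipsec.conf"
    render_ipsec_secrets "$mode" "$ident" "$key" > "$dest/ipsec.secrets"
    chmod 600 "$dest/ipsec.secrets"    # secrets are readable by root only
}

# check_client DEST
#   Returns 1 with a reason on the first missing prerequisite, 0 if complete.
check_client() {
    dest=$1
    [ -n "$(ls -A "$dest/ipsec.d/cacerts" 2>/dev/null)" ] \
        || { echo "no CA certificate in ipsec.d/cacerts (needed to verify the gateway)" >&2; return 1; }
    find "$dest/ipsec.secrets" -perm 600 | grep -q . \
        || { echo "ipsec.secrets must be mode 600" >&2; return 1; }
    if grep -q '^ *leftauth=pubkey' "$dest/ipsec.conf"; then
        cert=$(sed -n 's/^ *leftcert=//p' "$dest/ipsec.conf")
        [ -f "$dest/ipsec.d/certs/$cert" ] \
            || { echo "client certificate $cert missing from ipsec.d/certs" >&2; return 1; }
        key=$(sed -n 's/^ *: RSA \([^ ]*\).*/\1/p' "$dest/ipsec.secrets")
        [ -f "$dest/ipsec.d/private/$key" ] \
            || { echo "private key $key missing from ipsec.d/private" >&2; return 1; }
    fi
    echo "client configuration in $dest looks complete"
}

# Usage: ./stage_client.sh DEST MODE GATEWAY IDENT [KEYFILE]
#   e.g. ./stage_client.sh /tmp/swan pubkey vpn.example.org peerCert.der peerKey.der
if [ $# -ge 4 ]; then
    stage_client "$@"
    check_client "$1" || true
fi
```

Run check_client again after copying the CA certificate, the client certificate and the key into place; it only reports the first missing item, so repeat until it prints that the configuration is complete.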