strongSwan

h1. Introduction to strongSwan: IKEv2 Remote Access Client Configuration

This is the example IKEv2 client configuration as mentioned in [[IntroductionTostrongSwan#IKEv2-Windows-78-Linux-Android-4-Mac-OS-X-iOS-8|Introduction to strongSwan]].

h2. [[ipsec.conf]]

<pre>

conn ikev2-rw

	right=gateway.host.name

	rightid=%gateway.host.name

	rightsubnet=0.0.0.0/0

	rightauth=pubkey

	leftsourceip=%config

	leftauth=pubkey or eap, depending on the selected gateway config

	leftcert=certificate, only if leftauth=pubkey (e.g. peerCert.der)

	eap_identity=username, only if leftauth=eap (e.g. peer)

	auto=add

</pre>

The @%@ syntax for _rightid_ was added with [[5.0.1]]. In earlier releases you must set it to the identity used on the gateway,

that is, the value of _leftid_ in the gateway config, which defaults to the subject of the certificate.

_rightsubnet=0.0.0.0/0_ allows the gateway to optionally narrow the traffic that is eventually tunneled to its liking or actually

allow the client to tunnel all traffic (also see [[ForwardingAndSplitTunneling|Forwarding and Split-Tunneling]]).

_leftsourceip=%config_ will request a [[VirtualIP|virtual IP address]] from the gateway, which may also send other attributes like

DNS servers.

h2. [[ipsec.secrets]]

<pre>

# either of these two lines depending on leftauth above

: RSA <private_key.file> "passphrase to decrypt key, if any"

<username> : EAP "password"

</pre>

Then copy the CA certificate to [[IpsecDirectoryCacerts|ipsec.d/cacerts]]. This is required to verify the gateway certificate.

If certificate based authentication is used, copy the client certificate to [[IpsecDirectoryCerts|ipsec.d/certs]] and the private key

to [[IpsecDirectoryPrivate|ipsec.d/private]].

If EAP authentication is used, the password may also be configured with the @ipsec stroke user-creds@

command after starting strongSwan.