Sun
EpisodesPrivacy guidesStories
Don’t lose your
|


Updated on GitHub 4 months ago (see history)

How to configure strongSwan client on headless Debian-based Linux computer (DEPRECATED: guide is no longer maintained)

How to configure strongSwan client on headless Debian-based Linux computer

Requirements

Caveats

  • When copy/pasting commands that start with $, strip out $ as this character is not part of the command
  • When copy/pasting commands that start with cat << "EOF", select all lines at once (from cat << "EOF" to EOF inclusively) as they are part of the same (single) command

Guide

Step 1: create client key and cert using certificate authority from How to self-host hardened strongSwan IKEv2/IPsec VPN server for iOS and macOS (on certificate authority computer).

Navigate to strongswan-certs directory

cd ~/Desktop/strongswan-certs

Set client common name

STRONGSWAN_CLIENT_NAME=bob

Update OpenSSL config file

cat << EOF > openssl.cnf
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
countryName_default = US
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Self-hosted strongSwan VPN
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
[ server ]
authorityKeyIdentifier = keyid
subjectAltName = DNS:vpn-server.com
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
[ client ]
authorityKeyIdentifier = keyid
subjectAltName = email:$STRONGSWAN_CLIENT_NAME@vpn-server.com
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
EOF

Generate client cert

$ openssl genrsa -out $STRONGSWAN_CLIENT_NAME.key 4096
Generating RSA private key, 4096 bit long modulus
............................++
...........++
e is 65537 (0x10001)
$ openssl req -new -config openssl.cnf -extensions client -key $STRONGSWAN_CLIENT_NAME.key -subj "/C=US/O=Self-hosted strongSwan VPN/CN=$STRONGSWAN_CLIENT_NAME@vpn-server.com" -out $STRONGSWAN_CLIENT_NAME.csr
$ openssl x509 -req -extfile openssl.cnf -extensions client -in $STRONGSWAN_CLIENT_NAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out $STRONGSWAN_CLIENT_NAME.crt
Signature ok
subject=/C=US/O=Self-hosted strongSwan VPN/CN=bob@vpn-server.com
Getting CA Private Key

Step 2: log in to client computer

Heads-up: replace ~/.ssh/pi with path to private key and pi@10.0.1.248 with SSH destination of client computer.

ssh -i ~/.ssh/pi pi@10.0.1.248

Step 3: switch to root

su -

Step 4: configure firewall

Heads-up: input rules are likely already configured (run iptables-save and ip6tables-save to check).

Configure IPv4 rules

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 500 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 4500 -m state --state NEW -j ACCEPT

Configure IPv6 rules (if network is dual stack)

ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 500 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 4500 -m state --state NEW -j ACCEPT

make firewall rules persistent

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Step 5: update APT index

apt update

Step 6: install strongSwan

Heads-up: if you are shown an “Old runlevel management superseded” warning, answer “Ok”.

apt install -y strongswan libcharon-extra-plugins

Step 7: configure strongSwan

Set strongSwan client name and server IP environment variables

Heads-up: replace 185.193.126.203 with IP of strongSwan server.

STRONGSWAN_CLIENT_NAME=bob
STRONGSWAN_SERVER_IP=185.193.126.203

Back up and overwrite /etc/ipsec.conf

cp /etc/ipsec.conf /etc/ipsec.conf.backup
cat << EOF > /etc/ipsec.conf
conn ikev2
auto=start
ike=aes256gcm16-prfsha512-ecp384!
esp=aes256gcm16-ecp384!
dpdaction=restart
closeaction=restart
keyingtries=%forever
leftid=$STRONGSWAN_CLIENT_NAME@vpn-server.com
leftsourceip=%config
leftauth=eap-tls
leftcert=$STRONGSWAN_CLIENT_NAME.crt
right=$STRONGSWAN_SERVER_IP
rightid=vpn-server.com
rightsubnet=0.0.0.0/0
rightauth=pubkey
EOF

Back up and overwrite /etc/ipsec.secrets

cp /etc/ipsec.secrets /etc/ipsec.secrets.backup
cat << EOF > /etc/ipsec.secrets
: RSA $STRONGSWAN_CLIENT_NAME.key
EOF

Disable unused plugins

cd /etc/strongswan.d/charon
sed -i 's/load = yes/load = no/' ./*.conf
sed -i 's/load = no/load = yes/' ./eap-tls.conf ./aes.conf ./dhcp.conf ./farp.conf ./gcm.conf ./hmac.conf ./kernel-netlink.conf ./nonce.conf ./openssl.conf ./pem.conf ./pgp.conf ./pkcs12.conf ./pkcs7.conf ./pkcs8.conf ./pubkey.conf ./random.conf ./revocation.conf ./sha2.conf ./socket-default.conf ./stroke.conf ./x509.conf
cd -

Step 8: copy certs and key to client and make private directory root-only.

On certificate authority computer, run:

cat << EOF
cat << "_EOF" > /etc/ipsec.d/cacerts/ca.crt
$(cat ca.crt)
_EOF
EOF

On client computer, run output from previous command:

cat << "_EOF" > /etc/ipsec.d/cacerts/ca.crt
-----BEGIN CERTIFICATE-----
MIIFWzCCA0OgAwIBAgIJAIBFc1JHIb/zMA0GCSqGSIb3DQEBCwUAMEsxCzAJBgNV
BAYTAlVTMSMwIQYDVQQKDBpTZWxmLWhvc3RlZCBzdHJvbmdTd2FuIFZQTjEXMBUG
A1UEAwwOdnBuLXNlcnZlci5jb20wHhcNMjAxMjA5MTYyMDA4WhcNMzAxMjA3MTYy
MDA4WjBLMQswCQYDVQQGEwJVUzEjMCEGA1UECgwaU2VsZi1ob3N0ZWQgc3Ryb25n
U3dhbiBWUE4xFzAVBgNVBAMMDnZwbi1zZXJ2ZXIuY29tMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAyYp9BcqpYob99NMEPbfpjRvBXujnoFA440MyF2kx
2uJZliBxgJbZZMEIg4dGgbHDIJ3Pz9WuJZczhw35xjbcTo2JFPQ0In4KcbV8qdyb
1KQgvbuES9H4pb+QJDn46l/Djqhc4KU9jGzxvgVZF8GkwsIOP6vMrdarpzH2vG+8
dNvvgB9LMDjMU4grbkqBwrCr8hJVrcoo6GRlmUP9hnGirUd5cSE9ycIgJsPssPuc
eCOocoewKiYFLjLTPMZyElhu8K1Rcn09EizcOJeaaaaLQTG67r2tD6wMW9aAtmz+
acdJ98s3yp5mJt4SnMGnEN3VoTTCOBm2jXBH2hSh1sM/INP6bLSrYme4SkTwvSMD
8ebipybd3tcvBoQnRc3lWgI4JKyB5lRJTyExB8di9euLQ+XExpxcRKNmsrcbrLwU
1+YX0JnQ6XZNhreSqm8HN6iUn57CPdD+wMFnqHeq+kVxdEkTObnIYhyw9CMmGVHO
/YhsMCbrw9w5lpPp2/FgXvxkkpL2hwoQF8YoGmXi1zXKE5DEGegeM9fZaExdIPJr
CXvf30Xq3+ntfv9PkMvWeFcH5Hxo30tZ5u1c3R8YM/32iVAVgo1d80XUnXo3/Y89
hOTNL2+M8CBc6rsIEcvs4KUClb5hwliiIignMdShfdAdzOgQYAZW0aZJs2Eg4vp4
hlsCAwEAAaNCMEAwHQYDVR0OBBYEFA6byRT0reX3U+qj3VP9H+3ggglNMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAX
9yWi8WWi1fn8NVaWTsspZahzN58h8JngEcl9YFJEw+K41gztfgFp6nl4T6HJP4dX
+gcRT9uSLjQsBR58bdiE8oXHVePhpl3UdEg4tdZ7mHbB09aKRhtSmPx1LDIp+Zxk
71xH4ZYw1IvdSNZv/autMkHL+SQToXRLzrq7UZtg0SJWnP6Z9CBlpDKUu8jQuWUl
Y5kkKj4kCRF7mETuRKk/eW86qVCmbScSlItrHkHf6Y+53/aKVs5bCHuHkEJZ8j0E
q3jHrNhvl2VkVxD+1zsjrYXeJxux5zZUSBJ6gj+Hb/0VHoDJ8JFp1ZEB1AeZUY5u
dc2ObiCfMCBx9iiPdVian93K37quaijeIROA+JVOLFB7tPXyRlyECD311Sjt4YjV
zp/rK3DOfjuvu3hOx2dixvypOdb3r3e0F9ni9iurn7kgBT8u/+Z+FXTUZ8FFNgKX
hTQUcwkFfgRe2N71oRAzkMpjaXr8IvGLJ+kZ1koRHd/D6JU5/bSmW0K/5LxnW6K8
/W/oTUc1Uu5tZ2LgXXieOCUz/h8EQ1UA6t0h1czgwpz/gPESJuhV1Y/POP7FCYHD
i7SLtWmIrt4dbGFwascWBzEBOG+rx6ilEFnrqRpoBCcl5B6aj2iTAS8lmuJaYMTJ
JJAKOaEm18Vl0ntydZ1BSldekjJNYFCENvCNXp/vRg==
-----END CERTIFICATE-----
_EOF

On certificate authority computer, run:

cat << EOF
cat << "_EOF" > /etc/ipsec.d/private/$STRONGSWAN_CLIENT_NAME.key
$(cat $STRONGSWAN_CLIENT_NAME.key)
_EOF
EOF

On client computer, run output from previous command:

cat << "_EOF" > /etc/ipsec.d/private/bob.key
-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAm7IuJck8H0xM9Fa07gh2ZDzSW9NNCUWavhmr+hse4ZcpFbNN
1D6uaa9sWBNReVzd9PRo7cJwzhTqMYsNF5nLrhdeAlIE9ans/maZlIf4EJ4fNZV8
WqJ2ySWrPNhc7rcKXgyQPSzD3g+N+GmuzfvoQczFOVgT+H8LGeQIM+qjJRJk+UOY
mMov4UAV38SWbMy4vWid2uDVU9jJRSIbUU7CTV3uvZ/XQJRQxtBBxKpGiZiVoImx
iHKrP9cSHlvY5RqfCsS8OxO6YvyIyYE/no6wG0D+H9fd7g8U7jXRphL0mJK5XOAP
DRjYUfQms6dGeswtMoxhj7282ryOOLOt04IZsjUIqzIzSxvqhdLMBKuD2SJAzC/E
x+5rmGFFpHQbAatvHGffhinzQH842+Pi73Qdkx9NEGaXZJWkWC6S4SAR5olBZKxp
4H9lyhUUqMbluoRp0NngeQT8TEinRKiO2KtDx6DpWlIwIfxAzv76wyDbRBgzmaa3
F31EM41Bu3/ch+BL7tnxVJhyugFFuESLYuIam3gm2XK9ZndWIuKyvH3/sLvuhxwf
sFvvOG/SObYenBQozYgS0LzNTzTLaoZIhkI/UsKQjGnPPCcc1hhB33mkNNwEtVyn
q3o5d1YVTN6q6LVx+BOHA1dJjCpMUME2bwql3WefVWRoD22WWizk6KcQfW0CAwEA
AQKCAgB4pvE/8tuWXWhdCDwZIZGtR7yzz+CoyLmLixVMMWwS4TLDUDmFujUqTPim
oAHJDIAr7KLLbJxB9s8tKVYx7cp61DzTi3+wZ8fxtMxa36sKJZ6FxZuiGLf4VCqI
chpCGrH8A7xay6/VCzS3Rh5iHU30f5xuPaTsMncFz0HUCYX3mnOI/iroa/YClcjd
qNfw5AxdKw74qLZnzVzbJ/0HWwMTNTFm3NDPiJ+4EXaF0nXq9sUsrMdYt5OhWyb9
Q6umjqSkkaRUG4uaXZwamwAT/PrXg9vqDTw72JAdsLMQASxud3URVcgUHCa2C39a
RMxHKKX1v/dyjlQlJW0I36RafT0vOHMsqjxG919vLfiMFztn8AZejsYcMCe8qYMq
aybQQNMR3aW+f4OEbLidRxujmxN3hvVVkyEppr/J5qzgkFB51zb30ooDTp90SE2y
5ArXXI2N/e+JXh2R08ev1ScI32rSmRa/Xw33IfyO8XOnUepAvfB586XEUIa6CXNC
r2rJJ/OHgXEktyEGQfxJ6lORINPpx+qh74gg8YW7rLKKeKOJM1i85w8Trs/NHKB6
Ok0sn2V0RsJT1csqA0SSRc1kRMmJxj6dBrWXbp2eeo/nNBfX7kwGoouK9pMYXZv/
aNx/0ZuN3uC62kkvWvCotifRggjnHxCSBtNljwaRySGDByBIAQKCAQEAzpZyVJDN
KUyFps6+oTgAfo5xDyWTEZpFkrDMyA2eJ0cxHWSMdVnK5U858oTGWeAK2kNDnznI
cfDtgjsorZqYYqPK6SI3/iYKw6NqA1E7hMJF78aitXVxhj0OiCN2hpMoFmm9wdcE
4XRru9/bEbSmc2NGrL25gKvYJ+1CZ6QRMUhlW6P3JjKPcmopCKKTobxErLiyOjnY
G8ne7UvY4M8d9ElpdDfNHaVw0+wkGemw/8s82QhkTFagMv9cTH8rwoe4fcKWbhn0
6QNxowLMVecdyhd5GAnxRb1ccFal58y0byivge4MtVeZlsvGuPjD4bXwMIUvcVS+
XswhijwbtaUebQKCAQEAwO+XHFtxA9ByIFD66fJ84/HWGyoYP/hDpexrxJrLjJuP
i6Y23RtewVs7LFmj88i29xLUjJ3vp7syQ8iGxPz0hxd4i/QQI8Jed1lV+6eiQbv0
eHRP7P7QlyhUpjT5KYVAn7vEA4r51vtIQ4aIawF2S29ZvZO+4PJFb/gyOmtz+mPO
6Ok25KgzVX22DgqGYVcETGasaCioob37QjOrSu9Bid2hrzmf+Et5SyhvyRKOSVAw
SxRUqp5tCp2P2h1Xn/BO7kCzypkRyhDRTqcEMuVdnBWEN4oceA+Xyzfq62VLCb/5
z0sa7le46MWCNG+DaMLgZtwfCWDxQD/MQrT/luF7AQKCAQBGAtJoOlJtBpPcvf/4
nwP738YM/gzjUEb3uZcMzSCl6wiID4VSV8XdBIZ82+ZkmvrSkS0fjvORObckBWx5
uQSfmSaw73nOVZIcTwskaKklCrms0sJdgJmihpqgJHSMkt5pChjW0knDJjNEjk6t
p20peaF/9SQiqRouHcf9W6q/6ur+rYial1Pp0HRrir1BeI5FgqpT9Tp54GX+QVAU
j9x051QnoKmQvHqKN2LcrUfgyD2sx51GCa1s2wGqowZvfJNXe1SDp6RKO3KNbetV
yWddD6toLCZqHgxvvc2nysXzTfR8sfH4muFgK1sDYLrxiTkHGHvFipShh8huEoTJ
gFXZAoIBADOptHAOeFPKJFVM+fNdUF4Fawy5F+dBRnQOu8jYnnrXSPffGT/ZzWS/
VjgJBOMJsxyz+SByRjNG6C3Ia3YiOiRWf5wSTaQVrxAMZv7NI6CwgMUkeCaBET/4
t7oN405f9S8Qq2s7cq1DelVCmBL3QELw3TnrbyhzF27lKiYEkfjRcx1hHaba92wE
DpTx8ovsLiV7NN1rTcSJx9cxWMPnD0iohVwTdSeapi8e89gG1P0CsPvZxNYvOAmo
qVWBl+4m/ivEPaCZnm7aVAHYrUInswpRpKbun7LykfYD0i8YX6CLvIvqk5qQ+N2z
zarW1Xxe+pHwjYsIX3GR49NU/j/bvwECggEAXgBQQjW0i5sMU53zBcc7BYaDdLIz
kreFUV1+sfE5Z4tBtjks86ujnA11lrfpojN7alo0FbpkDqBiJCl2inCVryZWhHuM
jjSfmJmc3Yu7mkCP7ClLhBbuJYvAK8NNwoMhKzpz4SCncM7icsyKBomOCfWyJtCt
pnG3Kv8lcZdpmbaYxtbum2MMaTuZQPDJwIe+TXgwUWs5JpaVaoA+pxg7hVVm/etl
Q792SFlYfocvqZ7NVNQ29YizcUHCoUmYNbBaRWJBFDF5TKywv+rBx+k8lfYz2AZC
ImQBryT2Ndf0PcKX0yKfUfd78Cg5+X9mt8LTfHN8HDoMirMCANbpMFRgHQ==
-----END RSA PRIVATE KEY-----
_EOF

On certificate authority computer, run:

cat << EOF
cat << "_EOF" > /etc/ipsec.d/certs/$STRONGSWAN_CLIENT_NAME.crt
$(cat $STRONGSWAN_CLIENT_NAME.crt)
_EOF
EOF

On client computer, run output from previous command:

cat << "_EOF" > /etc/ipsec.d/certs/bob.crt
-----BEGIN CERTIFICATE-----
MIIFfjCCA2agAwIBAgIJAN19ZfXadJDLMA0GCSqGSIb3DQEBBQUAMEsxCzAJBgNV
BAYTAlVTMSMwIQYDVQQKDBpTZWxmLWhvc3RlZCBzdHJvbmdTd2FuIFZQTjEXMBUG
A1UEAwwOdnBuLXNlcnZlci5jb20wHhcNMjAxMjEwMTE1MjU3WhcNMzAxMjA4MTE1
MjU3WjBPMQswCQYDVQQGEwJVUzEjMCEGA1UECgwaU2VsZi1ob3N0ZWQgc3Ryb25n
U3dhbiBWUE4xGzAZBgNVBAMMEmJvYkB2cG4tc2VydmVyLmNvbTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAJuyLiXJPB9MTPRWtO4IdmQ80lvTTQlFmr4Z
q/obHuGXKRWzTdQ+rmmvbFgTUXlc3fT0aO3CcM4U6jGLDReZy64XXgJSBPWp7P5m
mZSH+BCeHzWVfFqidsklqzzYXO63Cl4MkD0sw94Pjfhprs376EHMxTlYE/h/Cxnk
CDPqoyUSZPlDmJjKL+FAFd/ElmzMuL1ondrg1VPYyUUiG1FOwk1d7r2f10CUUMbQ
QcSqRomYlaCJsYhyqz/XEh5b2OUanwrEvDsTumL8iMmBP56OsBtA/h/X3e4PFO41
0aYS9JiSuVzgDw0Y2FH0JrOnRnrMLTKMYY+9vNq8jjizrdOCGbI1CKsyM0sb6oXS
zASrg9kiQMwvxMfua5hhRaR0GwGrbxxn34Yp80B/ONvj4u90HZMfTRBml2SVpFgu
kuEgEeaJQWSsaeB/ZcoVFKjG5bqEadDZ4HkE/ExIp0SojtirQ8eg6VpSMCH8QM7+
+sMg20QYM5mmtxd9RDONQbt/3IfgS+7Z8VSYcroBRbhEi2LiGpt4JtlyvWZ3ViLi
srx9/7C77occH7Bb7zhv0jm2HpwUKM2IEtC8zU80y2qGSIZCP1LCkIxpzzwnHNYY
Qd95pDTcBLVcp6t6OXdWFUzequi1cfgThwNXSYwqTFDBNm8Kpd1nn1VkaA9tllos
5OinEH1tAgMBAAGjYTBfMB8GA1UdIwQYMBaAFA6byRT0reX3U+qj3VP9H+3ggglN
MB0GA1UdEQQWMBSBEmJvYkB2cG4tc2VydmVyLmNvbTAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUIAgIwDQYJKoZIhvcNAQEFBQADggIBAF7fnx51tOGfdKKx3FiL
UwdVBs9gW/Ox4MjqjawinUgab0+5T5r4C8SbunBFUiLx+GdbqlhXDQBkqK94xYM4
/aQ7sUScDfgOm7E/wryZ7zQLow223lD0SHGeGAvGDtX/uyraWYEPL7RXyQwkScpk
Qp+hpsJJdYD4lEpNLfm7UwZcimqoT2kae0T7veDGmoyL9ii2OWvdj/pNOmFjPa1w
Cfe8J9TfPXdvzT25VpiMZlUSxlbfK9IP/UePfhA+tyFwhE6c9XPlz2yYuh/U9HLb
iscVXqIJGbj7YrDADPII0JG+Ayu7vD7sKlDMhseJh4B8sR2XediAYIEHh1J9nDf0
kxrjrQb/1kwriB1rk8vmSGuQ21vIoIVFDcB1RzW4nx+fOz91C5x1IubvQrn2P4oU
wn99CZo10YMFxG8ThhEI0VkPMj77h8SJ14ymslbKigQlbxnAgqdhMCRjK6hNHi7s
BI/ZS+hXP2C3A/6R7kt05ycoYI4xXzTKV2PIZXfgOt81xayidTeE8470Hc0B8+iU
zHyJhIjephqU6Pf4bjfJlu2/adjQNsAz9E+7UBeHJHlFHUxdtd63weD01IcBm+ZT
BxnbLQPPagoNdg6xVBEXi9OtBWWY+wHOb8ak1lTmGWrdFvOOxHszJl88yX+TNkLW
UpTExBlA0rjkNBDdlkNfRSRF
-----END CERTIFICATE-----
_EOF

On client computer, run chmod -R 600 /etc/ipsec.d/private

Step 9: restart strongSwan

systemctl restart strongswan

Step 10: confirm strongSwan client is connected

$ ipsec status
Security Associations (1 up, 0 connecting):
ikev2[1]: ESTABLISHED 3 minutes ago, 10.0.1.248[bob@vpn-server.com]...185.193.126.203[vpn-server.com]
ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3fcabed_i c2b0c4cd_o
ikev2{1}: 10.0.2.171/32 === 0.0.0.0/0

ESTABLISHED

👍

Step 11: confirm client computer public IP matches strongSwan server IP

curl https://checkip.amazonaws.com
185.193.126.203

185.193.126.203

👍

Heads-up: use following steps to assign static IP to strongSwan client.

Step 12: log in to server

Heads-up: replace 185.193.126.203 with IP of strongSwan server.

ssh -i ~/.ssh/vpn-server vpn-server-admin@185.193.126.203

Step 13: switch to root

su -

Step 14: assign static IP to strongSwan client

Heads-up: replace 10.0.2.171 with IP assigned to strongSwan client by strongSwan server (see step 10).

$ client_ip=10.0.2.171
$ client_mac=$(cat /var/lib/misc/dnsmasq.leases | grep $client_ip | awk '{print $2}')
$ echo "dhcp-host=$client_mac,10.0.2.2" >> /etc/dnsmasq.d/01-dhcp-strongswan.conf
$ cat /etc/dnsmasq.d/01-dhcp-strongswan.conf
interface=strongswan0
dhcp-range=10.0.2.10,10.0.2.254,255.255.255.0
port=0
dhcp-host=7a:a7:9f:c0:9d:b0,10.0.2.2

dhcp-host=7a:a7:9f:c0:9d:b0,10.0.2.2

👍

Step 15: restart dnsmasq

systemctl restart dnsmasq

Step 16: log in to client computer

Heads-up: replace ~/.ssh/pi with path to private key and pi@10.0.1.248 with SSH destination of client computer.

ssh -i ~/.ssh/pi pi@10.0.1.248

Step 17: switch to root

su -

Step 18: restart strongSwan

systemctl restart strongswan

Step 19: confirm strongSwan client has IP 10.0.2.2

$ ipsec status
Security Associations (1 up, 0 connecting):
ikev2[1]: ESTABLISHED 3 minutes ago, 10.0.1.248[bob@vpn-server.com]...185.193.126.203[vpn-server.com]
ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3fcabed_i c2b0c4cd_o
ikev2{1}: 10.0.2.2/32 === 0.0.0.0/0

10.0.2.2/32

👍

Contributors: Sun KnudsenSun Knudsen
Wish to contribute or need help? Read the docs.
Copyright (c) Sun Knudsen
Get in touch