Questions migrating Linux Strongswan IKEv2 setup



  • I have a strongSwan IKEv2 VPN setup for mobile clients running on a Slackware Linux machine.
    The clients are running Android and the latest strongSwan IPsec client on their phones.
    We are looking at moving the VPN server to pfSense.

    Here's my current /etc/ipsec.conf:

    # ipsec.conf - strongSwan IPsec configuration file
    
    config setup
    	charondebug="cfg 2, lib 1, dmn 1, ike 3, net 1, knl 1"
    
    conn %default
    	keyexchange=ikev2
    	dpdaction=clear
    	ike=aes128gcm16-aesxcbc-modp2048
    	esp=aes128gcm16
    	dpddelay=300s
    	rekey=no
    	leftsubnet=0.0.0.0/0,2000::/3
    	leftcert=vpnHostCert.pem
    	leftid="C=CH, O=strongSwan, CN=slack14.wrtpoona.in"
    	right=%any
    	rightsourceip=%dhcp,2604:8800:100:8277:ffff:ffff:ffff:fffc/126 #4 IPv6 hosts
    
    	leftfirewall=yes
    	forceencaps=yes
    	compress=yes
    	auto=start
    
    conn IPSec-IKEv2
    	keyexchange=ikev2
    	auto=add
    

    I don't see an option for IKEv2 using certs in the Phase 1 proposal (Authentication method options).
    What type should I select in the drop down menu?

    How can I migrate this setup to pfSense?


  • Rebel Alliance Developer Netgate

    EAP-TLS is IKEv2 with per-user certificates.
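
Before re-entering the ipsec.conf from the question in another product's GUI, it helps to flatten what `conn IPSec-IKEv2` inherits from `conn %default` and to split the `ike=`/`esp=` proposals into their parts. The script below is an added example, not code from either poster or from pfSense; the function names are hypothetical and the token classification is a heuristic that assumes common strongSwan proposal keywords.

```python
import re

# Abridged copy of the ipsec.conf posted above (sample input for this example).
SAMPLE = """\
conn %default
    ike=aes128gcm16-aesxcbc-modp2048
    esp=aes128gcm16
    leftcert=vpnHostCert.pem
    rightsourceip=%dhcp,2604:8800:100:8277:ffff:ffff:ffff:fffc/126 #4 IPv6 hosts
    auto=start

conn IPSec-IKEv2
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # this parser drops '#' comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header starts at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def split_proposal(proposal):
    """Classify the dash-separated tokens of one proposal (keyword heuristic)."""
    out = {"encryption": [], "integrity_or_prf": [], "dh_group": []}
    for tok in proposal.rstrip("!").split("-"):
        kind = ("dh_group" if re.match(r"modp|ecp|curve", tok) else
                "encryption" if re.match(r"aes\d|3des|chacha|camellia", tok) else
                "integrity_or_prf")
        out[kind].append(tok)
    return out

def migration_summary(text, name):
    """Effective settings of one conn: %default values overridden by its own."""
    conns = parse_conns(text)
    cfg = {**conns.get("%default", {}), **conns[name]}
    return {"ike": [split_proposal(p) for p in cfg.get("ike", "").split(",") if p],
            "esp": [split_proposal(p) for p in cfg.get("esp", "").split(",") if p],
            "server_cert": cfg.get("leftcert"),
            "auto": cfg.get("auto"),
            "pools": [p for p in cfg.get("rightsourceip", "").split(",") if p]}
```

For the posted config this shows that `conn IPSec-IKEv2` gets all of its proposals and the server certificate from `%default`, that its own `auto=add` overrides `auto=start`, and that the ESP proposal names no DH group.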

