jamesdavidson · January 25, 2019 08:50
diff --git a/ipsec.conf b/ipsec.conf
 config setup
    uniqueids=no
    charondebug = ike 3, cfg 3

 conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    compress=yes

    ### left - local (server) side
    # filename of certificate chain located in /etc/strongswan/ipsec.d/certs/
    leftcert=fullchain.pem
    leftsendcert=always
    #leftsubnet=0.0.0.0/0,::/0
    leftsubnet=10.1.1.0/24,2a00:1450:400c:c05::/112

    ### right - remote (client) side
    eap_identity=%identity
    #rightsourceip=10.1.1.0/24,2a00:1450:400c:c05::/112
    #rightsourceip=%dhcp
    rightsourceip=10.1.1.22-10.1.1.33
    rightdns=8.8.8.8,2001:4860:4860::8888

 conn ikev2-mschapv2
    rightauth=eap-mschapv2

 conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=overlay.example.com
diff --git a/ipsec.secrets b/ipsec.secrets
 # ipsec.secrets - strongSwan IPsec secrets file

 # filename of private key located in /etc/strongswan/ipsec.d/private/
 : RSA privkey.pem

 # syntax is `username : EAP "plaintextpassword"`
 james : EAP "asdf"
 macbook : EAP "asdf"
diff --git a/overlay.mobileconfig b/overlay.mobileconfig
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
    <!-- Set the name to whatever you like, it is used in the profile list on the device -->
    <key>PayloadDisplayName</key>
    <string>Overlay</string>
    <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
    <key>PayloadIdentifier</key>
    <string>com.example.overlay</string>
    <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
    <key>PayloadUUID</key>
    <string>9f93912b-5fd2-4455-99fd-13b9a47b4581</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
        <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
        <dict>
            <!-- This is an extension of the identifier given above -->
            <key>PayloadIdentifier</key>
            <string>org.example.vpn1.conf1</string>
            <!-- A globally unique identifier for this payload -->
            <key>PayloadUUID</key>
            <string>29e4456d-3f03-4f15-b46f-4225d89465b7</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <!-- This is the name of the VPN connection as seen in the VPN application later -->
            <key>UserDefinedName</key>
            <string>VPN Name</string>
            <key>VPNType</key>
            <string>IKEv2</string>
            <key>IKEv2</key>
            <dict>
                <!-- Hostname or IP address of the VPN server -->
                <key>RemoteAddress</key>
                <string>overlay.example.com</string>
                <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
                     IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
                <key>RemoteIdentifier</key>
                <string>overlay.example.com</string>
                <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
                <key>LocalIdentifier</key>
                <string></string>
                <!-- The server is authenticated using a certificate -->
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <!-- The client uses EAP to authenticate -->
                <key>ExtendedAuthEnabled</key>
                <integer>1</integer>
                -->
                <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
                     IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
                <key>IKESecurityAssociationParameters</key>
                <dict>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-128</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA1-96</string>
                    <key>DiffieHellmanGroup</key>
                    <integer>14</integer>
                </dict>
                <key>ChildSecurityAssociationParameters</key>
                <dict>
                    <key>EncryptionAlgorithm</key>
                    <string>AES-128</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA1-96</string>
                    <key>DiffieHellmanGroup</key>
                    <integer>14</integer>
                </dict>
            </dict>
        </dict>
    </array>
 </dict>
 </plist>
	config setup
	uniqueids=no
	charondebug = ike 3, cfg 3

	conn %default
	dpdaction=clear
	dpddelay=35s
	dpdtimeout=2000s

	keyexchange=ikev2
	auto=add
	rekey=no
	reauth=no
	fragmentation=yes
	compress=yes

	### left - local (server) side
	# filename of certificate chain located in /etc/strongswan/ipsec.d/certs/
	leftcert=fullchain.pem
	leftsendcert=always
	#leftsubnet=0.0.0.0/0,::/0
	leftsubnet=10.1.1.0/24,2a00:1450:400c:c05::/112

	### right - remote (client) side
	eap_identity=%identity
	#rightsourceip=10.1.1.0/24,2a00:1450:400c:c05::/112
	#rightsourceip=%dhcp
	rightsourceip=10.1.1.22-10.1.1.33
	rightdns=8.8.8.8,2001:4860:4860::8888

	conn ikev2-mschapv2
	rightauth=eap-mschapv2

	conn ikev2-mschapv2-apple
	rightauth=eap-mschapv2
	leftid=overlay.example.com
	# ipsec.secrets - strongSwan IPsec secrets file

	# filename of private key located in /etc/strongswan/ipsec.d/private/
	: RSA privkey.pem

	# syntax is `username : EAP "plaintextpassword"`
	james : EAP "asdf"
	macbook : EAP "asdf"
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<!-- Set the name to whatever you like, it is used in the profile list on the device -->
	<key>PayloadDisplayName</key>
	<string>Overlay</string>
	<!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles -->
	<key>PayloadIdentifier</key>
	<string>com.example.overlay</string>
	<!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it -->
	<key>PayloadUUID</key>
	<string>9f93912b-5fd2-4455-99fd-13b9a47b4581</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>PayloadContent</key>
	<array>
	<!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names -->
	<dict>
	<!-- This is an extension of the identifier given above -->
	<key>PayloadIdentifier</key>
	<string>org.example.vpn1.conf1</string>
	<!-- A globally unique identifier for this payload -->
	<key>PayloadUUID</key>
	<string>29e4456d-3f03-4f15-b46f-4225d89465b7</string>
	<key>PayloadType</key>
	<string>com.apple.vpn.managed</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<!-- This is the name of the VPN connection as seen in the VPN application later -->
	<key>UserDefinedName</key>
	<string>VPN Name</string>
	<key>VPNType</key>
	<string>IKEv2</string>
	<key>IKEv2</key>
	<dict>
	<!-- Hostname or IP address of the VPN server -->
	<key>RemoteAddress</key>
	<string>overlay.example.com</string>
	<!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
	IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
	<key>RemoteIdentifier</key>
	<string>overlay.example.com</string>
	<!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
	<key>LocalIdentifier</key>
	<string></string>
	<!-- The server is authenticated using a certificate -->
	<key>AuthenticationMethod</key>
	<string>Certificate</string>
	<!-- The client uses EAP to authenticate -->
	<key>ExtendedAuthEnabled</key>
	<integer>1</integer>
	-->
	<!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
	IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
	<key>IKESecurityAssociationParameters</key>
	<dict>
	<key>EncryptionAlgorithm</key>
	<string>AES-128</string>
	<key>IntegrityAlgorithm</key>
	<string>SHA1-96</string>
	<key>DiffieHellmanGroup</key>
	<integer>14</integer>
	</dict>
	<key>ChildSecurityAssociationParameters</key>
	<dict>
	<key>EncryptionAlgorithm</key>
	<string>AES-128</string>
	<key>IntegrityAlgorithm</key>
	<string>SHA1-96</string>
	<key>DiffieHellmanGroup</key>
	<integer>14</integer>
	</dict>
	</dict>
	</dict>
	</array>
	</dict>
	</plist>