zipcode · January 20, 2017 10:06
diff --git a/ipsec.conf b/ipsec.conf
 ## Install strongswan and use this config file

 ## How to do key management:
 ## Make a root CRT. Do this on a secure machine, not the VPN endpoint.
 # openssl req -x509 -newkey rsa:4096 -days 90 -subj "/CN=My VPN root" -out root.crt
 ## Make a conf file
 # cat > openssl.cnf << EOF
 # [ usr_cert ]
 # basicConstraints=CA:FALSE
 # nsComment                       = "OpenSSL Generated Certificate"
 # subjectKeyIdentifier=hash
 # authorityKeyIdentifier=keyid,issuer
 # subjectAltName=email:move
 # EOF

 ## Make server keys
 # export FQDN="your.server.fqdn"
 # openssl genrsa -out server.pem 2048
 # openssl req -new -subj "/CN=$FQDN" -key server.pem -out server.req
 # openssl x509 -req -CAcreateserial -days 90 -in server.req -CAkey privkey.pem -CA root.crt -out server.crt -extensions usr_cert -extfile <(cat openssl.cnf <(echo "subjectAltName=DNS:$FQDN"))
 ## Copy server.crt to your droplet in /etc/ipsec.d/certs/server.crt
 ## Copy root.crt to your droplet in /etc/ipsec.d/cacerts/root.crt
 ## Copy server.pem to your droplet in /etc/ipsec.d/private/server.pem
 ## Add ": RSA server.pem" to /etc/ipsec.secrets
 ## Clean up:
 # rm server.pem server.req

 ## User certificate request
 # openssl req -newkey rsa:2048 -new -subj "/[email protected]/[email protected]" -keyout user.pem -out user.req
 ## send user.req to your CA machine

 ## On your CA machine
 # openssl x509 -req -CAcreateserial -days 90 -in user.req -CAkey privkey.pem -CA root.crt -out user.crt -extensions usr_cert -extfile openssl.cnf
 ## send user.crt and root.crt back to your user/user machine

 ## On your user machine
 ## Makes a bundle of your cert and secret key
 # openssl pkcs12 -export -out user.p12 -inkey user.pem -in user.crt
 ## This should now be importable in OSX

 ## Finally, set up your user machine as an IKEv2 IPSec client.
 ## Note that OSX presents user settings as "Certificate" "Username" and "None". Choose "None".
 ## After you've chosen "None", you can select a certificate anyway. This is a different option than the
 ## menu item. Choose your user certificate.
 ## Set the "Remote ID" to the server's fqdn as per the certificate.
 ## Set the "local ID" to the user's email address, as per the certificate.
 ca root
     cacert=root.crt
     auto=add

 config setup
 	# strictcrlpolicy=yes
 	# uniqueids = no

 conn vpn
     keyexchange=ikev2
     leftauth=pubkey
     leftcert=server.crt
     leftid="@your.server.fqdn"
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     rightauth=pubkey
     rightca="CN=My VPN root"
     rightdns=8.8.8.8
     rightsourceip=10.0.99.0/24
     auto=add
	## Install strongswan and use this config file

	## How to do key management:
	## Make a root CRT. Do this on a secure machine, not the VPN endpoint.
	# openssl req -x509 -newkey rsa:4096 -days 90 -subj "/CN=My VPN root" -out root.crt
	## Make a conf file
	# cat > openssl.cnf << EOF
	# [ usr_cert ]
	# basicConstraints=CA:FALSE
	# nsComment = "OpenSSL Generated Certificate"
	# subjectKeyIdentifier=hash
	# authorityKeyIdentifier=keyid,issuer
	# subjectAltName=email:move
	# EOF

	## Make server keys
	# export FQDN="your.server.fqdn"
	# openssl genrsa -out server.pem 2048
	# openssl req -new -subj "/CN=$FQDN" -key server.pem -out server.req
	# openssl x509 -req -CAcreateserial -days 90 -in server.req -CAkey privkey.pem -CA root.crt -out server.crt -extensions usr_cert -extfile <(cat openssl.cnf <(echo "subjectAltName=DNS:$FQDN"))
	## Copy server.crt to your droplet in /etc/ipsec.d/certs/server.crt
	## Copy root.crt to your droplet in /etc/ipsec.d/cacerts/root.crt
	## Copy server.pem to your droplet in /etc/ipsec.d/private/server.pem
	## Add ": RSA server.pem" to /etc/ipsec.secrets
	## Clean up:
	# rm server.pem server.req

	## User certificate request
	# openssl req -newkey rsa:2048 -new -subj "/[email protected]/[email protected]" -keyout user.pem -out user.req
	## send user.req to your CA machine

	## On your CA machine
	# openssl x509 -req -CAcreateserial -days 90 -in user.req -CAkey privkey.pem -CA root.crt -out user.crt -extensions usr_cert -extfile openssl.cnf
	## send user.crt and root.crt back to your user/user machine

	## On your user machine
	## Makes a bundle of your cert and secret key
	# openssl pkcs12 -export -out user.p12 -inkey user.pem -in user.crt
	## This should now be importable in OSX

	## Finally, set up your user machine as an IKEv2 IPSec client.
	## Note that OSX presents user settings as "Certificate" "Username" and "None". Choose "None".
	## After you've chosen "None", you can select a certificate anyway. This is a different option than the
	## menu item. Choose your user certificate.
	## Set the "Remote ID" to the server's fqdn as per the certificate.
	## Set the "local ID" to the user's email address, as per the certificate.
	ca root
	cacert=root.crt
	auto=add

	config setup
	# strictcrlpolicy=yes
	# uniqueids = no

	conn vpn
	keyexchange=ikev2
	leftauth=pubkey
	leftcert=server.crt
	leftid="@your.server.fqdn"
	leftsendcert=always
	leftsubnet=0.0.0.0/0
	rightauth=pubkey
	rightca="CN=My VPN root"
	rightdns=8.8.8.8
	rightsourceip=10.0.99.0/24
	auto=add