Install Modul

• apt-get install strongswan strongswan-plugin-xauth-pam

Config

ipsec.conf

• cat /etc/ipsec.conf

conn android_vpn
   left=10.134.2.5
   leftid=@nagus.xxx.de
   leftauth=pubkey
   leftcert=/etc/letsencrypt/live/nagus.xxx.de/fullchain.pem
   leftsendcert=always
   leftsubnet=0.0.0.0/0
   right=%any
   rightauth=xauth-pam
   rightsourceip=10.79.128.0/24
   esp=aes-sha1!
   auto=add

ipsec.secrets

• cat /etc/ipsec.secrets

@nagus.xxx.de : RSA /etc/letsencrypt/live/nagus.xxx.de/privkey.pem

xauth-pam

• /etc/strongswan.d/charon/xauth-pam.conf

xauth-pam {
    load = yes
    pam_service = ipsec
}

pam.d

• cat /etc/pam.d/ipsec

auth    required        pam_listfile.so onerr=fail item=group sense=allow file=/etc/ipsec.group.allow
@include common-auth
@include common-account

group handling

add group

• groupadd vpn

user to group

• gpasswd -a xinux vpn ==ipsec.group.allow==

group.allow

• cat /etc/ipsec.group.allow

vpn

Links

• https://blog.loetzimmer.de/2017/09/ipsec-vpn-mit-strongswan-auf-debian.html