sudo apt-get -y update
sudo apt-get -y install strongswan strongswan-libcharon libcharon-extra-plugins
This download URL for the CA certificate is from Comodo's support site.
sudo curl -o /etc/ipsec.d/cacerts/AddTrustExternalCARoot.pem 'https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/853/29'
Replace my.username@ivacy.com and MyPasswordOnIvacy with your Ivacy username and password, and usla1 with the VPN server you'd like to connect to.
/etc/ipsec.secrets:
my.username@ivacy.com : EAP "MyPasswordOnIvacy"
/etc/ipsec.conf:
conn ivacy-usla1
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity="my.username@ivacy.com"
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=usla1.dns2use.com
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%*.dns2use.com
    rightca=/etc/ipsec.d/cacerts/AddTrustExternalCARoot.pem
    type=tunnel
    auto=add
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
/etc/strongswan.d/charon/constraints.conf:
constraints {
    load = no
}
Points:
- my.username@ivacy.com : EAP "MyPasswordOnIvacy": pay attention to the spaces.
- rightauth=pubkey: use a public key to authenticate the server.
- rightid=%*.dns2use.com: the server's certificate must have *.dns2use.com in SubjectAltName. strongSwan does not support wildcards.
- rightca=...AddTrustExternalCARoot.pem: the server's certificate must be signed by AddTrustExternalCARoot.pem.
- ike=... and esp=...: the IKE algorithms supported by the server; we are mimicking an Apple device.
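As an added example (not from the original post, strongSwan or Ivacy), a small shell script that renders the two files above from variables, so every conn parameter gets the leading whitespace ipsec.conf requires and ipsec.secrets, which holds the plaintext EAP password, ends up mode 0600; the destination directory, identity, password and server name are placeholders passed as arguments.

```sh
# Added example: render ipsec.conf / ipsec.secrets for the Ivacy IKEv2 setup and
# check the two things that commonly go wrong: unindented conn parameters and a
# world-readable secrets file. Requires GNU stat (Linux).
render_ipsec_secrets() {            # $1=EAP identity  $2=password
    printf '%s : EAP "%s"\n' "$1" "$2"
}
render_ipsec_conf() {               # $1=conn name $2=server host $3=EAP identity $4=CA file
    cat <<EOF
conn $1
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity="$3"
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=$2
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%*.dns2use.com
    rightca=$4
    type=tunnel
    auto=add
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,3des-sha1!
EOF
}
# 0 if every parameter line in the given ipsec.conf is indented below its section header
conf_params_indented() {
    awk 'NF == 0 || /^#/ { next }
         /^(conn|ca|config) / { insec = 1; next }
         insec && /^[^ \t]/ { bad = 1 }
         END { exit bad + 0 }' "$1"
}
# 0 only if the secrets file is readable by its owner alone (mode 600)
secrets_perms_ok() {
    [ "$(stat -c %a "$1")" = 600 ]
}
# Write both files under $1 (use /etc as root, or a scratch directory to inspect first)
write_strongswan_files() {          # $1=dest $2=conn $3=host $4=identity $5=password $6=CA
    mkdir -p "$1"
    render_ipsec_conf "$2" "$3" "$4" "$6" > "$1/ipsec.conf"
    rm -f "$1/ipsec.secrets"; ( umask 077; render_ipsec_secrets "$4" "$5" > "$1/ipsec.secrets" )
    conf_params_indented "$1/ipsec.conf" && secrets_perms_ok "$1/ipsec.secrets"
}
```

Run it against a scratch directory first, then copy the files into /etc and `sudo ipsec restart`.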
# restart strongSwan so it reads the new configuration
sudo ipsec restart
# bring the tunnel up, and tear it down again when done
sudo ipsec up ivacy-usla1
sudo ipsec down ivacy-usla1
# inspect the policy rule and the routing table (220) that strongSwan installs for the tunnel
ip rule list
ip route list table 220
Can you share your latest configuration files? The new version has a different way of writing. I'm having problems with the certificate not being validated.