I have a Debian 9 box on which I need to bring up strongSwan. I installed these packages:
ii libcharon-extra-plugins 5.5.1-4+deb9u2 amd64 strongSwan charon library (extra plugins)
ii libstrongswan 5.5.1-4+deb9u2 amd64 strongSwan utility and crypto library
ii libstrongswan-standard-plugins 5.5.1-4+deb9u2 amd64 strongSwan utility and crypto library (standard plugins)
ii strongswan 5.5.1-4+deb9u2 all IPsec VPN solution metapackage
ii strongswan-charon 5.5.1-4+deb9u2 amd64 strongSwan Internet Key Exchange daemon
ii strongswan-ike 5.5.1-4+deb9u2 all strongSwan Internet Key Exchange daemon (transitional package)
ii strongswan-ikev1 5.5.1-4+deb9u2 all strongSwan IKEv1 daemon, transitional package
ii strongswan-ikev2 5.5.1-4+deb9u2 all strongSwan IKEv2 daemon, transitional package
ii strongswan-libcharon 5.5.1-4+deb9u2 amd64 strongSwan charon library
ii strongswan-pki 5.5.1-4+deb9u2 amd64 strongSwan IPsec client, pki command
ii strongswan-starter 5.5.1-4+deb9u2 amd64 strongSwan daemon starter and configuration file parse
I took the ipsec.conf from a working server (it was tested with iPhone, macOS and Windows):
conn %default
    ike = aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024
    esp = aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1
    dpdaction = clear
    # dpddelay = 35s
    # dpdtimeout = 2000s
    dpdtimeout = 5s
    dpddelay = 5s
    fragmentation = yes
    # rekey = no
    left = %any
    leftfirewall = yes
    leftsubnet = 0.0.0.0/0
    leftcert = certificate.pem
    leftsendcert = always
    right = %any
    rightsourceip = 192.168.252.0/24
    rightdns = 8.8.8.8,8.8.4.4
    eap_identity = %identity

# IKEv2
conn IPSec-IKEv2
    keyexchange = ikev2
    auto = add

# BlackBerry, Windows, Android
conn IPSec-IKEv2-EAP
    also = "IPSec-IKEv2"
    rightauth = eap-mschapv2

# macOS, iOS
conn IKEv2-MSCHAPv2-Apple
    also = "IPSec-IKEv2"
    ike = aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024
    esp = aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1
    rightauth = eap-mschapv2
    leftid = vpn server
    leftcert = certificate.pem

# Android IPsec Hybrid RSA
conn IKEv1-Xauth
    keyexchange=ikev1
    rightauth=xauth
    auto=add
I issued a certificate for the VPN server through Let's Encrypt and ran:
cp /etc/letsencrypt/live/vpn/chain.pem /etc/ipsec.d/cacerts/ca.pem
cp /etc/letsencrypt/live/vpn/cert.pem /etc/ipsec.d/certs/certificate.pem
cp /etc/letsencrypt/live/vpn/privkey.pem /etc/ipsec.d/private/key.pem
In /etc/ipsec.secrets I added:
: RSA key.pem
user1 : EAP "pass"
I ran ipsec restart and tried to connect from an Android phone: I pick IPSec Hybrid RSA, enter the VPN server, login and password, and connect. On the server I see:
ipsec status
Security Associations (1 up, 0 connecting):
IKEv1-Xauth[2]: ESTABLISHED 2 seconds ago, 1.2.3.4[CN=vpn_server]...5.6.7.8[192.168.0.100]
IKEv1-Xauth{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cb2a123b_i 04384e97_o
IKEv1-Xauth{2}: 0.0.0.0/0 === 192.168.252.1/32
Everything looks fine, but after 2-3 seconds the connection drops. What could the problem be?
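Added example, not part of the post above and not strongSwan's own tooling: a small stdlib-only Python linter for an ipsec.conf of the shape shown in the post. It resolves `conn %default` and `also=` inheritance the way the file is layered, then flags every IKE/ESP proposal whose DH group or integrity/PRF algorithm is on a deny-list (the post's own lists contain modp1024 and sha1 entries, which this would report), and, for IKEv1 conns, a dpdtimeout that is not longer than dpddelay. The deny-list, the DPD heuristic and the embedded sample config are this example's own choices; the script audits the configuration and does not diagnose the drop the poster asks about.

```python
"""Lint a strongSwan ipsec.conf for weak proposals and aggressive DPD timing.

Example code, not from the forum post and not part of strongSwan.  The
deny-list below and the "dpdtimeout must exceed dpddelay" rule are this
example's own choices, not strongSwan defaults.
"""
import re
from collections import OrderedDict

# Constructed sample: a trimmed config in the style of the one in the post.
SAMPLE_CONF = """\
conn %default
    ike = aes128-sha256-ecp256,aes128-sha1-modp1024
    esp = aes128gcm16-ecp256,aes256-sha1-modp1024,aes128-sha1
    dpdaction = clear
    dpdtimeout = 5s
    dpddelay = 5s
    keyexchange = ikev2

conn IPSec-IKEv2
    auto = add

conn IPSec-IKEv2-EAP
    also = "IPSec-IKEv2"
    rightauth = eap-mschapv2

conn IKEv1-Xauth
    keyexchange=ikev1
    rightauth=xauth
    auto=add
"""

# Algorithm tokens this linter treats as weak (example's own list).
WEAK_TOKENS = {"modp768", "modp1024", "modp1536", "sha1", "md5", "3des"}


def parse_conf(text):
    """Return {conn_name: {key: value}} with %default and also= merged in."""
    raw = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = raw.setdefault(m.group(1), OrderedDict())
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value.strip('"')               # also = "name" -> name
    default = raw.get("%default", {})

    def resolve(name, seen=()):
        if name in seen:
            raise ValueError("also= cycle at %s" % name)
        own = raw[name]
        merged = OrderedDict(default)                  # lowest precedence
        if "also" in own:
            merged.update(resolve(own["also"], seen + (name,)))
        merged.update(own)                             # own keys win
        merged.pop("also", None)
        return merged

    return {n: resolve(n) for n in raw if n != "%default"}


def seconds(value):
    """Parse strongSwan time values such as '5s', '2000s', '3m', '1h'."""
    m = re.match(r"^(\d+)([smhd]?)$", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    mult = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]
    return int(m.group(1)) * mult


def weak_proposals(proposal_list):
    """Return the proposals (e.g. 'aes128-sha1-modp1024') using a weak token."""
    return [p for p in proposal_list.split(",")
            if WEAK_TOKENS & set(p.split("-"))]


def lint(conns):
    """Return a list of (conn_name, message) findings."""
    findings = []
    for name, c in conns.items():
        for key in ("ike", "esp"):
            for p in weak_proposals(c.get(key, "")):
                findings.append((name, "%s proposal %s uses a weak algorithm" % (key, p)))
        # dpdtimeout is an IKEv1 setting; a timeout no longer than the probe
        # interval is a very aggressive liveness policy (example's own rule).
        if (c.get("keyexchange", "ikev2").startswith("ikev1")
                and "dpdtimeout" in c and "dpddelay" in c
                and seconds(c["dpdtimeout"]) <= seconds(c["dpddelay"])):
            findings.append((name, "dpdtimeout %s is not longer than dpddelay %s"
                             % (c["dpdtimeout"], c["dpddelay"])))
    return findings


if __name__ == "__main__":
    for conn, msg in lint(parse_conf(SAMPLE_CONF)):
        print("%s: %s" % (conn, msg))
```

Run it against a real file with `lint(parse_conf(open("/etc/ipsec.conf").read()))`; the sample above yields nine weak-proposal findings (three per conn, all inherited from `%default`) plus one DPD finding for the IKEv1 conn.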