Nerevarishe · August 10, 2019 15:27 · Mar 30, 2017 · Mar 30, 2017 · Mar 30, 2017 · Mar 30, 2017
diff --git a/00README.md b/00README.md
@@ -188,9 +188,9 @@ The `/etc/ipsec.d/p12/$USERNAME.p12` file contains the user's private key and ce
 
 Send the `.p12` file for the user and the `/etc/ipsec.d/cacerts/strongswan.pem` file.
 
-On macOS, double-click the `.p12` file, and enter the password, to add the user's certificate and private key to the keychain using Keychain.app. In Keychain.app you should see the certificate in the My Certificates list of the login keychain, with the user id from above as its name.
+On macOS, double-click the `.p12` file, and enter the password, to add the user's certificate and private key to the keychain using Keychain Access.app. In Keychain Access.app you should see the certificate in the My Certificates list of the login keychain, with the user id from above as its name.
 
-Double-click the `.pem` file to add our CA certificate to the keychain using Keychain.app. Find the CA certificate in the Certificates list of the login keychain, named with your organisation name followed by "Root CA". Double-click to open it. Expand the Trust section, and choose "Always Trust".
+Double-click the `.pem` file to add our CA certificate to the keychain using Keychain Access.app. Find the CA certificate in the Certificates list of the login keychain, named with your organisation name followed by "Root CA". Double-click to open it. Expand the Trust section, and choose "Always Trust".
 
 * Open the Network system preferences pane.
 * Click the + button to add a new connection.

diff --git a/00README.md b/00README.md
@@ -172,7 +172,7 @@ Then run these commands. You will be prompted for a password on the final openss
 ```
 pushd /etc/ipsec.d
 ipsec pki --gen --type rsa --size 2048 --outform der > private/$USERNAME.der
-chmod 600 private/$USERNAME-key.der
+chmod 600 private/$USERNAME.der
 ipsec pki --pub --in private/$USERNAME.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$USERID" --san "$USERID" --outform der > certs/$USERNAME.der
 openssl rsa -inform DER -in private/$USERNAME.der -out private/$USERNAME.pem -outform PEM
 openssl x509 -inform DER -in certs/$USERNAME.der -out certs/$USERNAME.pem -outform PEM

diff --git a/00README.md b/00README.md
@@ -51,7 +51,7 @@ Edit `/etc/ipsec.secrets` to add the `host-vpn.der` private key we generated for
 
 ## Setup ipsec connections
 
-Copy the example `ipsec.conf` into `/etc/ipsec.conf`. Replace `<VPN SERVER ID>` with the value of `$SERVER_NAME` above. Replace `<INTERNAL SUBNET>` with the subnet you want to provide access to in your LAN. If you want to route all internet traffic, use `0.0.0.0/0`, otherwise enter something like `192.168.1.0/24`. Note that you might have trouble if LAN subnet conflicts with subnets the mobile device might otherwise be on. Replace `<LAN DNS SERVERS>` with the appropriate DNS servers for your LAN.
+Copy the example `ipsec.conf` attached to this Gist into `/etc/ipsec.conf`. Replace `<VPN SERVER ID>` with the value of `$SERVER_NAME` above. Replace `<INTERNAL SUBNET>` with the subnet you want to provide access to in your LAN. If you want to route all internet traffic, use `0.0.0.0/0`, otherwise enter something like `192.168.1.0/24`. Note that you might have trouble if LAN subnet conflicts with subnets the mobile device might otherwise be on. Replace `<LAN DNS SERVERS>` with the appropriate DNS servers for your LAN.
 
 Documentation of what the configuration in the `conn` section means: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
 

diff --git a/00README.md b/00README.md
@@ -1,4 +1,4 @@
-# strongSwan setup for Roadwarriors on macOS 10.12, iOS 10 and Windows 10
+# strongSwan setup for Road Warriors on macOS 10.12, iOS 10 and Windows 10
 
 This setup is for remote users to connect into an office/home LAN using a VPN (ipsec). This is based on (but not the same as) the strongSwan documentation and this guide: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
 

diff --git a/00README.md b/00README.md
@@ -182,6 +182,8 @@ popd
 
 The `/etc/ipsec.d/p12/$USERNAME.p12` file contains the user's private key and certificate. It is a binary file. You need to send this file to the user, and send the password (entered above) separately.
 
+## Client setup
+
 ### macOS 10.12
 
 Send the `.p12` file for the user and the `/etc/ipsec.d/cacerts/strongswan.pem` file.
@@ -254,3 +256,14 @@ Send the `.p12` file for the user and the `/etc/ipsec.d/cacerts/strongswan.der`
 * Click "Save"
 
 Then click on the VPN connection you just created and connect.
+
+If you want to route your entire internet connection over the VPN, you need to get to the advanced settings on the IPv4 and enable "Use default gateway on remote network".
+
+* Open the "Network and Sharing Center"
+* Click "Change adapter settings" (left)
+* Right-click on your VPN and choose Properties
+* Click the "Networking" tab.
+* Click "Internet Protocol Version 4 (TCP/IPv4)", then click "Properties"
+* Tick on "Use default gateway on remote network"
+* OK out of all of those screens.
+
diff --git a/00README.md b/00README.md
@@ -72,13 +72,53 @@ Documentation of what the configuration in the `conn` section means: https://wik
 * `eap_identity=%identity` For Windows 10 to work.
 * `auto=add` When strongSwan starts up it should add this connection to its list of connections available to use when a mobile user connects.
 
-## Configure the system
+## Configure the DHCP plugin
+
+If we issue remote clients IPs using our LAN's DHCP server, and the DHCP server is on the same server as the VPN, then we need a little extra configuration. Edit the `/etc/strongswan.d/charon/dhcp.conf` file, consulting the example attached to this Gist. Replace `<LAN BROADCAST ADDRESS>` with the broadcast address of your LAN.
+
+Documentation: https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin
+
+## System configuration
 
 Install the `/etc/sysctl.d/99-strongswan.conf` file listed below, and make sure it's loaded:
 ```
 sysctl -p
 ```
 
+## Network configuration
+
+If your VPN server is not public on the internet, you'll need to setup port forwarding on your internet-facing router.
+
+The following ports must be forwarded to your VPN server:
+* UDP 500
+* UDP 4500 (for nat traversal)
+
+## Firewall configuration
+
+I use Shorewall to control the iptables firewall on my VPN server. Basically you just need to open UDP 500 and 4500. Here's how to do it using Shorewall.
+
+Add the following line to `/etc/shorewall/tunnels`:
+```
+ipsecnat        net     0.0.0.0/0
+```
+
+Add the following line to `/etc/shorewall/zones`, assuming that your network zone is named `net` (if not, substitute):
+```
+vpn:net ipsec   mode=tunnel mss=1024
+```
+
+Add the following line to `/etc/shorewall/hosts`, assuming that the interface your VPN is connected to is `eth0` (if not, substitute):
+```
+vpn     eth0:0.0.0.0/0
+```
+
+Then either configure the `vpn` zone using rules or an entry in `/etc/shorewall/policy`.
+
+Then restart Shorewall:
+```
+shorewall safe-restart
+```
+
 ## Control strongSwan
 
 To startup strongSwan:

diff --git a/\etc\strongswan.d\charon\dhcp.conf b/\etc\strongswan.d\charon\dhcp.conf
@@ -15,6 +15,6 @@ dhcp {
 
     # DHCP server unicast or broadcast IP address.
     # server = 255.255.255.255
-    server = <LAN_BROADCAST_ADDRESS>
+    server = <LAN BROADCAST ADDRESS>
 
 }
diff --git a/00README.md b/00README.md
@@ -61,7 +61,7 @@ Documentation of what the configuration in the `conn` section means: https://wik
 * `dpdaction=clear` When the Dead Peer Detection detects a dead peer it closes the ipsec connection
 * `dpddelay=60s` How often to send the Dead Peer Detection check if the connection is idle. Don't make this too long as some clients close the connection themselves if it is idle for much longer than this.
 * `left=%any` We don't need to know what our IP address. Just use one of our IP addresses at runtime, depending upon how the client connected.
-* `leftid=...` This is the "Remote ID" string that macOS and iOS clients use. I suggest using your server name, as above.
+* `leftid=...` This is the "Remote ID" string that macOS and iOS clients use. I suggest using your server's fully-qualified domain name, as above.
 * `leftsubnet=...` As above.
 * `leftcert=host-vpn.der` The certificate representing the server that we created above.
 * `leftsendcert=always` See https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX which notes that we should agressively send our certificate so the user doesn't need to install it.
@@ -72,15 +72,53 @@ Documentation of what the configuration in the `conn` section means: https://wik
 * `eap_identity=%identity` For Windows 10 to work.
 * `auto=add` When strongSwan starts up it should add this connection to its list of connections available to use when a mobile user connects.
 
+## Configure the system
+
+Install the `/etc/sysctl.d/99-strongswan.conf` file listed below, and make sure it's loaded:
+```
+sysctl -p
+```
+
+## Control strongSwan
+
+To startup strongSwan:
+```
+ipsec start
+```
+
+To stop it:
+```
+ipsec stop
+```
+
+To reload the configuration from `/etc/ipsec.conf` when you've made changes, but without interfering with any existing connected users:
+```
+ipsec reload
+```
+
+To restart strongSwan when you've made configuration changes, or want to bump connected users:
+```
+ipsec restart
+```
+
+To get the status of established strongSwan connections:
+```
+ipsec status
+```
+
+To get more details of strongSwan's status:
+```
+ipsec statusall
+```
+
 ## Create user certificates
 
-We use certificates to authenticate users. This works on macOS 10.12, iOS 10 and Windows 10.
+We use certificates to authenticate users. This works on macOS 10.12, iOS 10 and Windows 10. So next you need to create user certificates so that you can connect to the VPN.
 
-The username should be a string that is okay as a filename, and doesn't contain any spaces. Like a username. The user id is usually an email address.
+Set the variables first. The username should be a string that is okay as a filename, and doesn't contain any spaces. Like a username. The user id is usually an email address.
 
 Note that we store the user files in the same directories as the CA and host ones. So don't use `strongswan` as a username, or `host-vpn`, or you'll overwrite your previous files!
 
-Set these variables appropriately first:
 ```
 NAME=John Doe
 USERNAME=jdoe
@@ -103,3 +141,76 @@ popd
 ```
 
 The `/etc/ipsec.d/p12/$USERNAME.p12` file contains the user's private key and certificate. It is a binary file. You need to send this file to the user, and send the password (entered above) separately.
+
+### macOS 10.12
+
+Send the `.p12` file for the user and the `/etc/ipsec.d/cacerts/strongswan.pem` file.
+
+On macOS, double-click the `.p12` file, and enter the password, to add the user's certificate and private key to the keychain using Keychain.app. In Keychain.app you should see the certificate in the My Certificates list of the login keychain, with the user id from above as its name.
+
+Double-click the `.pem` file to add our CA certificate to the keychain using Keychain.app. Find the CA certificate in the Certificates list of the login keychain, named with your organisation name followed by "Root CA". Double-click to open it. Expand the Trust section, and choose "Always Trust".
+
+* Open the Network system preferences pane.
+* Click the + button to add a new connection.
+  * Interface: VPN
+  * VPN Type: IKEv2
+  * Service Name: A name of your choice
+  * Click "Create", then fill in the details for the connection:
+* Server Address: the fully-qualified domain name (or IP) of your VPN server
+* Remote ID: the same as the Server Address, unless you've done something different with your `leftid`
+* Local ID: the user id, and name on your user certificate, probably the email address
+* Click "Authentication Settings…"
+  * Choose "Certificate" from the dropdown for authentication settings
+  * Click "Select…" and choose the certificate matching the Local ID you entered above.
+  * Click "OK" to close the Authentication Settings sheet.
+* Click "Connect" to connect your VPN.
+
+### iOS 10
+
+One way to get the `.p12` file and CA cert (`/etc/ipsec.d/cacerts/strongswan.pem`) onto an iOS device is to put them on a web server and browse to them. Another is to use the Apple Configurator application.
+
+The web server approach is pretty easy. Browse to each file and follow the prompts to add them to your profiles.
+
+* Open the Settings app
+* Open the VPN settings
+* Tap "Add VPN Configuration…"
+  * Type: IKEv2
+  * Description: Anything here
+  * Server: the fully-qualified domain name (or IP) of your VPN server
+  * Remote ID: the same as the Server Address, unless you've done something different with your `leftid`
+  * Local ID: the user id, and name on your user certificate, probably the email address
+  * User Authentication: Certificate
+  * Certificate: choose the certificate matching the Local ID you entered above.
+  * Done
+
+You can now connect to the VPN from your iOS device.
+
+### Windows 10
+
+Send the `.p12` file for the user and the `/etc/ipsec.d/cacerts/strongswan.der` file, but rename `strongswan.der` to `strongswan.cer`. That will make it easier to use on Windows.
+
+* On Windows 10, double-click the `.p12` file to open the Certificate Import Wizard.
+* Choose "Current User" and click "Next".
+* Check the file path, and click "Next" again.
+* Enter the password for the `.p12` file that you used above. The default import options are fine (just "Include all extended properties" is ticked)
+* Choose "Automatically select the certificate store..." and click Next (it will choose the Personal certificate store, which is good).
+* Click Finish.
+
+* Open the "Manage computer certificates" control panel (use the search from the Windows menu)
+* Right-click on "Trusted Root Certification Authorities" in the tree, and choose All Tasks > Import…
+* The Store Location will be "Local Machine". If not you need to exit out of the app and make sure you are in the computer certificates control panel, not the user certificates. Click Next.
+* Browse for `strongswan.cer`. Click Next. (If the file is named `strongswan.der`, then you'll need to change the file type dropdown to All Files)
+* The certificate store option will be the specific store, "Trusted Root Certification Authoritities". Click Next.
+* Click Finish.
+
+* Open the "Change virtual private networks (VPN)" control panel.
+* Click the "Add a VPN connection" button
+* VPN provider: Windows (built-in)
+* Connection name: A name of your choice
+* Server name or address: the fully-qualified domain name (or IP) of your VPN server
+* VPN type: IKEv2
+* Type of sign-in info: Certificate
+* User name and Password can stay blank
+* Click "Save"
+
+Then click on the VPN connection you just created and connect.
diff --git a/\etc\sysctl.d\99-vpn.conf → \etc\sysctl.d\99-strongswan.conf b/\etc\sysctl.d\99-vpn.conf → \etc\sysctl.d\99-strongswan.conf
diff --git a/00README.md b/00README.md
@@ -41,30 +41,65 @@ ipsec pki --pub --in private/host-vpn.der --type rsa | ipsec pki --issue --lifet
 
 ipsec pki --print --in certs/host-vpn.der
 
+mkdir -p p12
 popd
 ```
 
 Note: if you want to use "Remote ID" to let clients choose between connection profiles, then you need to add them as SANs above, as strongSwan will only let you use `leftids` that are named in your host cert.
 
+Edit `/etc/ipsec.secrets` to add the `host-vpn.der` private key we generated for the host above (see the example file in this Gist).
+
+## Setup ipsec connections
+
+Copy the example `ipsec.conf` into `/etc/ipsec.conf`. Replace `<VPN SERVER ID>` with the value of `$SERVER_NAME` above. Replace `<INTERNAL SUBNET>` with the subnet you want to provide access to in your LAN. If you want to route all internet traffic, use `0.0.0.0/0`, otherwise enter something like `192.168.1.0/24`. Note that you might have trouble if LAN subnet conflicts with subnets the mobile device might otherwise be on. Replace `<LAN DNS SERVERS>` with the appropriate DNS servers for your LAN.
+
+Documentation of what the configuration in the `conn` section means: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
+
+* `keyexchange=ikev2` We use the modern key exchange protocol. This works on all of the platforms we want to support.
+* `ike=...` A list of cipher suites as recommended by the guide linked above
+* `esp=...` ditto
+* `dpdaction=clear` When the Dead Peer Detection detects a dead peer it closes the ipsec connection
+* `dpddelay=60s` How often to send the Dead Peer Detection check if the connection is idle. Don't make this too long as some clients close the connection themselves if it is idle for much longer than this.
+* `left=%any` We don't need to know what our IP address. Just use one of our IP addresses at runtime, depending upon how the client connected.
+* `leftid=...` This is the "Remote ID" string that macOS and iOS clients use. I suggest using your server name, as above.
+* `leftsubnet=...` As above.
+* `leftcert=host-vpn.der` The certificate representing the server that we created above.
+* `leftsendcert=always` See https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX which notes that we should agressively send our certificate so the user doesn't need to install it.
+* `right=%any` Our mobile users could have any IP address
+* `rightauth=eap-tls` This activates user authentication on the client. More below.
+* `rightsourceip=%dhcp` Use our network's DHCP server to issue an IP address. You can also just give a subnet here, or an IP address range, e.g. `10.1.1.50-10.1.1.70`
+* `rightdns=...` DNS servers to give to the mobile user. Probably the same DNS servers you use on your LAN.
+* `eap_identity=%identity` For Windows 10 to work.
+* `auto=add` When strongSwan starts up it should add this connection to its list of connections available to use when a mobile user connects.
 
 ## Create user certificates
 
+We use certificates to authenticate users. This works on macOS 10.12, iOS 10 and Windows 10.
+
 The username should be a string that is okay as a filename, and doesn't contain any spaces. Like a username. The user id is usually an email address.
 
 Note that we store the user files in the same directories as the CA and host ones. So don't use `strongswan` as a username, or `host-vpn`, or you'll overwrite your previous files!
 
-
+Set these variables appropriately first:
 ```
-USERNAME=XXXX
-[email protected]
+NAME=John Doe
+USERNAME=jdoe
+[email protected]
 COUNTRY_CODE=XX
 ORGANISATION=XXXXX
+```
 
+Then run these commands. You will be prompted for a password on the final openssl command. This password protects the `.p12` file that contains the private key and certificate for the user. I suggest making up a random password for each `.p12` file.
+
+```
 pushd /etc/ipsec.d
 ipsec pki --gen --type rsa --size 2048 --outform der > private/$USERNAME.der
 chmod 600 private/$USERNAME-key.der
 ipsec pki --pub --in private/$USERNAME.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$USERID" --san "$USERID" --outform der > certs/$USERNAME.der
+openssl rsa -inform DER -in private/$USERNAME.der -out private/$USERNAME.pem -outform PEM
+openssl x509 -inform DER -in certs/$USERNAME.der -out certs/$USERNAME.pem -outform PEM
+openssl pkcs12 -export -inkey private/$USERNAME.pem -in certs/$USERNAME.pem -name "$NAME's VPN Certificate" -certfile cacerts/strongswan.pem -caname "$ORGANISATION Root CA" -out p12/$USERNAME.p12
 popd
 ```
 
-In `ipsec.conf` replace `<VPN_SERVER_ID>` with the 
+The `/etc/ipsec.d/p12/$USERNAME.p12` file contains the user's private key and certificate. It is a binary file. You need to send this file to the user, and send the password (entered above) separately.
diff --git a/\etc\ipsec.conf b/\etc\ipsec.conf
@@ -8,14 +8,14 @@ conn roadwarrior
     dpdaction=clear
     dpddelay=60s
     left=%any
-    leftid=<VPN_SERVER_ID>
+    leftid=<VPN SERVER ID>
     #leftsubnet=0.0.0.0/0
     leftsubnet=<INTERNAL SUBNET>
-    leftcert=vpnHostCert.der
+    leftcert=host-vpn.der
     leftsendcert=always
     right=%any
     rightauth=eap-tls
     rightsourceip=%dhcp
-    rightdns=8.8.8.8,2001:4860:4860::8888
-    auto=add
-    eap_identity=%identity
+    rightdns=<LAN DNS SERVERS>
+    eap_identity=%identity
+    auto=add
diff --git a/00README.md b/00README.md
@@ -1 +1,70 @@
-# strongSwan setup for Roadwarriors on macOS 10.12, iOS 10 and Windows 10
+# strongSwan setup for Roadwarriors on macOS 10.12, iOS 10 and Windows 10
+
+This setup is for remote users to connect into an office/home LAN using a VPN (ipsec). This is based on (but not the same as) the strongSwan documentation and this guide: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
+
+I used strongSwan 5.5.1.
+
+```
+apt-get install -y strongswan strongswan-pki
+```
+
+## Create server certificate and certificate authority
+
+Replace the variables below with appropriate values for your organisation. Then copy and paste line by line.
+
+```
+COUNTRY_CODE=XX
+ORGANISATION=XXXXX
+SERVER_NAME=vpn.example.com
+IP_ADDRESS=<public ip of the vpn server>
+
+pushd /etc/ipsec.d/
+```
+
+Create self-signed certificate authority (CA):
+```
+ipsec pki --gen --type rsa --size 4096 --outform der > private/strongswan.der
+chmod 600 private/strongswan.der
+
+ipsec pki --self --ca --lifetime 3650 --in private/strongswan.der --type rsa --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$ORGANISATION Root CA" --outform der > cacerts/strongswan.der
+openssl x509 -inform DER -in cacerts/strongswan.der -out cacerts/strongswan.pem -outform PEM
+
+ipsec pki --print --in cacerts/strongswan.der
+```
+
+Create host key:
+```
+ipsec pki --gen --type rsa --size 4096 --outform der > private/host-vpn.der
+chmod 600 private/host-vpn.der
+
+ipsec pki --pub --in private/host-vpn.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$SERVER_NAME" --san=$SERVER_NAME --san $IP_ADDRESS  --san @$IP_ADDRESS --flag serverAuth --flag ikeIntermediate --outform der > certs/host-vpn.der
+
+ipsec pki --print --in certs/host-vpn.der
+
+popd
+```
+
+Note: if you want to use "Remote ID" to let clients choose between connection profiles, then you need to add them as SANs above, as strongSwan will only let you use `leftids` that are named in your host cert.
+
+
+## Create user certificates
+
+The username should be a string that is okay as a filename, and doesn't contain any spaces. Like a username. The user id is usually an email address.
+
+Note that we store the user files in the same directories as the CA and host ones. So don't use `strongswan` as a username, or `host-vpn`, or you'll overwrite your previous files!
+
+
+```
+USERNAME=XXXX
+[email protected]
+COUNTRY_CODE=XX
+ORGANISATION=XXXXX
+
+pushd /etc/ipsec.d
+ipsec pki --gen --type rsa --size 2048 --outform der > private/$USERNAME.der
+chmod 600 private/$USERNAME-key.der
+ipsec pki --pub --in private/$USERNAME.der --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswan.der --cakey private/strongswan.der --dn "C=$COUNTRY_CODE, O=$ORGANISATION, CN=$USERID" --san "$USERID" --outform der > certs/$USERNAME.der
+popd
+```
+
+In `ipsec.conf` replace `<VPN_SERVER_ID>` with the 
diff --git a/\etc\ipsec.conf b/\etc\ipsec.conf
@@ -1,5 +1,5 @@
 config setup
-    charondebug="all"
+    #charondebug="all"
 
 conn roadwarrior
     keyexchange=ikev2
@@ -8,7 +8,7 @@ conn roadwarrior
     dpdaction=clear
     dpddelay=60s
     left=%any
-    leftid=<VPN_SERVER_IP>
+    leftid=<VPN_SERVER_ID>
     #leftsubnet=0.0.0.0/0
     leftsubnet=<INTERNAL SUBNET>
     leftcert=vpnHostCert.der

diff --git a/\etc\ipsec.secrets b/\etc\ipsec.secrets
@@ -0,0 +1,6 @@
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
+: RSA host-vpn.der
diff --git a/\etc\strongswan.d\charon\dhcp.conf b/\etc\strongswan.d\charon\dhcp.conf
@@ -15,6 +15,6 @@ dhcp {
 
     # DHCP server unicast or broadcast IP address.
     # server = 255.255.255.255
-    server = 10.1.255.255
+    server = <LAN_BROADCAST_ADDRESS>
 
 }
diff --git a/ipsec.conf → \etc\ipsec.conf b/ipsec.conf → \etc\ipsec.conf
diff --git a/dhcp.conf → \etc\strongswan.d\charon\dhcp.conf b/dhcp.conf → \etc\strongswan.d\charon\dhcp.conf
diff --git a/\etc\sysctl.d\99-vpn.conf b/\etc\sysctl.d\99-vpn.conf
@@ -0,0 +1,2 @@
+# IP forwarding so VPN can forward to and from the VPN to the local lan, and internet
+net.ipv4.ip_forward=1
diff --git a/strongswan-roadwarrior.md → 00README.md b/strongswan-roadwarrior.md → 00README.md
diff --git a/dhcp.conf b/dhcp.conf
@@ -0,0 +1,20 @@
+dhcp {
+
+    # Always use the configured server address.
+    force_server_address = yes
+
+    # Derive user-defined MAC address from hash of IKE identity.
+    #identity_lease = no
+
+    # Interface name the plugin uses for address allocation.
+    # interface =
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # DHCP server unicast or broadcast IP address.
+    # server = 255.255.255.255
+    server = 10.1.255.255
+
+}
diff --git a/ipsec.conf b/ipsec.conf
@@ -0,0 +1,21 @@
+config setup
+    charondebug="all"
+
+conn roadwarrior
+    keyexchange=ikev2
+    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
+    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
+    dpdaction=clear
+    dpddelay=60s
+    left=%any
+    leftid=<VPN_SERVER_IP>
+    #leftsubnet=0.0.0.0/0
+    leftsubnet=<INTERNAL SUBNET>
+    leftcert=vpnHostCert.der
+    leftsendcert=always
+    right=%any
+    rightauth=eap-tls
+    rightsourceip=%dhcp
+    rightdns=8.8.8.8,2001:4860:4860::8888
+    auto=add
+    eap_identity=%identity
diff --git a/strongswan-roadwarrior.md b/strongswan-roadwarrior.md
@@ -0,0 +1 @@
+# strongSwan setup for Roadwarriors on macOS 10.12, iOS 10 and Windows 10
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# IP forwarding so VPN can forward to and from the VPN to the local lan, and internet
		net.ipv4.ip_forward=1
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# strongSwan setup for Roadwarriors on macOS 10.12, iOS 10 and Windows 10