clivetyphon · August 23, 2024 05:11 · Jun 11, 2017 · Jun 11, 2017 · Jun 11, 2017 · Jun 11, 2017
diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -9,7 +9,7 @@ The goal here is to provide quick and easy but secure client VPN that can be con
  - Windows
  - OSX
 
-[OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an super easy client VPN solution to roll out to inexperienced and non-technical users, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview), try this alternative. VPN server setup is also very quick and easy in this implementation.
+[OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want a super easy client VPN solution to roll out to inexperienced and non-technical remote access users, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview), try this alternative. VPN server setup is also very quick and easy in this implementation.
 
 In the examples, the following assumptions have been made:
  - [OpenWrt](https://wiki.openwrt.org/doc/howto/vpn.ipsec.basics) is the gateway VPN server (any Linux box can be used, just install `strongswan` using the appropriate package manager).

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -1,4 +1,4 @@
-# Easy client VPN for all major platforms using Strongswan IPsec
+# Easy client VPN for all major platforms using strongSwan IPsec
 
 ## Overview
 
@@ -20,12 +20,12 @@ In the examples, the following assumptions have been made:
 VPN configuration choices:
  - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 gains adequate support across all of the main platforms, I would switch to it straight away.
  - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
- - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without issuing a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
+ - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without issuing a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, strongSwans XAUTH works well.
  - Split tunnel: While split tunnel creates a potential security risk in that the client could create a bridge, you can trick the client OS and create a bridge with a full tunnel anyway. Split tunnel prevents unnecessary load on the gateway and faster connectivity for VPN clients who may need simultaneous LAN and internet access.
 
 ## Install packages on server/gateway
 
-Install strongswan:
+Install strongSwan:
 ```
 # opkg update
 # opkg install strongswan-full
@@ -40,7 +40,7 @@ As I prefer to tinker with different configurations, I install the full package.
 
 ## Configure server/gateway
 There are 4 files to configure:
-1. `/etc/strongswan.conf`: Strongswan configuration file
+1. `/etc/strongswan.conf`: strongSwan configuration file
 2. `/etc/ipsec.conf`: Tunnel definitions
 3. `/etc/ipsec.secrets`: List of secrets and keys
 4. `/etc/config/firewall`: Firewall changes to allow VPN traffic
@@ -64,7 +64,7 @@ libstrongswan {
 
 ### /etc/ipsec.conf
 
-This is the heart of the strongswan configuration. There are literally hundreds of thousands of connection configurations possible by adjusting the connection parameters, which can be daunting. You don't have to understand every parameter option but do take the time to gain a basic understanding of the [IPsec protocol suite](https://en.wikipedia.org/wiki/IPsec), [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and the various authentication methods.
+This is the heart of the strongSwan configuration. There are literally hundreds of thousands of connection configurations possible by adjusting the connection parameters, which can be daunting. You don't have to understand every parameter option but do take the time to gain a basic understanding of the [IPsec protocol suite](https://en.wikipedia.org/wiki/IPsec), [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and the various authentication methods.
 
 To keep things modular, break up config sections and inherit parameters with `also=conn-name`. In this example, I have a `roadwarrior-base` for all client VPN as I have other connections available. I also may have site-to-site VPN configured so have any common parameters to all connections in `conn %default`.
 ```
@@ -102,7 +102,7 @@ conn rw-ikev1-psk-xauth-splittun
 
 If you want full tunnel for added security, replace `leftsubnet=10.1.1.0/24` with `leftsubnet=0.0.0.0/0`.
 
-If you want to try IKEv2, you can use the following config. You'll need to install the [strongswan app for Android](https://play.google.com/store/apps/details?id=org.strongswan.android&hl=en).
+If you want to try IKEv2, you can use the following config. You'll need to install the [strongSwan app for Android](https://play.google.com/store/apps/details?id=org.strongswan.android&hl=en).
 Native iOS IKEv2 only allows certificate OR username/password OR PSK, not a combination, to keep things simple I've chosen PSK authentication:
 ```
 # stronger faster ikev2 but not supported on Android yet
@@ -114,7 +114,7 @@ conn rw-ikev2-psk-splittun
         authby=secret 
 ```
 
-Without blowing your mind, for many more examples, head to the [strongswan website](https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples).
+Without blowing your mind, for many more examples, head to the [strongSwan website](https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples).
 
 ```
 conn rw-ikev2-psk-xauth-splittun                                   

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -18,7 +18,7 @@ In the examples, the following assumptions have been made:
  - The virtual IP address pool for VPN clients is `10.1.2.0/16`
 
 VPN configuration choices:
- - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
+ - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 gains adequate support across all of the main platforms, I would switch to it straight away.
  - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
  - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without issuing a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
  - Split tunnel: While split tunnel creates a potential security risk in that the client could create a bridge, you can trick the client OS and create a bridge with a full tunnel anyway. Split tunnel prevents unnecessary load on the gateway and faster connectivity for VPN clients who may need simultaneous LAN and internet access.

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -12,7 +12,7 @@ The goal here is to provide quick and easy but secure client VPN that can be con
 [OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an super easy client VPN solution to roll out to inexperienced and non-technical users, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview), try this alternative. VPN server setup is also very quick and easy in this implementation.
 
 In the examples, the following assumptions have been made:
- - OpenWrt is the gateway VPN server (any Linux box can be used, just install `strongswan` using the appropriate package manager).
+ - [OpenWrt](https://wiki.openwrt.org/doc/howto/vpn.ipsec.basics) is the gateway VPN server (any Linux box can be used, just install `strongswan` using the appropriate package manager).
  - The gateway router has WAN side FQDN is `gateway.example.com`. If no FQDN, just substitute for the IP address.
  - The gateway inside LAN to be accessed is `10.1.1.0/24`
  - The virtual IP address pool for VPN clients is `10.1.2.0/16`

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -9,9 +9,7 @@ The goal here is to provide quick and easy but secure client VPN that can be con
  - Windows
  - OSX
 
-The configuration should provide strong security but also be super simple for clients to configure, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview).
-
-[OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an easy client VPN solution to roll out to inexperienced and non-technical users, try this alternative. VPN server setup is also very quick and easy in this version.
+[OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an super easy client VPN solution to roll out to inexperienced and non-technical users, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview), try this alternative. VPN server setup is also very quick and easy in this implementation.
 
 In the examples, the following assumptions have been made:
  - OpenWrt is the gateway VPN server (any Linux box can be used, just install `strongswan` using the appropriate package manager).

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -47,7 +47,7 @@ There are 4 files to configure:
 3. `/etc/ipsec.secrets`: List of secrets and keys
 4. `/etc/config/firewall`: Firewall changes to allow VPN traffic
 
-## strongswan.conf
+### /etc/strongswan.conf
 ```
 charon {
         threads = 16
@@ -64,7 +64,7 @@ libstrongswan {
 }
 ```
 
-## ipsec.conf
+### /etc/ipsec.conf
 
 This is the heart of the strongswan configuration. There are literally hundreds of thousands of connection configurations possible by adjusting the connection parameters, which can be daunting. You don't have to understand every parameter option but do take the time to gain a basic understanding of the [IPsec protocol suite](https://en.wikipedia.org/wiki/IPsec), [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and the various authentication methods.
 
@@ -126,7 +126,7 @@ conn rw-ikev2-psk-xauth-splittun
         authby=secret
 ```
 
-### ipsec.secrets
+### /etc/ipsec.secrets
 There are more secure ways of storing passwords than in plain text on the VPN server but this exercise we will drop them in the `/etc/ipsec.secrets` file:
 
 ```

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -1,5 +1,7 @@
 # Easy client VPN for all major platforms using Strongswan IPsec
 
+## Overview
+
 The goal here is to provide quick and easy but secure client VPN that can be configured natively without any additional software on:
  - Linux
  - iOS

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -64,7 +64,7 @@ libstrongswan {
 
 ## ipsec.conf
 
-This is the heart of the strongswan configuration. There are literally hundreds of thousands of connection configurations possible based on the adjusting the connection parameters, which can be daunting. You don't have to understand every parameter option but take the time to understand the [IPsec protocol suite](https://en.wikipedia.org/wiki/IPsec), [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and the various authentication methods.
+This is the heart of the strongswan configuration. There are literally hundreds of thousands of connection configurations possible by adjusting the connection parameters, which can be daunting. You don't have to understand every parameter option but do take the time to gain a basic understanding of the [IPsec protocol suite](https://en.wikipedia.org/wiki/IPsec), [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and the various authentication methods.
 
 To keep things modular, break up config sections and inherit parameters with `also=conn-name`. In this example, I have a `roadwarrior-base` for all client VPN as I have other connections available. I also may have site-to-site VPN configured so have any common parameters to all connections in `conn %default`.
 ```

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -21,7 +21,7 @@ VPN configuration choices:
  - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
  - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
  - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without issuing a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
- - Split tunnel: While split tunnel creates a potential security risk in that the client could create a bridge, you can trick the client OS and create a bridge with a full tunnel anyway. Split tunnel prevents unnecessary load on the gateway and quicker web browsing for VPN clients who may need simltaneous LAN and internet access.
+ - Split tunnel: While split tunnel creates a potential security risk in that the client could create a bridge, you can trick the client OS and create a bridge with a full tunnel anyway. Split tunnel prevents unnecessary load on the gateway and faster connectivity for VPN clients who may need simultaneous LAN and internet access.
 
 ## Install packages on server/gateway
 

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -21,7 +21,7 @@ VPN configuration choices:
  - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
  - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
  - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without issuing a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
- - Split tunnel: While split tunnel creates a security risk in that the client could create a bridge, you can easily create a bridge with full tunnel anyway 
+ - Split tunnel: While split tunnel creates a potential security risk in that the client could create a bridge, you can trick the client OS and create a bridge with a full tunnel anyway. Split tunnel prevents unnecessary load on the gateway and quicker web browsing for VPN clients who may need simltaneous LAN and internet access.
 
 ## Install packages on server/gateway
 

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -20,7 +20,7 @@ In the examples, the following assumptions have been made:
 VPN configuration choices:
  - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
  - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
- - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without using a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
+ - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without issuing a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
  - Split tunnel: While split tunnel creates a security risk in that the client could create a bridge, you can easily create a bridge with full tunnel anyway 
 
 ## Install packages on server/gateway

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -18,7 +18,7 @@ In the examples, the following assumptions have been made:
  - The virtual IP address pool for VPN clients is `10.1.2.0/16`
 
 VPN configuration choices:
- - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existant on Android). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
+ - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existent on Android at time of writing). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
  - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
  - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without using a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
  - Split tunnel: While split tunnel creates a security risk in that the client could create a bridge, you can easily create a bridge with full tunnel anyway 

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -19,7 +19,7 @@ In the examples, the following assumptions have been made:
 
 VPN configuration choices:
  - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existant on Android). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
- - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can can copied from an email and pasted into the editor.
+ - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can be easily typed or copied from an email and pasted into the native VPN editor.
  - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without using a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
  - Split tunnel: While split tunnel creates a security risk in that the client could create a bridge, you can easily create a bridge with full tunnel anyway 
 

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -9,10 +9,10 @@ The goal here is to provide quick and easy but secure client VPN that can be con
 
 The configuration should provide strong security but also be super simple for clients to configure, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview).
 
-[OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an easy client VPN solution to roll out to inexperienced and non-technical users, try this alternative.
+[OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an easy client VPN solution to roll out to inexperienced and non-technical users, try this alternative. VPN server setup is also very quick and easy in this version.
 
 In the examples, the following assumptions have been made:
- - OpenWrt is the gateway VPN server (any Linux box can be used, just install using the appropriate package manager).
+ - OpenWrt is the gateway VPN server (any Linux box can be used, just install `strongswan` using the appropriate package manager).
  - The gateway router has WAN side FQDN is `gateway.example.com`. If no FQDN, just substitute for the IP address.
  - The gateway inside LAN to be accessed is `10.1.1.0/24`
  - The virtual IP address pool for VPN clients is `10.1.2.0/16`

diff --git a/easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan.md
@@ -6,6 +6,7 @@ The goal here is to provide quick and easy but secure client VPN that can be con
  - Android
  - Windows
  - OSX
+
 The configuration should provide strong security but also be super simple for clients to configure, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview).
 
 [OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an easy client VPN solution to roll out to inexperienced and non-technical users, try this alternative.

diff --git a/easy-client-vpn-strongswan → easy-client-vpn-strongswan.md b/easy-client-vpn-strongswan → easy-client-vpn-strongswan.md
diff --git a/easy-client-vpn-strongswan b/easy-client-vpn-strongswan
@@ -0,0 +1,207 @@
+# Easy client VPN for all major platforms using Strongswan IPsec
+
+The goal here is to provide quick and easy but secure client VPN that can be configured natively without any additional software on:
+ - Linux
+ - iOS
+ - Android
+ - Windows
+ - OSX
+The configuration should provide strong security but also be super simple for clients to configure, similar to the philsophy of [Cisco Meraki client VPN](https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview).
+
+[OpenWrt IPsec Road Warrior Configuration](https://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) by tmomas is an excellent resource for configuring client VPN. However, if you want an easy client VPN solution to roll out to inexperienced and non-technical users, try this alternative.
+
+In the examples, the following assumptions have been made:
+ - OpenWrt is the gateway VPN server (any Linux box can be used, just install using the appropriate package manager).
+ - The gateway router has WAN side FQDN is `gateway.example.com`. If no FQDN, just substitute for the IP address.
+ - The gateway inside LAN to be accessed is `10.1.1.0/24`
+ - The virtual IP address pool for VPN clients is `10.1.2.0/16`
+
+VPN configuration choices:
+ - IKEv1: While IKEv2 is better, faster and stronger, native support on many platforms is still limited (and non-existant on Android). As soon as IKEv2 realises adequate support across all of the main platforms, I would switch to it straight away.
+ - Pre-shared key: Certificates are hard to set up on the client and hard to maintain. A PSK, on the other hand, can can copied from an email and pasted into the editor.
+ - XAUTH: Adds an extra layer of security, so that client access can be quickly revoked without using a new PSK. L2TP requires additional packages and configuration and is non-intuitive on OpenWrt, Strongswans XAUTH works well.
+ - Split tunnel: While split tunnel creates a security risk in that the client could create a bridge, you can easily create a bridge with full tunnel anyway 
+
+## Install packages on server/gateway
+
+Install strongswan:
+```
+# opkg update
+# opkg install strongswan-full
+```
+
+If you are light on storage, the minimum number of modules can be installed with:
+```
+opkg install strongswan-default strongswan-mod-xxx strongswan-mod-yyy...
+```
+
+As I prefer to tinker with different configurations, I install the full package.
+
+## Configure server/gateway
+There are 4 files to configure:
+1. `/etc/strongswan.conf`: Strongswan configuration file
+2. `/etc/ipsec.conf`: Tunnel definitions
+3. `/etc/ipsec.secrets`: List of secrets and keys
+4. `/etc/config/firewall`: Firewall changes to allow VPN traffic
+
+## strongswan.conf
+```
+charon {
+        threads = 16
+        dns1 = 10.1.1.1
+        nbns1 = 10.1.1.1
+}
+pluto {
+
+}
+libstrongswan {
+        crypto_test {
+                on_add = yes
+        }
+}
+```
+
+## ipsec.conf
+
+This is the heart of the strongswan configuration. There are literally hundreds of thousands of connection configurations possible based on the adjusting the connection parameters, which can be daunting. You don't have to understand every parameter option but take the time to understand the [IPsec protocol suite](https://en.wikipedia.org/wiki/IPsec), [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and the various authentication methods.
+
+To keep things modular, break up config sections and inherit parameters with `also=conn-name`. In this example, I have a `roadwarrior-base` for all client VPN as I have other connections available. I also may have site-to-site VPN configured so have any common parameters to all connections in `conn %default`.
+```
+conn %default                 
+        ikelifetime=60m         
+        keylife=20m           
+        rekeymargin=3m                                
+        keyingtries=1              
+
+conn roadwarrior-base        
+        left=%any                                           
+        [email protected]
+        leftfirewall=yes
+        right=%any
+        rightsourceip=10.1.2.0/16
+        auto=add
+
+# iOS, Android, Linux and Windows friendly remote access VPN
+# need keyexchange=ikev1 as Android doesnt support ikev2
+# leftsubnet is inside LAN only for split tunnelling or 0.0.0.0/0 for full tunnel
+# save on data usage and just use local subnet, less secure though
+# rightsourceip is the VPN address pool
+# 2-step security:
+# 1. pre-shared key
+# 2. xauth
+# use vitual IP address pool to control VPN clients 'rightsourceip'
+conn rw-ikev1-psk-xauth-splittun
+        also=roadwarrior-base
+        keyexchange=ikev1
+        leftsubnet=10.1.1.0/24,::/0
+        leftauth=psk
+        rightauth=psk
+        rightauth2=xauth
+```
+
+If you want full tunnel for added security, replace `leftsubnet=10.1.1.0/24` with `leftsubnet=0.0.0.0/0`.
+
+If you want to try IKEv2, you can use the following config. You'll need to install the [strongswan app for Android](https://play.google.com/store/apps/details?id=org.strongswan.android&hl=en).
+Native iOS IKEv2 only allows certificate OR username/password OR PSK, not a combination, to keep things simple I've chosen PSK authentication:
+```
+# stronger faster ikev2 but not supported on Android yet
+# auth with pre-shared key
+conn rw-ikev2-psk-splittun                                   
+        also=roadwarrior-base   
+        keyexchange=ikev2    
+        leftsubnet=10.1.1.0/24,::/0                     
+        authby=secret 
+```
+
+Without blowing your mind, for many more examples, head to the [strongswan website](https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples).
+
+```
+conn rw-ikev2-psk-xauth-splittun                                   
+        also=roadwarrior-base   
+        keyexchange=ikev2    
+        leftsubnet=10.1.1.0/24,::/0                       
+        authby=secret
+```
+
+### ipsec.secrets
+There are more secure ways of storing passwords than in plain text on the VPN server but this exercise we will drop them in the `/etc/ipsec.secrets` file:
+
+```
+# pre-shared key
+gateway.example.com %any : PSK "my super secret pre-shared key goes here"
+
+# XAUTH
+[email protected] : XAUTH "password 1"
+[email protected] : XAUTH "password 2"
+```
+### firewall
+We need to edit the firewall rules to allow the following incoming traffic:
+ - UDP port 500
+ - UDP port 4500
+ - Encapsulating Security Payload (ESP) IP protocol 50
+ - Authentication Header (AH) IP protocol 51
+
+Make sure if the VPN server is behind a NAT router, the device has port forwards set up. UDP 500 and UDP 4500 should be sufficient.
+
+In OpenWrt, edit `/etc/config/firewall`:
+```
+config rule
+        option src 'wan'
+        option name 'IPSec ESP'
+        option proto 'esp'
+        option target 'ACCEPT'
+
+config rule
+        option src 'wan'
+        option name 'IPSec IKE'
+        option proto 'udp'
+        option dest_port '500'
+        option target 'ACCEPT'
+
+config rule
+        option src 'wan'
+        option name 'IPSec NAT-T'
+        option proto 'udp'
+        option dest_port '4500'
+        option target 'ACCEPT'
+
+config rule
+        option src 'wan'
+        option name 'Auth Header'
+        option proto 'ah'
+        option target 'ACCEPT'
+```
+
+## Restart services
+On Openwrt:
+```
+# /etc/init.d/ipsec restart
+```
+
+## Troubleshooting
+In a seperate ssh session, open a live log. In OpenWrt:
+```
+# logread && logread -f
+```
+
+Also check with:
+```
+# ipsec statusall
+```
+
+## Configure client VPN
+
+### Android
+TODO
+
+### iOS
+TODO
+
+### Windows
+TODO
+
+### Mac OSX
+TODO
+
+### Linux
+TODO
No results found