libreswan ipsec.conf

setup.sh

#!/bin/bash -euxo pipefail

PUBLIC_IP=$1
OUT_DIR=${PWD}/out
ETC_DIR=${OUT_DIR}/etc

mkdir -p ${ETC_DIR}/ipsec.d


cat >> ${ETC_DIR}/ipsec.conf <<EOF
conn ikev2-cp
  left=%defaultroute
  leftcert=$PUBLIC_IP
  leftid=@$PUBLIC_IP
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=192.168.43.10-192.168.43.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike-frag=yes
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
EOF

## For 3.19-3.22
cat >> ${ETC_DIR}/ipsec.conf <<EOF
  modecfgdns1=8.8.8.8
  modecfgdns2=8.8.4.4
  encapsulation=yes
EOF

## Generate the server certificate
certutil -z <(head -c 1024 /dev/urandom) \
  -S -x -n "IKEv2 VPN CA" \
  -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
  -k rsa -g 4096 -v 36 \
  -d sql:${ETC_DIR}/ipsec.d -t "CT,," -2

## Generate the client certificate
certutil -z <(head -c 1024 /dev/urandom) \
  -S -c "IKEv2 VPN CA" -n "vpnclient" \
  -s "O=IKEv2 VPN,CN=vpnclient" \
  -k rsa -g 4096 -v 36 \
  -d sql:${ETC_DIR}/ipsec.d -t ",," \
  --keyUsage digitalSignature,keyEncipherment \
  --extKeyUsage serverAuth,clientAuth -8 "vpnclient"


pk12util -o ${OUT_DIR}/vpnclient.p12 -n "vpnclient" -d sql:${ETC_DIR}/ipsec.d

## (For macOS and iOS clients) Export the CA certificate as vpnca.cer:
certutil -L -d sql:${ETC_DIR}/ipsec.d -n "IKEv2 VPN CA" -a -o ${OUT_DIR}/vpnca.cer

## Show Result
certutil -L -d sql:${ETC_DIR}/ipsec.d