chd/deployments/serverBuild
2019-10-20 15:41:11 -05:00
before.rules Update gitignore for keys, add before.rules file. 2019-09-28 17:45:10 -05:00
hosts.yml Add new linux host to hosts.yml 2019-10-20 15:41:11 -05:00
ipsec.conf Update ipsec.conf to reflect the attempt at s2s 2019-09-28 23:15:39 -05:00
onprem.yml Create file to handle on prem debian server deployments 2019-10-20 15:40:42 -05:00
readme.md Include basic information on a few flat files of note. 2019-09-28 17:46:03 -05:00
serverbuild.yml Add task to restart sshd to enforce banning root logons 2019-09-27 18:13:47 -05:00
sysctl.conf Configure files that will be pushed to remote in deploy. 2019-09-28 17:45:32 -05:00
vpnBuild.yml a bunch of updates, with some new ways of doing old things 2019-09-28 23:16:11 -05:00

serverbuild

this is a mess of a directory right now. sorry about that.

ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

charondebug sets per-subsystem log levels for the charon daemon: IKE and kernel-interface (knl) messages at level 1, config loading (cfg) silent. uniqueids=no lets one identity hold more than one IKE SA at a time, i.e. a user can stay connected from two devices; the default (yes) replaces the older session when the same identity connects again. Handy for debugging, but it also means a shared or leaked password goes unnoticed.

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes

This starts the conn stanza. auto=add loads the connection when the daemon starts but does not initiate anything (clients connect in); keyexchange=ikev2 limits it to IKEv2. fragmentation=yes allows IKE-level fragmentation so large messages (we send our cert) survive paths that drop fragmented UDP, forceencaps=yes wraps ESP in UDP/4500 even when no NAT is detected (helps clients behind broken middleboxes), and compress=no turns off IPComp. Note there is no ike= or esp= line here, so strongSwan's built-in default proposals are used; pin them to known-good suites before trusting this in production.

    dpdaction=clear
    dpddelay=300s
    rekey=no

dpd is dead peer detection. dpddelay=300s sends a liveness check every 5 minutes on an idle SA, and dpdaction=clear tears the SA down when the client stops answering (e.g. it got disconnected without sending a delete). rekey=no stops the server from initiating IKE/CHILD_SA rekeying; the client does the rekeying instead.

    left=%any
    leftid=@vpn.awful.club
    leftcert=awful-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

in strongswan's grammar, "left" is the local side (the server here) and "right" is the remote peer. %any is a wildcard: for left it means listen on any local address instead of binding to one IP. leftid=@vpn.awful.club is the identity the server asserts (the @ means "use this string as an FQDN, don't resolve it"). leftcert is the server certificate, looked up relative to /etc/ipsec.d/certs, and it must be the cert for the private key in ipsec.secrets. leftsendcert=always sends that cert to every client so they can verify it against its CA. leftsubnet=0.0.0.0/0 offers the whole internet through the tunnel, i.e. this is a full-tunnel VPN.

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,1.0.0.1
    rightsendcert=never

"right" is the client side. right=%any and rightid=%any accept connections from any address with any IKE identity; the real authentication is the EAP exchange. rightauth=eap-mschapv2 makes clients authenticate with a username and password via EAP-MSCHAPv2, checked against the EAP entries in ipsec.secrets. rightsourceip=10.10.10.0/24 is the pool of virtual IPs handed out to clients, rightdns pushes Cloudflare's resolvers to them, and rightsendcert=never says we never expect a client certificate.

    eap_identity=%identity

eap_identity=%identity makes the server ask the client for its EAP identity (the username) via an EAP-Identity exchange and use that to look up the secret, instead of the IKE identity the client presented (which can be anything, since rightid=%any). Without it the EAP lookup is done by IKE identity and the username/password entries below won't match.

ipsec.secrets

this file contains: secrets. for the love of god change the values. It has to be owned by root with mode 0600, it must never be committed to git, and charon only re-reads it on restart or `ipsec rereadsecrets`.

: RSA "server-key.pem"

the empty selector before the colon means "any local identity". RSA is the key type (not a cipher), and the quoted path, relative to /etc/ipsec.d/private, is where the server's private key lives. it must be the key behind leftcert in ipsec.conf.

your_username : EAP "your_password"

one line per user: the EAP identity, a colon, the type EAP, then the password in quotes. this is what rightauth=eap-mschapv2 checks against, so the passwords sit here in plaintext; anyone who can read this file can log in as every user.
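The conn stanza and the secrets file have to agree with each other, and it is easy to ship one without the other. The script below is an added example for this readme, not code from the repo: it parses an ipsec.conf and an ipsec.secrets in the formats shown above and reports the things worth checking before deploying (uniqueids=no, missing ike=/esp= proposals, leftcert with no matching key entry, rightauth=eap-* without EAP entries or without eap_identity=%identity, placeholder or short passwords, and a secrets file readable by other users). CONF_TEXT and SECRETS_TEXT are constructed samples trimmed from the stanzas above, with the placeholders left in on purpose; the lint rules are my own choices, not something strongSwan ships.

```python
"""Lint a strongSwan ipsec.conf + ipsec.secrets pair before deploying it.

Added example for this readme, not code from the repo.  CONF_TEXT and
SECRETS_TEXT are constructed samples trimmed from the readme's stanzas,
placeholders left in on purpose.  The checks are the author's own list of
things to verify on a fresh box, not anything strongSwan enforces itself.
"""
import os
import shlex
import stat

CONF_TEXT = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    dpdaction=clear
    rekey=no
    left=%any
    leftid=@vpn.awful.club
    leftcert=awful-server-cert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
"""

SECRETS_TEXT = """\
# constructed sample: same shape as the readme, placeholders unchanged
: RSA "server-key.pem"
your_username : EAP "your_password"
"""

PLACEHOLDERS = {"your_username", "your_password"}   # the readme's stand-in values
PRIVKEY_TYPES = {"RSA", "ECDSA"}                    # secret types that can back leftcert


def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' headers to their key=value settings.

    Section headers sit at column 0; the settings are indented underneath.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Return [(selectors, TYPE, secret)] from lines like  [id ...] : TYPE "secret"."""
    entries = []
    for raw in text.splitlines():
        if ":" not in raw or raw.lstrip().startswith("#"):
            continue
        selectors, rest = raw.split(":", 1)
        tokens = shlex.split(rest, comments=True)   # honours quotes, drops trailing comments
        if len(tokens) >= 2:
            entries.append((selectors.split(), tokens[0].upper(), tokens[1]))
    return entries


def lint(sections, secrets, secrets_mode=None):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    findings = []
    if sections.get("config setup", {}).get("uniqueids", "yes").lower() == "no":
        findings.append("uniqueids=no: one account can hold several IKE SAs at once, "
                        "so a shared or leaked password is not noticed")
    types = {t for _, t, _ in secrets}
    for name, conn in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        if "leftcert" in conn and not types & PRIVKEY_TYPES:
            findings.append(f"{name}: leftcert set but no RSA/ECDSA key entry in ipsec.secrets")
        rightauth = conn.get("rightauth", "")
        if rightauth.startswith("eap"):
            if "EAP" not in types:
                findings.append(f"{name}: rightauth={rightauth} but no EAP entries in ipsec.secrets")
            if conn.get("eap_identity") != "%identity":
                findings.append(f"{name}: eap_identity is not %identity, so secrets are looked "
                                "up by IKE identity instead of the EAP username")
        for proposal in ("ike", "esp"):
            if proposal not in conn:
                findings.append(f"{name}: no {proposal}= line, daemon default proposals apply; pin them")
    for selectors, typ, secret in secrets:
        if typ != "EAP":
            continue
        who = " ".join(selectors) or "<any>"
        if set(selectors) & PLACEHOLDERS or secret in PLACEHOLDERS:
            findings.append(f"EAP entry {who}: readme placeholder never changed")
        elif len(secret) < 12:
            findings.append(f"EAP entry {who}: password shorter than 12 characters")
    if secrets_mode is not None and secrets_mode & 0o077:
        findings.append(f"ipsec.secrets mode {secrets_mode:04o} is readable by group/other; chmod 600 it")
    return findings


def secrets_file_mode(path):
    """Permission bits of an on-disk ipsec.secrets, for passing to lint()."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # On a real host: lint(parse_ipsec_conf(open("/etc/ipsec.conf").read()), ...,
    #                      secrets_file_mode("/etc/ipsec.secrets"))
    for finding in lint(parse_ipsec_conf(CONF_TEXT), parse_ipsec_secrets(SECRETS_TEXT), 0o644):
        print("-", finding)
```

Run against the readme's own stanza it reports uniqueids=no, the two missing proposal lines and the untouched placeholder; swap in a real EAP line and only the config findings remain. The parser is deliberately minimal (no `include` handling, no `conn %default` inheritance), so treat it as a pre-deploy sanity check rather than a full ipsec.conf implementation.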