VPN
We use strongSwan, in particular the IKEv2 EAP-MD5 with pubkey authentication mechanism, which is no more susceptible to dictionary attacks than EAP-MSCHAPv2 anyway.
N.B. we would use EAP-TTLS, but the strongSwan Android client does not support it.
Usage
Start off by creating an account for yourself by editing `/var/lib/strongswan/ipsec.secrets.inc`.
Once done, type `sudo ipsec rereadsecrets`.
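The page does not show what an entry in that file looks like. As an added example (not part of the original page), these shell functions print one in strongSwan's `ipsec.secrets` EAP syntax with a randomly generated secret, which matters because EAP-MD5 is exposed to dictionary attacks. The function names are hypothetical and `bob@wormnet.eu` is the page's example username.

```shell
#!/bin/sh
# Added example: build an EAP line for ipsec.secrets.inc with a random secret.
# Function names are illustrative, not part of strongSwan.

# Print a random secret as hex; N bytes of entropy (default 16 = 128 bits).
gen_password() {
    bytes="${1:-16}"
    # od emits space-separated hex bytes; strip the whitespace.
    od -An -N"$bytes" -tx1 /dev/urandom | tr -d ' \n'
}

# Print one ipsec.secrets line of the form:  user : EAP "secret"
# $1 = EAP identity (username), $2 = secret (optional, random if omitted)
eap_entry() {
    user="$1"
    secret="${2:-$(gen_password)}"

    # Allow only characters that cannot break the file's tokenising
    # (no whitespace, quotes, ':' or '#').
    case "$user" in
        ''|*[!A-Za-z0-9@._-]*)
            echo "invalid username" >&2
            return 1 ;;
    esac

    # The secret is written inside double quotes, so it must not contain one.
    case "$secret" in
        ''|*\"*)
            echo "invalid secret" >&2
            return 1 ;;
    esac

    printf '%s : EAP "%s"\n' "$user" "$secret"
}

# Usage (prints the line, including the secret you will type into the client):
#   eap_entry bob@wormnet.eu
```

Append the printed line to `/var/lib/strongswan/ipsec.secrets.inc`, then reload the secrets as described above.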
Assuming you are using strongSwan on Android:
- open the app
- select 'Add VPN Profile'
- set the server name to `marmot.wormnet.eu`
- set the VPN Type to 'IKEv2 EAP (Username/Password)' (*not* with certificate)
- set your username to `bob@wormnet.eu`
- enter your password
- (optionally) uncheck 'Select automatically' under CA certificate and set 'Digital Signature Trust Co. (DST Root CA X3)' as the CA
- click on save
You should be able to tap the newly created profile and just connect; all your traffic should flow via marmot now.
Troubleshooting
If you are unable to use the Android strongSwan client, or do not have an IKEv2 client, then you probably need to add an IKEv1 mechanism to the configuration. Do ask (Alex) for help if you cannot be bothered to do this yourself.
For debugging, you may find it helpful to `tail -F` the log `/var/log/daemon.log`.