User Tools

Site Tools


This is an old revision of the document!

Table of Contents


We use strongSwan, in particular the IKEv2 EAP-MD5 with pubkey authentication mechanism; no more susceptable to dictionary attacks than EAP-MSCHAPv2 anyway.

N.B. we would use EAP-TTLS, but the strongSwan Android client does not support it.


Start off by creating an account for yourself by editing:


Assuming you are using strongSwan on Android:

  1. open the app
  2. select 'Add VPN Profile'
  3. set the server name to
  4. set the VPN Type to 'IKEv2 EAP (Username/Password)' (*not* with certificate)
  5. set your username to ``
  6. enter in your password
  7. (optionally) uncheck 'Select automatically' under CA certificate and set 'Digital Signature Trust Co. (DST Root CA X3)' as the CA
  8. click on save

You should be able to tap the newly created profile and just connect; all your traffic should flow via marmot now.


If you are unable to use the Android strongSwan client, or do not have an IKEv2 client, then you probably need to add an IKEv1 mechanism to the configuration. Do ask (Alex) for help if you cannot be bothered to do this yourself.

For debugging, you may find the log /var/log/daemon.log helpful to tail -F.

vpn.1490085814.txt.gz · Last modified: 2017/03/21 08:43 by alex