
VPN Strongswan

To establish a VPN connection, you need to fulfill the following:

• Confirm the network terms and conditions


• Your password must not be expired

You can check both in your Settings.

Contents
• 1 Installation
♦ 1.1 Package management with Debian Wheezy and Jessie
♦ 1.2 Compile with Linux Mint (18)
• 2 Configuration
♦ 2.1 Preparation
♦ 2.2 strongswan.conf
♦ 2.3 ipsec.conf
♦ 2.4 ipsec.secrets
• 3 Open / Close the VPN connection

Installation
Please perform only one of the following installation instructions and pay attention to the remarks at the end of each instruction!

Package management with Debian Wheezy and Jessie


Wheezy: Add the following source to /etc/apt/sources.list to get the newest Strongswan version:
deb http://http.debian.net/debian wheezy-backports main

Execute the following commands after this:


apt-get update
apt-get -t wheezy-backports install ca-certificates strongswan libcharon-extra-plugins libstrongswan-extra-plugins libstrongswan-standard-plug

Jessie:

Execute the following commands:


apt-get update
apt-get install ca-certificates strongswan libcharon-extra-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins

Additionally, you need to add the following lines to the init script (/etc/init.d/ipsec):
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs

Create links to the following configuration files:


ln -s /etc/strongswan.conf ~/Downloads/strongswan/
ln -s /etc/ipsec.conf ~/Downloads/strongswan/
ln -s /etc/ipsec.secrets ~/Downloads/strongswan/

Compile with Linux Mint (18)


If you want to compile it manually, you need to use the terminal. Open the start menu at the bottom left side, and search for "Terminal" and start it.
Change to the directory of your choice. Here is an example of creating a new directory in "Downloads" and then switching into it.
mkdir ~/Downloads/strongswan
cd ~/Downloads/strongswan/

After you have switched into your strongswan directory, download the newest version of strongswan (here 5.5.1) and unzip the archive. Use the following commands to perform this:
wget https://download.strongswan.org/strongswan.tar.gz
tar -xzvf strongswan.tar.gz

Your directory should now contain two new elements. Check it with the command "ls". You should see something like this:

Change to the directory of your downloaded version. Switch to "root" to execute the commands with the highest privileges. Download and install the following packages:
cd strongswan-5.5.1/
sudo su
apt-get install libc-dev-bin libc6-dev libgmp-dev \
libgmpxx4ldbl libcurl3 libcurl4-openssl-dev \
libssl-dev zlib1g-dev

Set important parameters with "./configure ...". These are needed to ensure a correct installation of Strongswan:
./configure --enable-curl --enable-eap-mschapv2 \
--enable-eap-identity --enable-openssl
Finally, compile and install the program with:
make
make install
exit

Create links to the following configuration files:


ln -s /usr/local/etc/strongswan.conf ~/Downloads/strongswan/
ln -s /usr/local/etc/ipsec.conf ~/Downloads/strongswan/
ln -s /usr/local/etc/ipsec.secrets ~/Downloads/strongswan/

Please note:

If you no longer need the packages used to compile Strongswan, you can remove them with:
sudo apt-get remove libc-dev-bin libc6-dev libgmp-dev zlib1g-dev \
libcurl4-openssl-dev libssl-dev

It is possible to uninstall Strongswan at any time, as long as the directory into which Strongswan was downloaded (here Downloads/Strongswan) has not been deleted. Open the Terminal, change to your Strongswan directory and execute the following command:
make uninstall

This is also needed if you want to upgrade Strongswan to a newer version.

Configuration
After the installation, the following files need to be edited:
~/Downloads/strongswan/strongswan.conf
~/Downloads/strongswan/ipsec.conf
~/Downloads/strongswan/ipsec.secrets

Preparation
If you installed and compiled Strongswan manually, use the following command to create a link to the Deutsche Telekom root CA certificate:
ln -s /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem /usr/local/etc/ipsec.d/cacerts/

If you installed Strongswan with your package manager, use this command instead:
ln -s /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem /etc/ipsec.d/cacerts/

strongswan.conf
Open strongswan.conf with the editor of your choice (nano is used here).
sudo nano ~/Downloads/strongswan/strongswan.conf

This file must only contain the following text:


charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-msc
}

Everything other than this is unnecessary and will sabotage the connection.

ipsec.conf
Open ipsec.conf with the editor of your choice (nano is used here).
sudo nano ~/Downloads/strongswan/ipsec.conf

You must add the following text to the file:


conn hsmw-vpn
    keyexchange=ikev2
    left=%defaultroute
    leftid=%any
    leftauth=eap
    eap_identity=username@hs-mittweida.de
    leftsourceip=%config
    leftdns=%config4
    leftfirewall=no
    right=141.55.128.84
    rightid=@vpn4.hs-mittweida.de
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    auto=add

Everything else in this file is needed and should not be deleted.

ipsec.secrets
Open ipsec.secrets with the editor of your choice (nano is used here).
sudo nano ~/Downloads/strongswan/ipsec.secrets

You can add the following to this file:


username@hs-mittweida.de : EAP "K3nnw0rt"
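
A small audit of the two files edited above, as an added example that is not part of the original guide: it reads the hsmw-vpn section from ipsec.conf and checks that the gateway is authenticated by certificate with a pinned rightid, and that the ipsec.secrets file holding the plaintext EAP password is not accessible to group or others. The function names, messages and the script name audit.sh are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are assumptions.

# conn_value FILE CONN KEY: print the value of KEY inside section "conn CONN".
conn_value() {
    awk -v conn="$2" -v key="$3" '
        /^conn[ \t]+/ { in_conn = ($2 == conn); next }  # header starts in column 0
        /^[^ \t#]/    { in_conn = 0 }                   # other unindented line ends it
        in_conn {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq && substr(line, 1, eq - 1) == key) { print substr(line, eq + 1); exit }
        }
    ' "$1"
}

# audit_conn FILE CONN: print one finding per line; succeed only if there are none.
audit_conn() {
    findings=0
    [ "$(conn_value "$1" "$2" keyexchange)" = "ikev2" ] ||
        { echo "keyexchange is not ikev2"; findings=$((findings + 1)); }
    [ "$(conn_value "$1" "$2" rightauth)" = "pubkey" ] ||
        { echo "rightauth is not pubkey: gateway not authenticated by certificate"
          findings=$((findings + 1)); }
    case "$(conn_value "$1" "$2" rightid)" in
        ""|%any) echo "rightid does not pin the gateway identity"
                 findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# secrets_mode_ok FILE: succeed only if group and others have no access.
# -L follows the ~/Downloads/strongswan symlink to the real file.
secrets_mode_ok() {
    perms=$(ls -ldL -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: sh audit.sh /etc/ipsec.conf /etc/ipsec.secrets
if [ "$#" -eq 2 ]; then
    audit_conn "$1" hsmw-vpn
    secrets_mode_ok "$2" || echo "ipsec.secrets is accessible to group or others"
fi
```

For a manually compiled installation, pass the files under /usr/local/etc instead.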

Open / Close the VPN connection


To establish a VPN tunnel, the following command needs to be executed:
ipsec up hsmw-vpn

You can close the VPN tunnel with this command:


ipsec down hsmw-vpn

Reminder: If you installed and compiled strongswan manually, you need to start your ipsec service manually, too. Execute the following command:
ipsec start
