Configuration help - conversion from charon-cmd to ipsec.conf

[jdpayne1969]

Hi,
I have a successful VPN setup on a VPS. I can connect my macOS and iOS devices successfully. I can also connect with another linux device with the charon-cmd. My issue is that the charon-cmd prompts for the password and I cannot script this to start on boot. I'm sure I should be able to do this with the normal strongswan systemctl and ipsec.conf file. The problem is I have not for the life of me got the correct ipsec.conf file. I need to map the following charon-cmd to an ipsec.conf file:

charon-cmd --host my_server_public_ip --identity vpn_id --cert /etc/ipsec.d/cacerts/server-root-ca.pem --profile ikev2-eap --esp-proposal aes256-sha2_256

Another solution would be how to pass the password to the charon-cmd via script so my connection can start on boot.

Any help would be great. I know this should be easy, but I'm struggling.

Thanks in advance,
Jeff

[Thermi]

just specify the password as EAP type secret with your eap_id (seems to be same as vpn_id) and the password as the secret value.

[jdpayne1969]

Thank you for taking the time to reply. Are you referring to something on the charon-cmd line or in ipsec.conf?

I got further with ipsec.conf (below). Connection is established with a tunnel IP address, but the routes don't seem to be added like charon-cmd did.

conn strongvpn
keyexchange=ike
dpdaction=clear
dpddelay=300s
eap_identity=vpn_id
leftauth=eap-mschapv2
left=%defaultroute
leftsourceip=%config
right=my_server_public_ip
rightauth=pubkey
rightsubnet=0.0.0.0/0
type=tunnel
#strongvpn
auto=add

Thank you,
Jeff

[Thermi]

The secret goes into ipsec.secrets.
Please use "```" for providing your config, so the indentations are kept (I believe it helps with that).

EDIT: Regarding the "missing" routes, please create a debug log (#196) and provide it.