Setting Up strongSwan VPN in Ubuntu

Create CA

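# Install strongSwan from wheezy-backports and create the root CA.
# NOTE(review): the page title says Ubuntu, but this enables a Debian
# wheezy-backports repository — confirm the target distribution before use.
set -euo pipefail

# Private keys are created by shell redirection; with the default umask the
# file is world-readable for the instant before any later chmod. Restricting
# the umask first closes that window for every key written below.
umask 077

echo "deb http://ftp.debian.org/debian wheezy-backports main" > /etc/apt/sources.list.d/wheezy-backports.list
apt-get -t wheezy-backports install strongswan libcharon-extra-plugins
ipsec version

# Everything below uses paths relative to /etc/ipsec.d; never continue in the
# wrong directory, or keys end up somewhere unprotected.
cd /etc/ipsec.d/ || exit 1

# CA private key (4096-bit RSA, PEM). It signs every host and client
# certificate, so it is the most sensitive file produced on this page.
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
chmod 600 private/strongswanKey.pem

# Self-signed root CA certificate, valid for 3650 days (10 years).
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa \
  --dn "C=ID, O=example, CN=example Root CA" --outform pem > cacerts/strongswanCert.pem

# Inspect subject, validity and key size before issuing anything with it.
ipsec pki --print --in cacerts/strongswanCert.pem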

Create VPN Host Certificate

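# Issue the VPN host (server) certificate, signed by the CA created above.
# The host name is parameterised so the same steps work for other gateways;
# the default reproduces the original value.
vpn_host=${VPN_HOST:-vpn.example.com}

# Keep the key private from the moment the file is created (see umask note
# in the CA section); chmod alone leaves a brief world-readable window.
umask 077
cd /etc/ipsec.d/ || exit 1

ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem

# Derive the public key and have the CA sign it. --san must carry the name
# clients connect to, and serverAuth/ikeIntermediate are the EKU flags some
# client platforms require on the gateway certificate. Note: without
# `set -o pipefail` a failure of the first stage of this pipeline is masked.
ipsec pki --pub --in private/vpnHostKey.pem --type rsa \
  | ipsec pki --issue --lifetime 3650 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
      --dn "C=ID, O=example, CN=example, CN=${vpn_host}" --san "$vpn_host" \
      --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

# Verify the issued certificate (subject, SAN, flags) before deploying it.
ipsec pki --print --in certs/vpnHostCert.pem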

Create Client Certificate

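# Issue a client certificate and bundle it with its key into a PKCS#12 file.
# The client identity is parameterised; the default reproduces the original.
client=${CLIENT_ID:-admin@example.com}

# Private material must not be world-readable at any point.
umask 077
cd /etc/ipsec.d/ || exit 1

ipsec pki --gen --type rsa --size 2048 --outform pem > "private/${client}.pem"
chmod 600 "private/${client}.pem"

# Sign the client's public key with the CA. Without `set -o pipefail` a
# failure in the first stage of this pipeline is masked by the second.
ipsec pki --pub --in "private/${client}.pem" --type rsa \
  | ipsec pki --issue --lifetime 3650 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
      --dn "C=ID, O=gilaya, CN=${client}" --san "$client" --outform pem > "certs/${client}.pem"

# Bundle key + certificate + CA for import on the client. openssl prompts for
# an export password interactively; the .p12 contains the private key, so it
# is protected like one. -name/-caname are only friendly names inside the
# bundle and do not need to match the certificate subjects.
openssl pkcs12 -export -inkey "private/${client}.pem" -in "certs/${client}.pem" \
  -name "example VPN Certificate" -certfile cacerts/strongswanCert.pem \
  -caname "gilaya Root CA" -out "${client}.p12"
chmod 600 "${client}.p12"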

Setting Up Configuration

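# Configure strongSwan, enable forwarding and open the firewall for IKE/ESP.
# The outbound interface and the gateway's public address are parameterised;
# the defaults reproduce the original values.
wan_if=${WAN_IF:-eth0}
public_ip=${VPN_PUBLIC_IP:-128.199.227.133}

# Connection and secret definitions are edited interactively here.
vim /etc/ipsec.conf
vim /etc/ipsec.secrets

# Kernel settings: these /proc writes take effect immediately but do not
# survive a reboot — persist them in /etc/sysctl.conf (or sysctl.d) as well.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Source-NAT client traffic leaving via the WAN interface, except ESP itself.
# Note: enabling ip_forward makes the FORWARD chain policy decisive; confirm it
# only allows the VPN client subnet rather than forwarding everything.
iptables -t nat -A POSTROUTING -o "$wan_if" ! -p esp -j SNAT --to-source "$public_ip"

# IKE (500/udp), NAT-T (4500/udp) and ESP. `-j` is the documented jump flag
# (the original `--j` relied on long-option abbreviation). Rules added with
# -A are not persistent; save them with your distribution's mechanism.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT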