Oct 10, 2018

How to set up VPN user accounts

The VPN users are configured in the /etc/ipsec.secrets file.
vim /etc/ipsec.secrets
Example content:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA vpnHostKey.der
: PSK 8cv+NkxY9LLZvwj4qCC2o/gGrWDF8d21jL

i88ca : EAP "qCC2o/gGL4qCC2o/gG"
spiderman : XAUTH "xauth_ikev1_example_password"
In the example above, the RSA private key file vpnHostKey.der, stored in the /etc/openswan.d/private/ directory, is not protected by symmetric encryption (a passphrase), so only the file permissions protect it.
The PSK for IKEv1 connections is also defined.
The format of the EAP MSCHAPv2 user credentials is:
[<domain>\]<username> : EAP "<plaintext password>"
Add as many users as you like. The first line (the RSA host key) lets any user with a valid certificate use the VPN; the other lines let users without a certificate log in with a username and password. The spaces between the username, the colon (:) and EAP are required.
Certificates are much more secure.
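As an added example (not part of the original post and not strongSwan's own parser), here is a small Python checker for the entry format described above: it splits each line into selectors, secret type and secret, flags entries that omit the whitespace around the colon, and flags RSA/ECDSA key files listed without a passphrase. The sample file and its values are constructed for the example; the optional "<passphrase>" after the key file name follows the ipsec.secrets format.

```python
import re

# Splits "selectors : TYPE secret"; ws1/ws2 capture the whitespace around the
# colon so entries that omit the " : " separator can be flagged.
_SEP = re.compile(r"^(?P<sel>[^:]*?)(?P<ws1>\s*):(?P<ws2>\s*)(?P<rest>.*)$")

def _token(s):
    """Return (first secret token, remainder), honouring "double quoted" tokens."""
    s = s.lstrip()
    if not s:
        raise ValueError("missing secret value")
    if s[0] == '"':
        end = s.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quoted secret")
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def parse_secret_line(line):
    """Parse one entry into a dict (selectors, kind, value, passphrase, warnings);
    None for blank/comment lines.  [] selectors = any peer.  IPv6 selectors,
    which themselves contain ':', are out of scope for this checker."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _SEP.match(stripped)
    if not m or not m["rest"].strip():
        raise ValueError(f"missing ' : TYPE secret' in {line!r}")
    kind, rest = (m["rest"].split(None, 1) + [""])[:2]
    value, rest = _token(rest)
    entry = {"selectors": m["sel"].split(), "kind": kind.upper(),
             "value": value, "passphrase": None, "warnings": []}
    if m["sel"] and not m["ws1"]:
        entry["warnings"].append("no whitespace before ':'")
    if not m["ws2"]:
        entry["warnings"].append("no whitespace after ':'")
    if entry["kind"] in ("RSA", "ECDSA"):
        # Optional passphrase (or %prompt) after the file name; without it the
        # key file sits unencrypted on disk, protected by file mode alone.
        entry["passphrase"] = _token(rest)[0] if rest.strip() else None
        if entry["passphrase"] is None:
            entry["warnings"].append("private key file has no passphrase")
    return entry

# Constructed sample mirroring the layout shown above (not a real secrets file).
SAMPLE = """: RSA vpnHostKey.der
: PSK 8cv+NkxY9LLZvwj4qCC2o/gGrWDF8d21jL
i88ca: EAP "qCC2o/gGL4qCC2o/gG"
example.com\\spiderman : XAUTH "xauth_ikev1_example_password"
"""
```

Run it over a real file with `[parse_secret_line(l) for l in open("/etc/ipsec.secrets")]` and review the collected warnings before `ipsec rereadsecrets`.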
Whenever you edit /etc/ipsec.secrets while strongSwan is running, you must reload the file:
ipsec rereadsecrets