Hello,
Unfortunately, an IKEv2 roadwarrior configuration cannot be created with the CLI at the moment, because some strongSwan parameters are not configurable.
You get a working config by running:
set vpn ipsec include-ipsec-conf 'path/to/ipsec.conf'
set vpn ipsec include-ipsec-secrets 'path/to/ipsec.secrets'
Unfortunately, you have to restart IPsec by hand if you change something in the files.
Below is a working Apple iOS example. The CA is a Microsoft PKI; the iOS devices get user certificates with a CN that must match *@001.domain.tld and receive the IPsec configuration via an iOS profile.
ipsec.conf:
ca CACert
    cacert=/config/auth/ipsec/ca.cer
    crluri=/config/auth/ipsec/ca.pem
    auto=add

conn ikev2-cert-template
    leftcert=server.crt
    leftid="server.domain.tld"
    auto=add
    keyexchange=ikev2
    left=%any
    [email protected]
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightauth=eap-tls
    rightdns=10.166.253.11
    rightca="DC=tld DC=domain, CN=pki"
    eap_identity=%identity
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    auto=ignore

conn ikev2-vpn-10.215.1.0
    also=ikev2-cert-template
    rightid="*@001.domain.tld"
    rightsourceip=10.215.1.0/24
    auto=start

conn ikev2-vpn-10.215.2.0
    also=ikev2-cert-template
    rightid="*@002.domain.tld"
    rightsourceip=10.215.2.0/24
    auto=start
ipsec.secrets:
: RSA /config/auth/ipsec/server.key
In some other Phabricator task @dmbaturin mentioned a rewrite of the IPsec config script. Maybe this can be done in the same task.
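Because the included ipsec.conf above relies on an `also=` template whose own `auto=` ends as `ignore`, it is useful to see which conns strongSwan will actually load before restarting IPsec by hand. The following is an added example, not code from the post or from VyOS/strongSwan: a small resolver that parses a trimmed copy of the config (constructed sample, garbled line omitted), applies `also=` inheritance and returns the effective settings. It assumes strongSwan's documented semantics: the including conn's keys override the template's, a key repeated in one section takes its last value, and `auto` defaults to `ignore`.

```python
import re

# Constructed sample in the same layout as the post's ipsec.conf.
SAMPLE_CONF = """\
ca CACert
    cacert=/config/auth/ipsec/ca.cer
    auto=add

conn ikev2-cert-template
    auto=add
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-tls
    auto=ignore

conn ikev2-vpn-10.215.1.0
    also=ikev2-cert-template
    rightid="*@001.domain.tld"
    rightsourceip=10.215.1.0/24
    auto=start
"""

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for every 'ca'/'conn' section.
    Assumes no '#' inside values (anything after '#' is a comment)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(conn|ca)\s+(\S+)$', line)
        if m:
            current = sections.setdefault(m.group(2), {'_type': m.group(1)})
            continue
        if current is None or '=' not in line:
            raise ValueError(f'line outside a section: {raw!r}')
        key, value = (s.strip() for s in line.split('=', 1))
        current[key] = value.strip('"')  # repeated key: last value wins

    return sections

def resolve(sections, name):
    """Merge a section with whatever it includes via also= (recursively)."""
    sec = sections[name]
    merged = resolve(sections, sec['also']) if 'also' in sec else {}
    merged.update(sec)          # own keys override the template's keys
    merged.pop('also', None)
    return merged

def effective_conns(sections):
    """Only conns whose effective auto= is not 'ignore' get loaded."""
    conns = {n: resolve(sections, n) for n, s in sections.items() if s['_type'] == 'conn'}
    return {n: c for n, c in conns.items() if c.get('auto', 'ignore') != 'ignore'}
```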