certidude/certidude/templates/strongswan-client-to-site.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file

# left/local = client
# right/remote = gateway

config setup

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	dpdaction={{dpdaction}}
	closeaction=restart

conn client-to-site
	auto={{auto}}
	left=%defaultroute # Use IP of default route for listening
	leftsourceip=%config # Accept server suggested virtual IP as inner address for tunnel
	leftcert={{certificate_path}} # Client certificate
	leftid={{common_name}} # Client certificate identifier
	leftfirewall=yes # Local machine may be behind NAT
	right={{remote}} # Gateway IP address
	rightid=%any # Allow any common name
	rightsubnet=0.0.0.0/0 # Accept all subnets suggested by server