Select Page
This entry has been published on 2016-02-15 and may be out of date.

Last Updated on 2016-02-15.

[:en]First, install Ubuntu. E.g. v14.04 LTS, server edition, as a virtual machine, with static LAN IP.

Run these commands to install StrongSwan:

apt-get update
apt-get install strongswan
apt-get install strongswan-plugin-eap-mschapv2

Firewall settings:

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
apt-get install iptables-persistent

After installing iptables-persistent, confirm to save the current rules when finishing the wizard.

Open /etc/sysctl.conf with vi or nano and modify or add these lines:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.arp_accept = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1

Move ipsec.conf and strongswan.conf original files:

sudo mv /etc/ipsec.conf /etc/ipsec.conf.backup
sudo mv /etc/strongswan.conf /etc/strongswan.conf.backup

New content for /etc/ipsec.conf:

config setup

conn %default

 conn rem
    leftauth=psk     #your external ip
    rightsourceip=  #(if behind router check your router ip MUST be different, my router ip is

New content for /etc/strongswan.conf:

charon {
    threads = 16
    dns1 =    #(you can choose yours)
    dns2 =

 pluto {

 libstrongswan {


New content for /etc/ipsec.secrets:

: PSK "FREE_CHOICE1"       #(Gateway Preshared Key)
alice : EAP "FREE_CHOICE2"    #(MSCHAPv2 Username)
bob  : EAP "FREE_CHOICE3"    #(MSCHAPv2 Password)


Configure your firewall / router: Open incoming UDP ports 500 and 4500 to be redirected to your VPN server’s local IP address.

Open your BB10 mobile’s connection settings and create a new VPN profile:

Profile Name (free choice)
Server Address your public IP or domain
Gateway Type Generic IKEv2 VPN Server
Authentication Type EAP-MSCHAPv2
Authentication ID Type E-Mail (can be anything)
MSCHAPv2 EAP Identity (can be anything)
MSCHAPv2 Username alice (username in ipsec.secrets)
MSCHAPv2 Password FREE_CHOICE2 (alice’s password in ipsec.secrets)
Gateway Auth Type PSK
Gateway Auth ID Type IPv4
Gateway Preshared Key (PSK password in ipsec.secrets)

Leave the default values for the other settings.

For testing, make sure you have disabled your local WiFi access.