Wireguard coming? It is a good technology, both much faster and easier to configure. I’ve spent 10 days without any help from Ivacy support to get IPSec + IKEv2 up and running on dedicated IP.
To get it working, set mss to 1350, and mtu to 1400 in charon.conf
(or /etc/strongswan.d/charon/kernel-netlink.conf). Difference in packet sizes caused only parts of the VPN to work. Using Kernel 6.0.7 (arch) and strongswan-ipsec 5.9.8. Sharing config as I’ve spent way too much time on this! Wishing this info was available on support.ivacy.com
ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug=“debug”
conn ivacy
keyexchange = ikev2
dpdaction=hold
closeaction=hold
dpddelay=300s
leftauth=eap-mschapv2
eap_identity=“your-username”
left=%defaultroute
leftsourceip=%config
right=your-ivacy-server.dns2use.com
rightid=%*.dns2use.com
rightca=/etc/ipsec.d/cacerts/USERTrustRSACertificationAuthority.crt
rightsubnet=0.0.0.0/0
type=tunnel
auto=add
ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha256,aes256-sha1,3des-sha1!
Download cert from USERTrust RSA Certification Authority - Root certificate