IPsec XAuth VPN server on Raspberry Pi behind a NAT

The goal is to set up a secure tunnel that lets road warriors access our home LAN with the native Android client.

1. Software installation

Install the strongSwan IPsec server:

2. Configuration

2.1 IPsec

Back up the original IPsec configuration file:

And edit it:

As follows:

Change it to your Pi's address!

2.2 Secrets

Edit the secrets file:

As follows:

The IP should match the local IP of your Pi and you need to change the PSK, user(s) and password(s).
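
The points above (the IP matches the Pi, the PSK and passwords have been changed) can be checked mechanically. The script below is an added example, not part of the original post; it assumes the usual `selectors : TYPE "secret"` layout of ipsec.secrets with IPv4 selectors, and the length thresholds and all sample values are made up for the example:

```shell
#!/bin/sh
# Added example, not from the original post: lint an ipsec.secrets-style file.
# Assumptions: IPv4 selectors, one entry per line, and the length thresholds below.

audit_secrets() {   # $1 = secrets file, $2 = local IP of the Pi
    # The file holds the PSK and passwords in clear text: owner-only access.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        echo "perms: $1 is accessible to group/other (chmod 600)"
    awk -v ip="$2" -v min_psk=20 -v min_pw=12 '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        {
            pos = index($0, ":"); q = index($0, "\"")
            if (pos == 0 || q < pos) next             # no colon, or no quote after it
            sel = substr($0, 1, pos - 1)
            split(substr($0, pos + 1), w, " "); type = w[1]
            secret = substr($0, q + 1)
            sub(/"[^"]*$/, "", secret)                # strip closing quote
            split(sel, s, " ")                        # s[1] = first selector / user
            if (type == "PSK") {
                if (s[1] != ip)
                    print "line " NR ": PSK selector " s[1] " is not the Pi address " ip
                if (length(secret) < min_psk)
                    print "line " NR ": PSK shorter than " min_psk " characters"
            } else if (type == "XAUTH") {
                if (length(secret) < min_pw)
                    print "line " NR ": XAUTH password for " s[1] " shorter than " min_pw " characters"
                if (secret == s[1])
                    print "line " NR ": XAUTH password equals the user name " s[1]
            }
        }' "$1"
}

# Constructed sample input (placeholder address, key and users).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# ipsec.secrets (constructed sample)
192.168.1.10 %any : PSK "changeme"
alice : XAUTH "alice"
bob : XAUTH "correct-horse-battery"
EOF
chmod 644 "$demo"
audit_secrets "$demo" 192.168.0.10   # findings for perms, line 2 and line 3; secrets are never printed
rm -f "$demo"
```

On the Pi, call `audit_secrets` with the path of the secrets file you edited and the Pi's local address; an empty output means none of the checks fired.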

Then we can restart the service:

And check the logs:

The end should look like this:

3. Port forwarding

To be able to reach your VPN server from the outside, you need to forward some ports:
– 500/udp – Internet Key Exchange (IKE)
– 4500/udp – NAT traversal

From now on, you should be able to connect to your VPN server.

4. Traffic forwarding

To be able to reach all the machines in our LAN, we need to enable traffic forwarding:

And to keep it after a reboot, edit the following file:

And add the following:

Happy tunneling with native support on Windows, Mac, Android, iOS and Linux 🙂

3 thoughts on “IPsec XAuth VPN server on Raspberry Pi behind a NAT”

    1. # ipsec.conf – strongSwan IPsec configuration file

      # basic configuration

      config setup
      # strictcrlpolicy=yes
      # uniqueids = no

      # Add connections here.

      # Sample VPN connections

      conn yourname

      include /var/lib/strongswan/ipsec.conf.inc
