strongswan ipsec xauth howto


I want to set up an IPsec tunnel from my desktop PC to one of my root servers to change my public IP address. I'm using Ubuntu 14.04 on both server and client.

On the root server you need the following:
1) firewall with NAT enabled
   (plus a TCP MSS clamp, which might not be necessary)
2) IP forwarding enabled
3) configure strongSwan on your root server
4) configure strongSwan on your client (Ubuntu and Android 4.4)

1) firewall:

# accept IKE (UDP 500) and NAT-T (UDP 4500)
# (if your INPUT policy is DROP and there is no NAT between the peers, ESP (protocol 50) must be accepted as well)
iptables -A INPUT -p UDP --dport 500 -j ACCEPT
iptables -A INPUT -p UDP --dport 4500 -j ACCEPT
# activate NAT for the virtual IP pool handed out to VPN clients (replace with your pool)
iptables -t nat -A POSTROUTING -o eth0 -s yourvpnclientsubnet -j MASQUERADE
# clamp the TCP MSS on forwarded SYNs to avoid MTU problems with HTTPS websites
iptables -t mangle -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

2) IP forwarding:

vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

3) config of my strongSwan server:

aptitude install strongswan strongswan-plugin-xauth-generic

vim /etc/ipsec.conf
conn yourconnectionname
vim /etc/ipsec.secrets
ipofyourserver %any : PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"

Now enable IP forwarding for the running kernel (the sysctl.conf change only applies after a reboot or `sysctl -p`) and restart strongSwan:

echo 1 > /proc/sys/net/ipv4/ip_forward
service strongswan restart
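The body of the conn section is missing above, so here is an added example of what the server side of /etc/ipsec.conf looks like for IKEv1 PSK + XAuth (the mode Android calls "IPSec Xauth PSK"). It is not the post's own file: yourconnectionname matches the post, while the virtual IP pool 10.10.10.0/24 and the left/leftsubnet values are assumptions. The pool must be the subnet used in the MASQUERADE rule in step 1.

```conf
# /etc/ipsec.conf on the root server (added example, not the post's own file)
config setup
    # allow several devices to log in with the same XAuth username
    uniqueids=no

conn yourconnectionname
    # IKEv1: the gateway is authenticated with the PSK from ipsec.secrets,
    # the user with the XAUTH username/password from ipsec.secrets
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    # this host: the interface holding the default route
    left=%defaultroute
    # route all client traffic through the server (matches the MASQUERADE rule)
    leftsubnet=0.0.0.0/0
    # any client may connect and gets a virtual IP from this pool (assumed pool)
    right=%any
    rightsourceip=10.10.10.0/24
    # load the connection and wait for clients to initiate
    auto=add
```

Note that with `right=%any` the PSK is shared by every client, so anyone who knows it can impersonate the gateway towards other users; the XAuth password only authenticates the user to the server. Keep the PSK long and random and treat it like the XAuth password. If a phone fails at the IKE proposal stage, `ipsec statusall` and the charon log show the rejected proposal, and an explicit `ike=` / `esp=` line matching what the client offers is needed.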

4) config of my desktop PC:

vim /etc/ipsec.conf
conn yourconnectionname
vim /etc/ipsec.secrets
: PSK "yourpassword"
yourusername : XAUTH "yourxauthpassword"

Now restart strongSwan on your desktop PC:

service strongswan restart

and start the VPN tunnel manually via:

ipsec up yourconnectionname
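The client conn section is missing above as well; this is an added example for the desktop side, not the post's own file. yourconnectionname, yourusername and ipofyourserver are the placeholders from the post; `left=%defaultroute` and the full-tunnel `rightsubnet=0.0.0.0/0` are assumptions consistent with the server example and with Hint2 below.

```conf
# /etc/ipsec.conf on the desktop PC (added example, not the post's own file)
conn yourconnectionname
    keyexchange=ikev1
    authby=xauthpsk
    # this side is the XAuth client; xauth_identity selects the
    # "yourusername : XAUTH" line in ipsec.secrets
    xauth=client
    xauth_identity=yourusername
    left=%defaultroute
    # request a virtual IP from the server's pool (mode config)
    leftsourceip=%config
    right=ipofyourserver
    # send all traffic through the tunnel
    rightsubnet=0.0.0.0/0
    auto=add
```

After `ipsec up yourconnectionname`, `ipsec statusall` should list the connection as ESTABLISHED with the assigned virtual IP, and `ip route show table 220` shows the route strongSwan installed for the tunnel; table 220 is the same table the netctl workaround in Hint2 refers to. A quick check that the public address really changed is to fetch any what-is-my-IP page with the tunnel up and down.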

You can also use your Android phone to connect via IPsec XAuth PSK:
Just go to: Settings -> Wireless & Networks -> More -> VPN -> +

Name: yourconnectionname
Type: IPSec Xauth PSK
Server address: yourservername or IP address
IPSec pre-shared key: yourpassword (PSK)

Afterwards open the new VPN connection; you will be asked for the XAuth username and password.

Hint: On CM12 with my Samsung Galaxy S4 mini, the phone reboots with IPsec XAuth. Seems to be a bug. L2TP/IPsec works perfectly with CM12 on the Samsung Galaxy S4 mini.

Hint2: On Arch Linux, rightsubnet= suddenly stopped working on the client (no outbound IPsec traffic). I simply added a route to my netctl config: Routes=('IpOfVpnGateway via YourDefaultGateway table 220')
It seems the VPN gateway itself was also being routed into the tunnel.

Have fun!

htc one m8 upgrade firmware via fastboot for CM12

Hi there

I had been running CyanogenMod since I got my M8. Because of this the firmware never got updated via OTA. When I tried to update my M8 to CM12, the custom recovery told me that I had the wrong bootloader version to upgrade.

Here is a simple walkthrough to upgrade the firmware without flashing the stock firmware and without flashing the stock recovery. My device has S-ON and CID 401.

First of all: read, read, read. Learn how your device works. I did not know before either :-).
You don't have to flash the stock ROM and do OTA updates to get your firmware updated as described in the links below. You can do it another way via fastboot. It might be risky, but I have not found any working stock ROM + stock recovery combination to get the upgrade done. I was also too lazy to find out the dependency between firmware version and stock recovery version... So these links are only for understanding. You have to know what your CID is and what S-ON means. You may brick your device if something goes wrong. You've been warned.

Download the newest firmware from

Get into fastboot mode and lock the bootloader via:

fastboot oem lock

Now reboot your device into RUU mode and flash the firmware via (this may brick your device, be careful):

fastboot oem rebootRUU
fastboot flash zip

On the first try, fastboot flash zip did not work out correctly. Try again (don't reboot) and then it should succeed.

When hopefully everything went correctly, your device has the stock recovery installed and hboot shows "relocked". You can now unlock your phone normally as you did the first time via

After the bootloader unlock, flash the custom recovery and enjoy Android L / CM12 on your M8.

Have fun, and don't brick your device!