Install packages
# Debian/Ubuntu packages: the IKE daemon, the "ipsec pki" tool used for the
# certificates below, the plugin bundle that (on most releases) carries
# eap-mschapv2, and the iptables-persistent pair that saves the firewall rules
# across reboots.  On newer Debian/Ubuntu releases the EAP plugins may live in
# libcharon-extauth-plugins instead; after installing, confirm with
# "ipsec listplugins | grep eap-mschapv2" before going further.
apt install \
  strongswan \
  strongswan-pki \
  libcharon-extra-plugins \
  netfilter-persistent \
  iptables-persistent
Generate CA and certificates
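# Generate a private CA and a server certificate signed by it.
# Replace FQDN with the server's public DNS name: it must equal leftid in
# ipsec.conf and the name clients dial, or clients will reject the certificate.
# "ipsec pki --gen" writes the key with whatever the current umask allows, so
# the key generation runs under umask 077 to keep the files owner-readable
# only (the subshell confines the umask change to that one command).

# CA key and self-signed CA certificate (10 years).  O= is informational;
# set it to your own organization.
(umask 077; ipsec pki --gen --type ecdsa --outform pem > vpn_ca_key.pem)
ipsec pki --self --in vpn_ca_key.pem --type ecdsa \
  --dn "C=US, O=Testig Ltd., CN=Root CA" --ca --lifetime 3650 \
  --outform pem > vpn_ca_cert.pem

# Server key, its public half, and the server certificate.
(umask 077; ipsec pki --gen --type ecdsa --outform pem > vpn_server_key.pem)
ipsec pki --pub --in vpn_server_key.pem --type ecdsa > vpn_server_pub_key.pem
# --lifetime 3650 mirrors the CA.  A shorter server-certificate lifetime
# (one or two years) limits the blast radius of a leaked server key, because
# this setup publishes no CRL (strictcrlpolicy=no) and so cannot revoke.
# --san must carry the FQDN: clients match the server name against the SAN.
# --flag ikeIntermediate is an extra EKU that some older Apple clients expect.
ipsec pki --issue --in vpn_server_pub_key.pem --lifetime 3650 \
  --cacert vpn_ca_cert.pem --cakey vpn_ca_key.pem \
  --dn "CN=FQDN" --san="FQDN" --flag serverAuth --flag ikeIntermediate \
  --outform pem > vpn_server_cert.pem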
Move certs
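# Install the server material where charon looks for it.  Only the server
# key, the server certificate and the CA *certificate* belong on the VPN
# host.  The CA private key (vpn_ca_key.pem) is needed only to issue
# certificates; keep it offline and never copy it into /etc/ipsec.d/.
mv vpn_ca_cert.pem /etc/ipsec.d/cacerts/
mv vpn_server_cert.pem /etc/ipsec.d/certs/
mv vpn_server_key.pem /etc/ipsec.d/private/
# Only the IKE daemon (root by default) needs to read the private key;
# "mv" keeps whatever mode the file was created with, so pin it down.
chown root:root /etc/ipsec.d/private/vpn_server_key.pem
chmod 600 /etc/ipsec.d/private/vpn_server_key.pem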
Edit /etc/ipsec.conf (parameter lines must be indented under their section; a line at column 0 starts a new section)
# cat /etc/ipsec.conf
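# /etc/ipsec.conf
# ipsec.conf is indentation-sensitive: every parameter must be indented
# under its "config"/"conn" section.  A flat, unindented copy is not parsed
# the way this page intends.
config setup
    # This private CA publishes no CRL/OCSP, so CRL checks cannot be
    # mandatory.  Consequence: there is no revocation; re-issue with a new
    # CA if a server key leaks.
    strictcrlpolicy=no
    # Allow several concurrent tunnels under the same identity (one account
    # on a phone and a laptop).  Use "yes" or "replace" if each credential
    # should hold only one session at a time.
    uniqueids=no

conn ipsec-ikev2-vpn
    # IKE proposals: AEAD + ECDH first, CBC/HMAC + MODP as a fallback.
    # modp1024 was dropped from the fallback: a 1024-bit DH group is below
    # current minimums.  If a legacy client really needs it, configure that
    # client for modp2048 rather than re-adding the weak group server-wide.
    ike=aes256gcm16-aes192gcm16-chacha20poly1305-prfsha512-prfsha256-ecp521-ecp256,aes256-sha512-sha256-prfsha512-prfsha256-modp3072-modp2048-ecp521!
    # ESP proposals; the DH group in each proposal enables PFS per CHILD_SA.
    esp=aes256gcm16-aes192gcm16-chacha20poly1305-ecp521-ecp256-modp3072-modp2048,aes256-sha512-sha256-modp3072-modp2048!
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # IKE fragmentation: certificate + EAP payloads can exceed the path MTU.
    fragmentation=yes
    # Always UDP-encapsulate ESP (udp/4500) so the tunnel also works behind
    # NATs and firewalls that drop IP protocol 50.
    forceencaps=yes
    # Dead peer detection: quietly drop the SAs of a client that vanished.
    dpdaction=clear
    dpddelay=300s
    # The server never initiates rekeying; it relies on clients doing so.
    rekey=no
    left=%any
    # Must equal the CN/SAN in vpn_server_cert.pem and the name clients dial.
    leftid=@FQDN
    leftauth=pubkey
    leftcert=vpn_server_cert.pem
    leftsendcert=always
    # Full tunnel: clients route all traffic through the VPN.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Username/password from ipsec.secrets.  MSCHAPv2 is only safe because it
    # runs inside the IKE_SA, which in turn is only safe if clients verify the
    # server certificate against vpn_ca_cert.pem.
    rightauth=eap-mschapv2
    # Virtual-IP pool handed to clients; must match the iptables rules.
    rightsourceip=172.16.15.2/24
    rightdns=1.1.1.1,8.8.8.8
    # Presumably without effect for an EAP peer that sends no certificate;
    # kept as in the original configuration.
    rightsendcert=always
    # Use the EAP identity (the username) as the client's IKE identity.
    eap_identity=%identity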
Edit /etc/ipsec.secrets (root-owned, mode 0600 — it holds the EAP passwords in cleartext)
# cat /etc/ipsec.secrets
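# /etc/ipsec.secrets — keep it root:root, mode 0600.
# Server private key; a bare filename is looked up in /etc/ipsec.d/private/.
: ECDSA vpn_server_key.pem
# EAP-MSCHAPv2 accounts.  MSCHAPv2 on its own is weak: whoever captures the
# exchange can recover the NT hash offline.  It is acceptable here only
# because the exchange runs inside the IKE_SA, so every client MUST validate
# the server certificate against vpn_ca_cert.pem; a client that accepts any
# certificate would hand its credential to a rogue server.  Use long random
# passwords.  ipsec.secrets(5) also accepts "USER : NTLM <hex NT hash>" to
# avoid storing the cleartext, but the hash remains password-equivalent for
# MSCHAPv2, so the file still needs the same protection.
USER1 : EAP "PASSWORD1"
USER2 : EAP "PASSWORD2"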
...
Add to /etc/sysctl.conf (or a file under /etc/sysctl.d/) and apply with `sysctl -p` / `sysctl --system`
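# Route packets between the VPN client pool and the uplink.
net.ipv4.ip_forward = 1
# Do not depend on path-MTU discovery (ICMP is often filtered en route);
# presumably set so that locally generated packets may fragment instead.
# The TCPMSS clamp in the iptables rules handles TCP flows.
net.ipv4.ip_no_pmtu_disc = 1
# The host is now a router.  Do not emit ICMP redirects to VPN clients
# (they can break the tunnel's routing) and do not honor redirects from the
# network, which could steer traffic off the intended path.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0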
Iptables rules
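# Firewall rules for the VPN.  Placeholders: SERVER_IP is the public address
# of the uplink interface SERVER_MAIN_ETH; 172.16.15.0/24 is the client pool
# from rightsourceip.

# Let IKE in: udp/500 for IKE and udp/4500 for IKE + ESP-in-UDP.  Only needed
# when INPUT's policy (or an earlier rule) drops new connections.  Because
# forceencaps=yes, plain ESP (IP protocol 50) is never used; allow it as
# well if forceencaps is ever turned off.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# Forward only packets that really came out of / go into an IPsec SA, so a
# host on the LAN cannot spoof the client pool.  Needed if FORWARD's policy
# is DROP (place these before any rule that drops forwarded traffic);
# harmless otherwise.
iptables -A FORWARD -m policy --dir in --pol ipsec -s 172.16.15.0/24 -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec -d 172.16.15.0/24 -j ACCEPT

# Source-NAT client traffic leaving on the uplink.  "-o SERVER_MAIN_ETH"
# keeps the rule from rewriting packets headed for other interfaces (a LAN,
# another tunnel).  Use MASQUERADE instead of SNAT if SERVER_IP is dynamic.
iptables -t nat -A POSTROUTING -s 172.16.15.0/24 ! -d 172.16.15.0/24 -o SERVER_MAIN_ETH -j SNAT --to-source SERVER_IP

# Clamp TCP MSS on tunnelled flows so the ESP/UDP overhead does not push
# packets over the path MTU (ip_no_pmtu_disc=1 disables PMTUD, so this clamp
# is what keeps TCP working).
iptables -t mangle -A FORWARD -s 172.16.15.0/24 -o SERVER_MAIN_ETH -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# Persist the rules across reboots (iptables-persistent was installed above).
netfilter-persistent save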
Clients connect to FQDN (the name in the server certificate's SAN and in leftid), must install vpn_ca_cert.pem as the trusted CA for the server certificate — and be configured to actually verify the server against it, never to accept any certificate — and authenticate with their EAP username and password from ipsec.secrets.