Ipsec PSK with XAuth authentication

The usage of this method with aggressive mode (ipsecIdentifier not empty) is discouraged: see the StrongSwan Documents

This article describes a configuration of a roadwarrior scenario, where a d-200 phone connects to a COMmander 6000 via a strongswan VPN Server.

The strongswan configuration is based on the following document. In our example, the d-200 is located in the 192.168.1.0/24 subnet. The pbx is located in the 192.168.21.0/24 subnet. The Strongswan server uses the ip 192.168.1.239

ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
 
# basic configuration
 
config setup
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
 
conn rw
        left=192.168.1.239
        leftid=@192.168.1.239
        leftsubnet=192.168.21.0/24
        leftauth=psk
        leftfirewall=yes
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=192.168.1.0/24
        auto=add
        ike="aes256-sha384-modp1024"
/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
 
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
192.168.1.239 %any : PSK "superSecretPreSharedKey"
 
theUserName  : XAUTH "secretXauthPassword" 

Troubleshooting: be sure that the server has ip forward enabled. If a NAT is used, the Phone will require a STUN Server to correctly setup a RTP Connection.

configurationXauthPSK.xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <network>
    <vpn>
        <active>true</active>
        <vpnType>IpsecXauthPSK</vpnType>
        <name>VPN name</name>
        <server>192.168.21.100</server>
        <username>theUserName</username>
        <password>secretXauthPassword</password>
        <routes>192.168.21.0/24</routes>
        <dnsServers>192.168.21.44</dnsServers>
        <searchDomains></searchDomains>
        <!-- ipsecIdentifier has to be empty - aggressive mode is used when filled. (certain servers e.g. strongswan won't allow aggressive mode clients. ) -->
        <ipsecIdentifier></ipsecIdentifier>
        <ipsecSecret>superSecretPreSharedKey</ipsecSecret>
    </vpn>
  </network>
    <identities>
      <identity>
        <active>true</active>
        <displayname>COMmander 6000</displayname> 
        <username>70</username>
        <host>192.168.1.239</host>
        <password>AccountPassword</password>
        <frameSize>20</frameSize>
        <audiocodecs>
          <audiocodec>G.722</audiocodec>
          <audiocodec>G.711</audiocodec>
        </audiocodecs>
        <clir>displayAnonymous</clir>
        <localmoh>false</localmoh>
        <secureConnection>false</secureConnection>
        <srtp>disabled</srtp>
        <ipVersion>IpV4</ipVersion>
        <checkHostname>true</checkHostname>
        <pickupCode>##06</pickupCode>
        <interfaceType>vpn</interfaceType>
     </identity>
     <identity>
       <active>false</active>
     </identity>
     <identity>
       <active>false</active>
     </identity>
     <identity>
       <active>false</active>
     </identity>
     <identity>
       <active>false</active>
     </identity>
     <identity>
       <active>false</active>
     </identity>
   </identities>
</configuration>

The identity specifies the networkType vpn and the registration is performed after the tunnel has been connected.