[strongSwan] Config doesnt work on Windows 10 and Android
Sebastian Pfohl
2018-10-05 19:59:39 UTC
I would like to connect to the VPN server with the native Windows 10 client, but I can't connect. I have followed a tutorial at https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ but the connection isn't successful. I struggle to import the certificates, because the option to import a machine certificate is greyed out in Windows 10 Home. However, I can manually select a user certificate. I don't know if that is ok. I couldn't find any information about Windows 10 Home Edition. Is there any better instruction available on how to make a connection from Windows 10 Home to a strongSwan VPN? Here is my current config:

config setup
        charondebug="ike 2, knl 1, cfg 2, dmn 2, net 2"

conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1024,aes256-sha384-ecp384!
        esp=aes256-sha1,aes256-sha384-ecp384!
        dpdaction=clear
        dpddelay=300s
        rekey=no

        # left = this server, right = the roaming clients
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        right=%any
        rightdns=8.8.8.8,8.8.4.4
        rightsourceip=%dhcp

conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add

conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2"
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any

Additionally, I use a Samsung Galaxy 7. There I can create a VPN connection with "IPSec IKEv2 RSA" with the built-in client. I can't connect from there either. The connection is refused. I thought the above configuration should work with the VPN type in the Samsung Galaxy. Can someone please help me make a proper config?
bls s
2018-10-05 22:19:53 UTC
My directions for importing certificates into Windows 10 can be found at https://github.com/gitbls/pistrong/blob/master/CertInstall.md I've never tested them with Windows 10 Home, so I'd be interested in knowing if they work there.

As an aside, I started using strongSwan following the directions on the zeitgeist site you mentioned, and found them to be usable but not easily repeatable, so I built pistrong, which codifies my learnings in a script that makes it all easily repeatable. You can find it at https://github.com/gitbls/pistrong

Good luck, and do let me know if my directions work with Windows 10 Home.
B Thordy
2018-10-06 11:21:13 UTC
Many thx for that URL. At least on another PC, I could now import the cert as a machine certificate and, much more important, the connection was now successful! That's so great! I have 2 new problems now. First, for testing, I used "rightdns=8.8.8.8,8.8.4.4" to send the client the DNS server information and with "rightsourceip=%dhcp" I get an IP address from my DHCP server. Now I have changed rightdns to a local DNS server, reconnected, and I still have the old ones from Google as DNS. However, the IP address was changed to a new one. Why did the DNS not change and how can I do this? If I start the server again with the new config, I can see that only the new, local DNS is in the config. But it isn't in effect at the Windows 10 client.

The second problem is that I have a connection to the VPN, but for internet access the Wifi connection is used. There should be an option where I can set the VPN to be the one and only connection which is available for internet traffic. But I'm sure I can find at least this myself.

But the above DNS thing makes me nervous. If the DNS thing is solved, I'll try to connect my Android phone.
B Thordy
2018-10-06 12:17:18 UTC
I think I have found the setting for the DNS server, or at least a way to change them. There was a file /etc/strongswan.d/user.conf with the following content:

charon {
        # DNS server assigned to peer via configuration payload (CP).
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4

        # Number of worker threads in charon.
        threads = 8

        # Name of the user the daemon changes to after startup.
        user = strongswan
}

It seems that this setting overrides the DNS servers in ipsec.conf. I thought it was the other way around.

Android was a little bit strange. I added the certificate to the keystore and could select "IPSec IKEv2 RSA" in the built-in VPN of the Galaxy S7. I then selected the imported certificate for both the user certificate and the CA certificate, saved the profile and connected. This failed. So I opened the profile again, changed nothing, closed it with "Cancel" and connected again. Now the connection was established successfully. I don't know why the first try failed. But now it seems that I can use the config on both Android and Windows 10.

I have found another problem on Windows 10. My Ethernet adapter and the Wifi adapter both have the DNS from my carrier and I didn't want to change that. When I look at https://www.dnsleaktest.com/, I can see that there is the DNS from the carrier. When I now connect to the VPN and check again, I see my DNS (which forwards to OpenDNS) and additionally the carrier DNS. This surprises me a lot. I thought that the VPN is the only connection which sends and receives queries over the Internet, especially since I set the checkbox for the VPN adapter as "Standard-Gateway". Do you have any ideas?
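The DNS confusion in this message (rightdns in ipsec.conf versus charon.dns1/dns2 in /etc/strongswan.d/user.conf) and the also= chain in the posted ipsec.conf both come down to knowing which file contributes which value. The checker below is an added example, not part of the thread or of strongSwan itself: it resolves a conn's effective settings through also= and conn %default, then lists the dns1/dns2 resolvers from strongswan.conf that the conn's rightdns does not contain, so an admin can see before restarting which file is still pushing the old servers. The config text and the 192.0.2.53 resolver are constructed for the example.

```python
import re
# Constructed copies of the two files from the thread (not the poster's exact text);
# rightdns points at a local resolver, 192.0.2.53, as the poster changed it to.
IPSEC_CONF = """\
conn %default
        keyexchange=ikev2
        rightdns=192.0.2.53
conn IPSec-IKEv2
        auto=add
conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2"
        rightauth=eap-mschapv2
        eap_identity=%any
"""
USER_CONF = """\
charon {
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
}
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; a section header is any non-indented line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not raw[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def effective_conn(sections, name, seen=()):
    """Own keys override the also= target, which overrides conn %default."""
    if name in seen:
        raise ValueError("also= cycle at " + name)
    own = sections[("conn", name)]
    merged = dict(sections.get(("conn", "%default"), {}))
    if "also" in own:
        merged.update(effective_conn(sections, own["also"], seen + (name,)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def dns_conflicts(ipsec_text, user_text, conn):
    """Resolvers set as charon.dns1/dns2 in strongswan.conf(.d) that rightdns does not list."""
    attr_dns = re.findall(r"^\s*dns\d\s*=\s*(\S+)", user_text, re.M)
    rightdns = effective_conn(parse_ipsec_conf(ipsec_text), conn).get("rightdns", "")
    return sorted(set(attr_dns) - set(filter(None, rightdns.split(","))))
```

Run it against the real /etc/ipsec.conf and the concatenated /etc/strongswan.d/*.conf; an empty result means both files agree on the resolvers handed to clients.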