2.7.7. Road Warrior Access VPN Using Libreswan

Road warriors are traveling users with mobile clients with a dynamically assigned IP address, such as laptops. These are authenticated using certificates.
On the server:
conn roadwarriors
    left=1.2.3.4
    # if access to the LAN is given, enable this
    #leftsubnet=10.10.0.0/16
    leftcert=vpn-server.example.com
    leftid=%fromcert
    right=%any
    # trust our own Certificate Agency
    rightca=%same
    # allow clients to be behind a NAT router
    rightsubnet=vhost:%priv,%no
    authby=rsasig
    # load connection, don't initiate
    auto=add
    # kill vanished roadwarriors
    dpddelay=30
    dpdtimeout=120
    dpdaction=%clear
Where:
left=1.2.3.4
The 1.2.3.4 value specifies the actual IP address or host name of your server.
leftcert=vpn-server.example.com
This option specifies a certificate referring to its friendly name or nickname that has been used to import the certificate. Usually, the name is generated as a part of a PKCS #12 certificate bundle in the form of a .p12 file. See the pkcs12(1) and pk12util(1) man pages for more information.
On the mobile client, the road warrior's device, use a slight variation of the above configuration:
conn roadwarriors
    # pick up our dynamic IP
    left=%defaultroute
    leftcert=myname.example.com
    leftid=%fromcert
    # right can also be a DNS hostname
    right=1.2.3.4
    # if access to the remote LAN is required, enable this
    #rightsubnet=10.10.0.0/16
    # trust our own Certificate Agency
    rightca=%same
    authby=rsasig
    # Initiate connection
    auto=start
Where:
auto=start
This option enables the user to connect to the VPN whenever the ipsec system service is started. Replace it with the auto=add if you want to establish the connection later.