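#!/bin/sh
# Bring up a StrongSwan (swanctl) IKEv2/PSK link between two hosts that carries
# a GRE tunnel (IPsec transport mode) plus a marked VTI for a tunnel-mode child.
# Please install StrongSwan version >= 5.7.0.
#
# The pasted original lost every value that sat inside angle brackets
# (addresses, identities, the PSK, the conf file name) and the heredoc
# marker itself; they are restored here as variables that MUST be filled in
# before the script is run.
set -eu

# --- values to fill in (obvious placeholders; the real ones were lost in the paste) ---
PHYS_DEV=eth0                         # physical network device (original assumed eth0)
LOCAL_IP="<LOCAL_PUBLIC_IP>"          # address of ${PHYS_DEV} on this host
REMOTE_IP="<REMOTE_PUBLIC_IP>"        # address of ${PHYS_DEV} on the peer
LOCAL_ID="<LOCAL_ID>"                 # IKE identity of this host (text after the @@ prefix)
REMOTE_ID="<REMOTE_ID>"               # IKE identity of the peer
PSK="<PRE_SHARED_KEY>"                # identical on both ends
TUNNEL_LOCAL_TS="<LOCAL_SUBNET>"      # traffic selectors of the tunnel-mode child
TUNNEL_REMOTE_TS="<REMOTE_SUBNET>"
IPSEC0_ADDR="<VTI_ADDR>/31"           # point-to-point address of ipsec0 (/31 as in the original)
GRE_ADDR="<GRE_ADDR>/31"              # point-to-point address of goips0 (/31 as in the original)
CONF_FILE=/etc/swanctl/conf.d/test.conf   # file name is arbitrary; "test" matches the connection below

# Refuse to run while any placeholder is still unreplaced: an unquoted "<...>"
# in an `ip tunnel add ... local <X>` line would otherwise be parsed as a redirection.
for v in "$LOCAL_IP" "$REMOTE_IP" "$LOCAL_ID" "$REMOTE_ID" "$PSK" \
         "$TUNNEL_LOCAL_TS" "$TUNNEL_REMOTE_TS" "$IPSEC0_ADDR" "$GRE_ADDR"; do
    case "$v" in
        *'<'*) echo "fill in the placeholder values at the top of this script first" >&2; exit 1 ;;
    esac
done

# Routes and virtual IPs are managed by the ip(8) commands below, not by charon.
# These only match the shipped commented-out defaults; a charon.conf that already
# sets the options explicitly is left untouched.
sed -i 's/# install_routes = yes/install_routes = no/' /etc/strongswan.d/charon.conf
sed -i 's/# install_virtual_ip = yes/install_virtual_ip = no/' /etc/strongswan.d/charon.conf

# The conf file carries the PSK, so create it readable by root only.
umask 077
cat <<EOF > "$CONF_FILE"
conn-defaults {
    version = 2
    proposals = aes128gcm16-prfsha512-ecp384
    local_addrs = ${LOCAL_IP}
    dpd_delay = 10s
    fragmentation = yes
    mobike = no
    rekey_time = 28800s
    unique = keep
}
child-defaults {
    dpd_action = clear
    start_action = none
    esp_proposals = aes128gcm16-ecp384
    mode = transport
}
connections {
    test : conn-defaults {
        remote_addrs = ${REMOTE_IP}
        local {
            auth = psk
            id = @@${LOCAL_ID}
        }
        remote {
            auth = psk
            id = @@${REMOTE_ID}
        }
        children {
            tunnel : child-defaults {
                local_ts = ${TUNNEL_LOCAL_TS}
                remote_ts = ${TUNNEL_REMOTE_TS}
                mode = tunnel
                mark_in = 0x42424242/0xffffffff
                mark_out = 0x42424242/0xffffffff
            }
            transport : child-defaults {
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
            }
        }
    }
}
secrets {
    ike {
        secret = ${PSK}
        id-1 = @@${LOCAL_ID}
        id-2 = @@${REMOTE_ID}
    }
}
EOF
chmod 600 "$CONF_FILE"

# Omit this interface on one end (as in the original recipe).
# The VTI key must equal the tunnel child's mark_in/mark_out (0x42424242 above)
# so that the marked SA and the interface belong together.
ip tunnel add ipsec0 local "$LOCAL_IP" remote "$REMOTE_IP" mode vti key 0x42424242 dev "$PHYS_DEV"
ip addr add "$IPSEC0_ADDR" dev ipsec0
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 mtu 1446
ip link set ipsec0 up

# Plain GRE over the physical device; its packets are what the "transport"
# child (local_ts/remote_ts = dynamic[gre]) protects.
ip tunnel add goips0 local "$LOCAL_IP" remote "$REMOTE_IP" mode gre dev "$PHYS_DEV"
ip addr add "$GRE_ADDR" dev goips0
ip link set goips0 mtu 1400
ip link set goips0 up

# Load the new configuration and start the transport child.
# (Long forms of the original `swanctl -q` and `swanctl -i -i test -c transport`.)
swanctl --load-all
swanctl --initiate --ike test --child transport
# Then do whatever you need on tunnel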