diff --git a/secrets/passwords-and-certificates.nix b/secrets/passwords-and-certificates.nix
index 51e8171..6575e9f 100644
Binary files a/secrets/passwords-and-certificates.nix and b/secrets/passwords-and-certificates.nix differ
diff --git a/system-modules/hsmw.nix b/system-modules/hsmw.nix
index a61ae5e..66ee729 100644
--- a/system-modules/hsmw.nix
+++ b/system-modules/hsmw.nix
@@ -7,22 +7,78 @@ environment.etc = {
-    # easyroam HSMW
+    # Easyroam
     "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
     "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
     "ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
-
-
-    # VPN
     "NetworkManager/system-connections/eduroam.nmconnection" = {
       text = secrets.easyroamHSMW.nmconfig;
       mode = "0600";
     };
+    # VPN
+    # "strongswan.conf".text = ''
+    #   charon {
+    #     load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown openssl resolve
+    #   }
+    # '';
+    "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
   };
-
+  services.strongswan = {
+    enable = true;
+    setup = {
+      cachecrls = "yes";
+      strictcrlpolicy = "yes";
+    };
+    connections = {
+      hsmw = {
+        keyexchange = "ikev2";
+        left = "%defaultroute";
+        leftid = "%any";
+        leftauth = "eap";
+        eap_identity = secrets.email.hsmw.mail;
+        leftsourceip = "%config";
+        leftdns = "%config4";
+        leftfirewall = "no";
+        right = "141.55.128.84";
+        rightid = "@vpn4.hs-mittweida.de";
+        rightsubnet = "0.0.0.0/0";
+        rightauth = "pubkey";
+        auto = "add";
+      };
+    };
+    managePlugins = true;
+    enabledPlugins = [
+      "curl"
+      "aes"
+      "des"
+      "sha1"
+      "sha2"
+      "md5"
+      "pem"
+      "pkcs1"
+      "gmp"
+      "random"
+      "nonce"
+      "x509"
+      "revocation"
+      "hmac"
+      "xcbc"
+      "stroke"
+      "kernel-netlink"
+      "socket-default"
+      "fips-prf"
+      "eap-mschapv2"
+      "eap-identity"
+      "updown"
+      "openssl"
+      "resolve"
+    ];
+    secrets = [ "/etc/ipsec.d/hsmw.secrets" ];
+    # ca = {
+    #   ??? # https://mynixos.com/nixpkgs/option/services.strongswan.ca
+    # }
+  };
 }
-
-
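Review bot: The new `"ipsec.d/hsmw.secrets".text` entry places the plaintext EAP password under /etc with environment.etc's default permissions, while the sibling eduroam.nmconnection entry directly above it restricts its file with `mode = "0600";`; the VPN secret should get the same treatment: `"ipsec.d/hsmw.secrets" = { text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"''; mode = "0600"; };`. Even with that mode the literal still ends up in a Nix store path, which is readable by every local user, as the existing nmconnection entry presumably already does; provisioning the file outside the store and pointing `services.strongswan.secrets` at that path would close that gap. Separately, `rightauth = "pubkey"` is set while the `ca` option is left as a commented placeholder, so the gateway certificate for `vpn4.hs-mittweida.de` has no configured trust anchor yet, and the `strictcrlpolicy = "yes"` setting will likewise need a CA with a reachable CRL before the tunnel can come up. The module's enclosing attribute set opens before the hunk.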