Creating an IKEv2 VPN with Strongswan
We previously showed you how easy it is to set up an IKEv2 VPN using https://safewoo.com. But if you're feeling adventurous and want to learn how to build one from scratch, we've got you covered! Let's dive into setting up an IKEv2 VPN using Strongswan. We'll walk you through every step, from configuring the server to setting up clients on Windows, macOS, iOS, and Android. By the end of this tutorial, you'll be a VPN-building pro!
Our goal is to build an IKEv2 VPN server that's easy to use. It will support username and password authentication and work seamlessly with the built-in VPN clients on iOS, macOS, and Windows, as well as the Strongswan client on Android. Since this tutorial focuses on user-friendly setups, we won't cover Linux configurations.
Note: This guide involves some technical terms about networks, encryption, and operating systems. If you're new to these topics, you might find it a bit challenging. For a simpler option, consider using a pre-configured VPN like Safewoo https://safewoo.com.
Introduction to Strongswan
Strongswan is an open-source IPsec implementation that supports both IKEv1 and IKEv2 protocols. It's one of the most popular VPN solutions for Linux systems. You can find more information on their official website.
Strongswan supports various authentication methods like RSA, PSK, and EAP, and offers flexible configuration options. Here are some of its key features:
- IKE Negotiation: Establishes secure connections and exchanges keys.
- IPsec Packet Encryption: Encrypts and authenticates data to ensure confidentiality, integrity, and authenticity.
- NAT Traversal: Supports VPN connections in NAT environments.
- EAP Authentication: Supports various EAP methods, which allow username and password authentication.
In short, Strongswan is a powerful and versatile tool for setting up secure VPN connections.
Required Resources
- A Debian 12/Ubuntu 22.04 server
- With a public IPv4 address (NAT forwarding is okay)
- An account with sudo privileges
- A domain name for configuring the certificate
Why do you need a domain name? To enhance the security of the VPN connection, the IKEv2 protocol typically uses digital certificates for authentication. If you use a self-signed certificate, the client needs to manually import and trust the certificate, which can be a bit complicated for regular users. By using an SSL certificate issued for a domain name, you can leverage trusted CA institutions (like Let's Encrypt) to issue the certificate. Client operating systems usually trust these CAs by default, saving you from the hassle of manual certificate configuration.
Server Configuration
Applying for an SSL Certificate
We recommend using the acme.sh tool to apply for a Let's Encrypt certificate. Acme.sh is an open-source shell script that supports automated application and renewal of Let's Encrypt certificates. For detailed usage, please refer to the official documentation.
If you don't have a domain name or can't apply for an SSL certificate, Safewoo https://safewoo.com offers a one-click solution to create an IKEv2 VPN, providing certificates and domain resolution. It also automatically renews the certificates, so you don't have to worry about them expiring.
Installing Dependencies
sudo apt update
sudo apt install -yqq charon-systemd strongswan-swanctl strongswan-pki \
libcharon-extra-plugins libstrongswan-extra-plugins \
openssl curl
# iptables-persistent restores the NAT rules below at boot; DEBIAN_FRONTEND suppresses its interactive "save current rules?" prompt
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
Configuring System Parameters
- Configure sysctl
sudo bash -c 'cat > /etc/sysctl.d/99-strongswan.conf << EOF
# Route traffic between the VPN clients and the internet
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
# Do not send ICMP redirects to VPN clients
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
EOF'
sudo sysctl --system
- Configure iptables forwarding
Large cloud service providers (like AWS, GCP, Azure) don't directly bind public IP addresses to network interfaces. Smaller VPS providers might directly bind public IP addresses to network interfaces.
If your server doesn't have a public IP address directly bound, you'll need to configure NAT forwarding so that your VPN server can forward traffic to the public internet.
NETWORK_V4=192.168.78.0/24 # VPN subnet, must match the address pool in the swanctl configuration below
NIF=$(ip -o -4 route show to default | awk '{print $5}') # Get the default network interface
# ipv4 rules
sudo iptables -t nat -A POSTROUTING -s "$NETWORK_V4" -o "$NIF" -m policy --dir out --pol ipsec -j ACCEPT # Leave packets that will be IPsec-protected on the way out untouched
sudo iptables -t nat -A POSTROUTING -s "$NETWORK_V4" -o "$NIF" -j MASQUERADE # NAT address translation, allow VPN clients to reach the public internet from the server's address
sudo netfilter-persistent save # Persist the rules so iptables-persistent restores them after a reboot
Installing and Configuring Strongswan
- Assuming your domain name is vpn.example.com.
- You already have an SSL certificate vpn.example.com.crt, a certificate private key vpn.example.com.key, and a CA certificate ca.crt.
Copy these certificates to the following paths:
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/x509/vpn.example.com.crt
/etc/swanctl/private/vpn.example.com.key
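Before loading the configuration it is worth confirming that the three files fit together, because a key that does not belong to the certificate, or a certificate whose subjectAltName lacks the domain, fails only at connection time with an unhelpful client error. The following pre-flight check is an added example, not part of the original post; it assumes the openssl command line tool is installed and takes the domain and the three paths as arguments.

```shell
#!/bin/sh
# Pre-flight check for the files strongSwan loads from /etc/swanctl.
# Added example for this guide (not from the original post); assumes the
# openssl CLI is installed. Arguments: the VPN domain, then the CA certificate,
# the server certificate and the server private key, in that order.
check_ikev2_certs() {
  domain=$1; ca=$2; crt=$3; key=$4
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
  done

  # 1. The private key must belong to the server certificate: compare the
  #    public key embedded in the certificate with the one derived from the key.
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ] \
    || { echo "private key does not match $crt"; return 1; }

  # 2. Clients compare the IKE identity (local.id in the swanctl config) with
  #    the certificate's subjectAltName, so the domain must be listed there.
  openssl x509 -in "$crt" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "DNS:${domain}(,|\$)" \
    || { echo "$crt has no subjectAltName entry for $domain"; return 1; }

  # 3. The certificate must chain to the CA file that goes into x509ca/.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$crt does not chain to $ca"; return 1; }

  # 4. Let's Encrypt certificates last 90 days; fail if fewer than 14 remain
  #    so a broken renewal job is noticed before clients start failing.
  openssl x509 -in "$crt" -noout -checkend 1209600 >/dev/null 2>&1 \
    || { echo "$crt expires within 14 days"; return 1; }

  echo "ok: $crt is valid for $domain and matches $key"
}

# Paths from this guide; run after copying the files into place:
# check_ikev2_certs vpn.example.com /etc/swanctl/x509ca/ca.crt \
#   /etc/swanctl/x509/vpn.example.com.crt /etc/swanctl/private/vpn.example.com.key
```

For a Let's Encrypt certificate, pass the intermediate chain file as the CA argument, which is also what belongs in x509ca/.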
Edit the configuration file:
sudo bash -c 'cat > /etc/swanctl/conf.d/safewoo-eap.conf << EOF
connections {
    conn_safewoo_eap {
        pools = pool_safewoo_eap_v4
        reauth_time = 0
        send_certreq = yes
        send_cert = always
        version = 2
        # modp1024 is kept only because the Windows built-in client proposes it by default
        proposals = aes128-aes256-sha256-modp1024-modp2048-curve25519-ecp256
        local {
            auth = pubkey
            certs = vpn.example.com.crt # Server certificate from /etc/swanctl/x509; the CA in x509ca is loaded automatically
            id = vpn.example.com # Must match a name in the certificate; clients verify it
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any # Ask the client for its EAP identity and match it against the secrets below
        }
        children {
            dt {
                local_ts = 0.0.0.0/0
            }
        }
    }
}
pools {
    pool_safewoo_eap_v4 {
        addrs = 192.168.78.0/24 # Must match NETWORK_V4 in the iptables rules above
        dns = 1.1.1.1, 8.8.8.8
    }
}
secrets {
    eap-safewoo {
        id = safewoo # Account name, change this to your desired username
        secret = "password" # Password, change this to your desired password
    }
}
EOF'
Load the configuration and certificates:
sudo systemctl enable --now strongswan # Make sure the charon-systemd daemon is running and starts on boot
sudo swanctl --load-all
The configuration should take effect immediately.
Client Configuration
We've successfully set up an IKEv2 VPN using EAP-MSCHAPv2 authentication, which lets you connect to the VPN by entering only a username and password. Most mainstream devices support this method. In the configuration file, we specified the username/password as safewoo/password.
Please replace these with more secure credentials.
For detailed connection methods on different systems, please refer to our previous blog post. Enjoy your VPN!