Introduction
Internet Key Exchange v2 (IKEv2) is a protocol that negotiates an IPsec tunnel directly between the server and the client. In IKEv2 VPN implementations, IPsec provides the encryption for the network traffic. IKEv2 is natively supported on platforms such as iOS, macOS, Android and Windows 10/11, with no additional applications necessary, and it handles client hiccups quite smoothly.
In this tutorial, you'll set up an IKEv2 VPN server using strongSwan on an Ubuntu 22.04 server, with user authentication handled by FreeRADIUS.
STEP 1)
Make sure the OS is all up to date.
sudo apt-get update
STEP 2)
Now install the software required using the command below.
sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins iptables-persistent
STEP 3)
Create the certificate IKEv2 will use for the connection. First, install certbot.
sudo apt-get install certbot
STEP 4)
Now we need to set the key size and the hooks. The pre- and post-hooks open and close TCP port 80 around the HTTP challenge; the renew hook runs each time the certificate is renewed, which happens before the current one expires. Let's Encrypt certificates have a maximum validity of 90 days.
mkdir -p /etc/letsencrypt
echo 'rsa-key-size = 4096
pre-hook = /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
post-hook = /sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets' > /etc/letsencrypt/cli.ini
STEP 5)
Generate the certificate to use with the connection. Note: The hostname must resolve to this machine to enable the Let’s Encrypt certificate setup.
certbot certonly --non-interactive --agree-tos --standalone --preferred-challenges http --email [email protected] -d your.domain.com
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/cert.pem /etc/ipsec.d/certs/cert.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem /etc/ipsec.d/private/privkey.pem
ln -f -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/chain.pem /etc/ipsec.d/cacerts/chain.pem
echo "/etc/letsencrypt/archive/YOUR.DOMAIN.COM/* r, " >> /etc/apparmor.d/local/usr.lib.ipsec.charon
aa-status --enabled && invoke-rc.d apparmor reload
STEP 6)
You may need to set up your firewall. To do so using iptables, use the rules below. Note that they flush the existing rules and leave the default INPUT policy at ACCEPT, so tighten them to suit your environment; the iptables-persistent package installed in step 2 lets you keep them across reboots with netfilter-persistent save.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
iptables -P FORWARD ACCEPT
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
STEP 7)
Enable forwarding.
echo '
# vpnforward
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
' >> /etc/sysctl.conf
Now apply those changes.
sysctl -p
STEP 8)
Set up the ipsec.secrets and ipsec.conf files for IKEv2 and strongSwan. In the proposal lists below, aes256-sha1-modp1024 and aes256-sha1 are the weakest entries and are only there for older clients; the remaining proposals use SHA-256 with ECP or modp3072 groups.
echo "YOUR.DOMAIN.COM : RSA \"privkey.pem\"
" > /etc/ipsec.secrets
echo "config setup
    strictcrlpolicy=yes
    uniqueids=never
conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
    esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    [email protected]
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius # this uses radius authentication
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
" > /etc/ipsec.conf
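As an added example that is not part of the original tutorial, the POSIX shell audit below parses strongSwan ike=/esp= proposal lists like the ones above and flags proposals that still carry legacy components such as sha1 or modp1024; the legacy list it uses is a constructed example, not a strongSwan or Ubuntu policy.

```shell
#!/bin/sh
# Audit strongSwan ike=/esp= proposal lists for legacy algorithm components.
# A list is comma-separated; each proposal is a dash-separated set of algorithm
# names (encryption, integrity/PRF, DH group), e.g.
#   aes256-sha1-modp1024,aes256gcm16-sha256-ecp521
# The legacy set below is a constructed example for this audit; extend it to
# match your own baseline.
is_legacy() {
    case "$1" in
        md5|sha1|3des|des|modp768|modp1024|modp1536|null) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per proposal: "weak <proposal> (<legacy parts>)" or "ok <proposal>".
audit_proposals() {
    saved_ifs=$IFS
    IFS=','
    set -- $1                      # split the list into proposals
    IFS=$saved_ifs
    for proposal in "$@"; do
        reasons=""
        IFS='-'
        for alg in $proposal; do   # split the proposal into algorithm names
            IFS=$saved_ifs
            if is_legacy "$alg"; then
                reasons="${reasons:+$reasons,}$alg"
            fi
        done
        IFS=$saved_ifs
        if [ -n "$reasons" ]; then
            printf 'weak %s (%s)\n' "$proposal" "$reasons"
        else
            printf 'ok %s\n' "$proposal"
        fi
    done
}

# Number of weak proposals in a list (0 when the list is clean).
count_weak() {
    audit_proposals "$1" | grep -c '^weak ' || true
}

# Audit every ike=/esp= line in an ipsec.conf-style file; leading whitespace and
# trailing "# comments" are tolerated. Output lines are prefixed "ike:" or "esp:".
audit_conf_file() {
    sed -n -E 's/^[[:space:]]*(ike|esp)=([^#[:space:]]*).*/\1 \2/p' "$1" |
    while read -r key value; do
        audit_proposals "$value" | sed "s/^/$key: /"
    done
}

# Demo on the ike= line from the tutorial above.
audit_proposals "aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384"
```

Run `audit_conf_file /etc/ipsec.conf` after step 8 to see which of the configured proposals a client can still negotiate with legacy algorithms.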
STEP 9)
Open /etc/strongswan.conf and replace its entire contents with the block below, making sure you put your RADIUS server's IP address and shared secret into the file.
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            accounting = yes
            servers {
                server-a {
                    address = YOUR_RADIUS_SERVER_IP
                    secret = RADIUS_SECRET!
                    auth_port = 1812 # default
                    acct_port = 1813 # default
                }
            }
        }
    }
}
include strongswan.d/*.conf
STEP 10)
Now restart the strongSwan service so it picks up the new configuration.
ipsec restart
Your IKEv2 VPN server is now ready to accept connections. We will update this guide shortly with client setup guides for the various platforms.