How to Set Up an IKEv2 VPN Server with StrongSwan on CentOS 8
strongSwan is an open-source IPsec implementation that works across multiple platforms. It is an IPsec-based VPN solution with an emphasis on strong authentication. strongSwan supports both the IKEv1 and IKEv2 key exchange protocols, authenticating peers with X.509 certificates or pre-shared keys, and it additionally supports user authentication through IKEv2 EAP methods.
Installing strongSwan on a CentOS 8 server is straightforward. This guide walks through setting up and configuring an IKEv2 VPN server on CentOS 8 that authenticates itself to clients with a Let's Encrypt certificate and authenticates users with an EAP username and password.
For this installation you will need:
- A CentOS 8 server (a VPS is fine).
- Root privileges on the server.
- A DNS name for the server (the examples use 'vpn.euro-space.net') that resolves to its public IP address; Let's Encrypt validates the name by connecting to it.
Step 1 – Install StrongSwan on the CentOS 8 Server
In the first step, install the strongswan IPsec package and its dependencies from the EPEL repository.
Install the EPEL repository (package 'epel-release') and then the 'strongswan' package using the commands below, and wait for the installation to finish.
Step 2 – Generate a Certificate with the Let's Encrypt Certificate Authority
After installing strongSwan, we will set up the IKEv2 VPN server under the domain name 'vpn.euro-space.net' (replace it with your own) and use a certificate issued by Let's Encrypt. Clients already trust the Let's Encrypt chain, so no CA certificate has to be distributed to them.
First, install the Let's Encrypt client 'certbot' and request a certificate for the server domain name 'vpn.euro-space.net'.
Download the 'certbot-auto' script from GitHub using the wget command below. Note that certbot-auto is deprecated and no longer maintained by the certbot project; on CentOS 8 the same tool is available as the 'certbot' package from the EPEL repository enabled in Step 1, and the options used below are the same for both.
Next, make the file executable by changing its permissions:
certbot is now installed and ready to request Let's Encrypt certificates.
Before requesting the certificate, open the HTTP and HTTPS ports of the server with firewall-cmd: Let's Encrypt verifies control of the domain by connecting to port 80 on the host the name resolves to.
Add the 'http' and 'https' services to the firewalld configuration by running the firewall-cmd commands below (add them permanently and reload, otherwise the rules are lost at the next firewalld reload).
Now request the certificate with the certbot-auto tool.
Replace the email address and the domain name with your own and run the 'certbot-auto' command below:
Once it completes you get 'fullchain.pem' (the server certificate followed by the issuing intermediate), 'chain.pem' (the intermediate only) and 'privkey.pem' (the private key). Please note that all files for your domain are stored in '/etc/letsencrypt/live/<your domain>/', here '/etc/letsencrypt/live/vpn.euro-space.net/'; they are symlinks to the current versions under '/etc/letsencrypt/archive/', which certbot updates on every renewal.
Next, copy the files into the subdirectories strongSwan reads under '/etc/strongswan/ipsec.d/': 'fullchain.pem' into 'certs/', 'privkey.pem' into 'private/' and 'chain.pem' into 'cacerts/'. strongSwan resolves a bare file name given as 'leftcert=' in 'ipsec.conf' against 'ipsec.d/certs/' and a bare file name in 'ipsec.secrets' against 'ipsec.d/private/', so the files must land in those directories rather than in 'ipsec.d/' itself. Keep 'privkey.pem' readable by root only (mode 0600).
We can check that all Let's Encrypt files for the VPN name 'vpn.euro-space.net' have been copied into place under '/etc/strongswan/ipsec.d/'. Let's Encrypt certificates are valid for 90 days, so this copy has to be repeated, and strongSwan restarted, after every renewal:
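The script below, an added example that is not part of the original page, does the copy into the directories strongSwan expects and restarts the daemon so a renewed certificate is actually used. It is meant to be installed as a certbot deploy hook; the path /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh and the IPSEC_D override are assumptions, while RENEWED_LINEAGE is the variable certbot sets for deploy hooks to the renewed 'live/<domain>' directory.

```shell
#!/bin/sh
# Added example (not from the original page). Copies the Let's Encrypt files
# into the directories strongSwan reads and restarts charon so a renewed
# certificate is served. Installed as
# /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh (assumed path), certbot
# runs it after every successful renewal with RENEWED_LINEAGE pointing at the
# live/<domain> directory.
set -eu

# install_vpn_certs LIVE_DIR IPSEC_D
#   LIVE_DIR: certbot lineage directory, e.g. /etc/letsencrypt/live/vpn.euro-space.net
#   IPSEC_D : strongSwan config tree, /etc/strongswan/ipsec.d on CentOS 8
install_vpn_certs() {
    live="$1"
    ipsec_d="$2"
    for f in fullchain.pem privkey.pem chain.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    # A bare file name in the configuration is resolved against these subdirectories:
    #   leftcert=fullchain.pem in ipsec.conf  -> ipsec.d/certs/
    #   : RSA "privkey.pem" in ipsec.secrets  -> ipsec.d/private/
    #   issuing CA used to complete the chain -> ipsec.d/cacerts/
    install -d -m 0755 "$ipsec_d/certs" "$ipsec_d/cacerts"
    install -d -m 0700 "$ipsec_d/private"
    install -m 0644 "$live/fullchain.pem" "$ipsec_d/certs/fullchain.pem"
    install -m 0644 "$live/chain.pem"     "$ipsec_d/cacerts/chain.pem"
    # the key is the server's identity: root-only
    install -m 0600 "$live/privkey.pem"   "$ipsec_d/private/privkey.pem"
}

restart_strongswan() {
    # The stroke backend loads the certificate named by leftcert when the
    # connection is added, so a plain reload that sees an unchanged connection
    # is not guaranteed to pick up the new file; a restart is dependable and
    # clients reconnect on their own. Skipped when strongSwan is not installed
    # so the copy logic can be exercised on any host.
    if command -v strongswan >/dev/null 2>&1 && systemctl is-active --quiet strongswan; then
        systemctl restart strongswan
    fi
}

# Run as a certbot deploy hook (RENEWED_LINEAGE set) or by hand with the live
# directory as the first argument; with neither, only the functions are defined.
lineage="${RENEWED_LINEAGE:-${1:-}}"
if [ -n "$lineage" ]; then
    install_vpn_certs "$lineage" "${IPSEC_D:-/etc/strongswan/ipsec.d}"
    restart_strongswan
fi
```

For the first installation run it once by hand with the live directory as argument; afterwards certbot's renewal timer runs it whenever the certificate is renewed.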
Step 3 – Configure StrongSwan
Change to the '/etc/strongswan' directory and back up the default 'ipsec.conf' configuration file:
Create a new 'ipsec.conf' file using vim (or your preferred editor):
Then paste the following configuration:
uniqueids=never # allow multiple connections per user
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
Save the file and exit. Both lines belong to the 'config setup' section. 'uniqueids=never' lets several clients authenticate with the same EAP identity at the same time (with the default, a new login with the same identity replaces the older session). 'charondebug' at level 2 for every subsystem is useful while getting the first client to connect, but it is far too verbose for production and logs identities and policy details; lower it to 1 or 0 once the VPN works.
Next, edit the 'ipsec.secrets' file to point strongSwan at the server's RSA private key and to define the EAP users and their passwords.
Open the 'ipsec.secrets' file:
and add the following entries:
# server private key; a bare file name is looked up in /etc/strongswan/ipsec.d/private/
: RSA "privkey.pem"
# EAP users, one per line: <username> : EAP "<password>"
hakase : EAP "hakase321@"
tensai : EAP "tensai321@"
Save the file and exit. 'ipsec.secrets' holds the passwords in clear text, so make sure it is readable by root only (mode 0600), and replace the example passwords above with long, randomly generated ones: the EAP password is the only credential a client presents.
The strongSwan configuration is now complete. Enable the 'strongswan' service at boot and start it:
The strongSwan service is up and running on your CentOS 8 server; check it using the following command:
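Only the two 'config setup' lines of 'ipsec.conf' are shown above. The script below is an added example, not the page's own configuration: it renders a complete 'ipsec.conf' for this IKEv2 EAP road-warrior setup from a few parameters and lints the result for the properties the setup relies on. The connection name 'ikev2-vpn', the pool 10.15.1.0/24 (chosen to match the 10.15.1.1 the macOS client receives later on this page), the pushed DNS server 1.1.1.1 and the algorithm lists are assumptions; 'eap-mschapv2' is the EAP method the native macOS and Android username/password clients use.

```shell
#!/bin/sh
# Added example, not the page's own configuration: generate a complete ipsec.conf
# for the IKEv2 EAP setup and lint it. Assumed: conn name, pool, DNS, proposals.
set -eu

# render_ipsec_conf DOMAIN POOL DNS
#   DOMAIN: name in the Let's Encrypt certificate (vpn.euro-space.net on this page)
#   POOL  : virtual IP pool handed to clients (assumption: 10.15.1.0/24)
#   DNS   : resolver pushed to clients (assumption)
render_ipsec_conf() {
    domain="$1"; pool="$2"; dns="$3"
    cat <<EOF
config setup
    # level 1 is enough in production; level 2 on every subsystem floods the journal
    charondebug="ike 1, knl 1, cfg 1, net 1, esp 1, dmn 1, mgr 1"
    # allow several clients to log in with the same EAP identity
    uniqueids=never

conn ikev2-vpn
    auto=add
    keyexchange=ikev2
    type=tunnel
    # IKE fragmentation and forced UDP encapsulation keep large certificate
    # payloads and NAT'd clients working
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    # AEAD suite first, a CBC+HMAC suite with DH group 14 for clients that do
    # not propose AEAD. The trailing "!" makes the list strict, so charon does
    # not append its defaults (which still include MODP-1024 and 3DES).
    ike=aes256gcm16-sha384-ecp384,aes256-sha256-modp2048!
    esp=aes256gcm16,aes256-sha256!
    # server side: authenticate with the Let's Encrypt certificate
    left=%any
    leftid=@$domain
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # client side: EAP-MSCHAPv2 username/password from ipsec.secrets
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=$pool
    rightdns=$dns
    rightsendcert=never
    eap_identity=%identity
EOF
}

# lint_ipsec_conf < ipsec.conf
# returns 0 when the config has the properties this setup relies on, 1 otherwise
lint_ipsec_conf() {
    conf=$(cat)
    rc=0
    for need in 'keyexchange=ikev2' 'rightauth=eap-mschapv2' 'leftsendcert=always' \
                'eap_identity=%identity' 'leftid=@'; do
        printf '%s\n' "$conf" | grep -q -- "^[[:space:]]*$need" \
            || { echo "lint: missing $need" >&2; rc=1; }
    done
    # weak primitives in the proposals
    if printf '%s\n' "$conf" | grep -E '^[[:space:]]*(ike|esp)=' \
         | grep -Eq 'modp1024|3des|md5|sha1'; then
        echo "lint: weak algorithm in ike=/esp= proposal" >&2; rc=1
    fi
    # a proposal list without "!" lets charon append its default proposals
    if printf '%s\n' "$conf" | grep -E '^[[:space:]]*(ike|esp)=' | grep -vq '!$'; then
        echo "lint: ike=/esp= proposal list is not strict (missing trailing !)" >&2; rc=1
    fi
    return $rc
}

case "${1:-}" in
    render) render_ipsec_conf "${2:-vpn.euro-space.net}" "${3:-10.15.1.0/24}" "${4:-1.1.1.1}" ;;
    lint)   lint_ipsec_conf ;;
    *) ;;
esac
```

Run it as 'sh ipsec-conf.sh render vpn.euro-space.net 10.15.1.0/24 1.1.1.1 > /etc/strongswan/ipsec.conf', and 'sh ipsec-conf.sh lint < /etc/strongswan/ipsec.conf' to review an existing file; the lint is deliberately strict about the proposal lists because a non-strict list silently re-enables the weak defaults.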
Step 4 – Enable NAT in Firewalld
Now enable NAT masquerading and allow the IPsec protocols Authentication Header (AH, IP protocol 51) and Encapsulating Security Payload (ESP, IP protocol 50) in firewalld using rich rules. ESP carries the tunnelled traffic whenever the client is not behind NAT; with NAT in the path it is encapsulated in UDP 4500 instead.
Allow AH and ESP in firewalld:
Allow the IKE ports, UDP 500 (IKE) and UDP 4500 (NAT traversal), and the firewalld 'ipsec' service:
Then enable masquerading, so that packets from the clients' virtual addresses leave with the server's public address, and reload the firewalld rules:
Once masquerading has been enabled, you can confirm it with the command below:
Step 5 – Enable IP Forwarding
The kernel does not forward packets between interfaces by default, so client traffic would stop at the server. Enable IP forwarding (not to be confused with port forwarding) in the 'sysctl.conf' file.
Open the '/etc/sysctl.conf' file using vim (or another editor):
and add the following lines:
# route packets between the VPN clients and the uplink interface
net.ipv4.ip_forward = 1
# do not accept or send ICMP redirects: a forwarding host should not let
# redirects rewrite its routes, nor leak its routing decisions to clients
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Save the file and exit, then apply the new values with 'sysctl -p':
IP forwarding is now enabled. Finally, restart the strongswan service:
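Steps 4 and 5 are easy to get subtly wrong (a rule added without --permanent, a sysctl that never got applied). The script below is an added example, not from the page: one function applies the firewalld and sysctl settings (run as root on the server; it writes a sysctl.d fragment instead of editing /etc/sysctl.conf, which is an equivalent alternative), and two checks read the output of 'firewall-cmd --list-all' and 'sysctl -a' and report anything missing. The sample outputs embedded for offline use are constructed, not captured from a real host; the fragment name '99-ikev2-vpn.conf' is an assumption.

```shell
#!/bin/sh
# Added example, not from the page: apply and audit the firewalld/sysctl
# settings the VPN needs. apply_vpn_network_rules must run as root on the
# server; the audit functions only read text and work anywhere.
set -eu

apply_vpn_network_rules() {
    # ESP (IP proto 50) and AH (IP proto 51) carry tunnel traffic when the
    # client is not behind NAT; IKE uses 500/udp and NAT-T moves IKE and ESP
    # to 4500/udp. firewalld's 'ipsec' service covers the same ports and
    # protocols; the explicit rules are kept so the intent is visible in --list-all.
    firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
    firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
    firewall-cmd --permanent --add-port=500/udp --add-port=4500/udp
    firewall-cmd --permanent --add-service=ipsec
    # clients get virtual addresses from the pool; masquerade rewrites them to
    # the server's address on the way out, ip_forward lets the kernel route them
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --reload
    cat > /etc/sysctl.d/99-ikev2-vpn.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
    sysctl -p /etc/sysctl.d/99-ikev2-vpn.conf
}

# audit_firewalld < output of "firewall-cmd --list-all"; 0 if complete, 1 otherwise
audit_firewalld() {
    out=$(cat)
    rc=0
    svc=0
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*services:.*[[:space:]]ipsec([[:space:]]|$)' && svc=1
    for proto in esp ah; do
        [ "$svc" = 1 ] && continue
        printf '%s\n' "$out" | grep -Eq "rule protocol value=\"$proto\" accept|^[[:space:]]*protocols:.*[[:space:]]$proto([[:space:]]|$)" \
            || { echo "firewalld: IP protocol $proto not allowed" >&2; rc=1; }
    done
    for port in 500/udp 4500/udp; do
        [ "$svc" = 1 ] && continue
        printf '%s\n' "$out" | grep -Eq "^[[:space:]]*ports:.*[[:space:]]$port([[:space:]]|$)" \
            || { echo "firewalld: $port not open and ipsec service absent" >&2; rc=1; }
    done
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*masquerade: yes' \
        || { echo "firewalld: masquerade is off" >&2; rc=1; }
    return $rc
}

# audit_sysctl < output of "sysctl -a" (or a sysctl.conf fragment); 0 if complete
audit_sysctl() {
    out=$(cat)
    rc=0
    for kv in 'net.ipv4.ip_forward=1' \
              'net.ipv4.conf.all.accept_redirects=0' \
              'net.ipv4.conf.all.send_redirects=0'; do
        key=${kv%=*}; val=${kv#*=}
        printf '%s\n' "$out" | grep -Eq "^$key[[:space:]]*=[[:space:]]*$val[[:space:]]*$" \
            || { echo "sysctl: want $key = $val" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample output (not captured from a real host) for offline checks.
sample_firewalld='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 500/udp 4500/udp
  protocols:
  masquerade: yes
  forward-ports:
  rich rules:
    rule protocol value="esp" accept
    rule protocol value="ah" accept'
sample_sysctl='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0'

case "${1:-}" in
    apply) apply_vpn_network_rules ;;
    check) firewall-cmd --list-all | audit_firewalld && sysctl -a 2>/dev/null | audit_sysctl ;;
    *) ;;
esac
```

'sh vpn-net.sh apply' configures the server and 'sh vpn-net.sh check' verifies the running state; the audit reads the live configuration rather than the permanent one, which is exactly what catches a rule that was added without --permanent and lost at the next reload.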
Step 6 – Test the StrongSwan IPsec VPN
We will test from macOS and from an Android phone.
On macOS
- Open 'System Preferences' and click 'Network'.
- Click the '+' button to create a new VPN connection and set:
- Interface: 'VPN'
- VPN Type: 'IKEv2'
- Service Name: 'IKEv2-vpn'
- Server Address and Remote ID: the VPN domain name 'vpn.euro-space.net'. The Remote ID must be the name the server presents in its certificate (the same name used for 'leftid' and the Let's Encrypt certificate); with a mismatched Remote ID the client refuses the connection even though the certificate itself is valid.
- Click 'Authentication Settings'.
- Authenticate using 'Username'.
- Enter the username 'tensai' and the password 'tensai321@' defined in 'ipsec.secrets'.
- Click 'OK', then 'Apply'.
The IKEv2 VPN connection has been created on the client. Next, click the connect button:
The client is now connected to the strongSwan VPN server and has received a virtual address from the server's pool, 10.15.1.1 here.
On the Android Device
- Download and install the strongSwan VPN Client app from Google Play.
- Add a new VPN profile.
- Enter the server name 'vpn.euro-space.net', choose 'IKEv2 EAP (Username/Password)' as the VPN type, and enter one of the users from 'ipsec.secrets'.
When the connection to the VPN server is established, the app shows the profile as connected.
We have now built an IKEv2 IPsec VPN server with strongSwan and Let's Encrypt on a CentOS 8 server.
Published on: 30-08-2023