How to setup an IKEv2 VPN server with StrongSwan on Ubuntu 20.04

An earlier version of this tutorial was written by Justin Ellingwood and Namo

Introduction

A virtual private network, or VPN, allows you to securely encrypt traffic as it travels over untrusted networks, such as those at a coffee shop, conference, or airport.

Internet Key Exchange v2, or IKEv2, is a protocol that allows direct IPSec tunneling between a server and its clients. In IKEv2 VPN deployments, IPSec provides the encryption for network traffic. IKEv2 is natively supported on some platforms (OS X 10.11+, iOS 9.1+, Windows 10) without additional applications, and it handles client interruptions, such as a device switching networks, gracefully.

In this tutorial, you will set up an IKEv2 VPN server using StrongSwan on an Ubuntu 20.04 server. You will then learn how to connect to it with Windows, macOS, Ubuntu, iOS and Android clients.

Prerequisites

To complete this tutorial, you will need:

Step 1 – Install StrongSwan

First, we will install StrongSwan, an open source IPSec daemon which we will configure as our VPN server. We will also install the Public Key Infrastructure (PKI) component so that we can create a Certificate Authority (CA) to provide credentials to our infrastructure.

Start by updating the local package cache:

Then install the program by typing:

  • sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins

The libcharon-extauth-plugins package is used so that different kinds of clients can authenticate to your server with a shared username and passphrase. The libstrongswan-extra-plugins package is included so that StrongSwan supports elliptic curve cipher suites based on Curve25519.

Now that everything is installed, let’s move on to creating our certificates.

Step 2 – Create a Certificate Authority

The IKEv2 server requires a certificate to identify itself to clients. To help create the required certificate, the strongswan-pki package ships a utility called pki for creating a CA and server certificates.

To get started, let’s create some directories to store all the assets we’ll be working on. The directory structure matches some of the folders in /etc/ipsec.d , where we will eventually move all the items we create:

  • mkdir -p ~/pki/{cacerts,certs,private}

Then lock down the permissions so that other users cannot read our private files:

Now that we have a directory structure to store everything, we can create a root key. This will be a 4096-bit RSA key that will be used to sign our root certificate authority.

Run these commands to generate the key:

  • pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem

Then we can move on to creating our root certificate authority, using the key we just created to sign the root certificate:

  • pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
  •     --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem

The --lifetime 3650 flag ensures that the CA's root certificate will be valid for 10 years. An organization's root certificate typically doesn't change, since it must be redistributed to every server and client that depends on it, so 10 years is a reasonable default expiration.

You can change the distinguished name (DN) to something else if you wish. The common name (the CN field) here is only a label, so it doesn't have to match anything in your infrastructure.

Now that we have our root certificate authority in place, we can create the certificate that the VPN server will use.

Step 3 – Create a certificate for the VPN server

We will now generate a certificate and key for the VPN server. This certificate will allow the client to verify the authenticity of the server using the CA certificate we just created.

First, create a private key for the VPN server with the following command:

  • pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem

Now, create and sign the VPN server certificate with the CA key you created in the previous step. Execute the following command, but change the Common Name (CN) and Subject Alternative Name (SAN) fields to the DNS name or IP address of your VPN server:

  • pki --pub --in ~/pki/private/server-key.pem --type rsa \
  •     | pki --issue --lifetime 1825 \
  •         --cacert ~/pki/cacerts/ca-cert.pem \
  •         --cakey ~/pki/private/ca-key.pem \
  •         --dn "CN=server_domain_or_IP" --san server_domain_or_IP \
  •         --flag serverAuth --flag ikeIntermediate --outform pem \
  •     > ~/pki/certs/server-cert.pem

Note: If you are using an IP address instead of a DNS name, you will need to specify multiple SAN entries. The line in the previous command block where you specify the distinguished name (--dn ...) needs an additional entry, as in the following snippet:

--dn "CN=IP_address" --san @IP_address --san IP_address

The reason for the additional --san @IP_address entry is that some clients check whether the certificate contains both a DNS entry and an IP address entry for the server when verifying its identity. The @ prefix makes pki encode the address as a DNS-name SAN, while the bare form produces an IP-address SAN.

The --flag serverAuth option indicates that the certificate will be used explicitly to authenticate the server before the encrypted tunnel is established. The --flag ikeIntermediate option is included to support older macOS clients.

Now that we've created all the certificate and key files StrongSwan needs, we can move them into place under the /etc/ipsec.d directory by typing:

  • sudo cp -r ~/pki/* /etc/ipsec.d/

In this step, we created a pair of certificates that will be used to secure communication between clients and the server. We also signed the server certificate with the CA key, so clients will be able to validate the VPN server using the CA certificate. With all of these certificates ready, we can move on to configuring the software.
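The procedure of Steps 2 and 3 wrapped in a script, as an added example that is not part of the original tutorial: issue_server_cert runs the same pki commands, choosing the SAN form from the server identity (both an @IP and a plain IP SAN for an address, a single SAN for a hostname), and verify_server_cert checks the result with OpenSSL, which is the check worth running before copying anything into /etc/ipsec.d. The function names, the PKI_DIR variable and the identities vpn.example.com and 203.0.113.10 are assumptions for illustration. issue_server_cert needs the strongswan-pki package; verify_server_cert needs only openssl.

```shell
#!/bin/sh
# Added example, not code from the tutorial: issue the IKEv2 server certificate
# with strongSwan's pki tool and verify it with OpenSSL before installing it.
set -eu

PKI_DIR="${PKI_DIR:-${HOME:-.}/pki}"   # assumption: the ~/pki layout from Step 2

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the --san arguments for the server identity in $1. For an IP address
# emit both a DNS-style SAN (pki's '@' prefix) and an IP SAN, because some
# clients look for both when they verify the server; a hostname gets one SAN.
san_args() {
    if is_ipv4 "$1"; then
        printf '%s' "--san @$1 --san $1"
    else
        printf '%s' "--san $1"
    fi
}

# Create the CA (only if it does not exist yet) and a server certificate for
# identity $1 with the same pki commands as Steps 2 and 3. Needs strongswan-pki.
issue_server_cert() {
    id="$1"
    mkdir -p "$PKI_DIR/cacerts" "$PKI_DIR/certs" "$PKI_DIR/private"
    chmod 700 "$PKI_DIR"
    if [ ! -f "$PKI_DIR/private/ca-key.pem" ]; then
        pki --gen --type rsa --size 4096 --outform pem > "$PKI_DIR/private/ca-key.pem"
        pki --self --ca --lifetime 3650 --in "$PKI_DIR/private/ca-key.pem" \
            --type rsa --dn "CN=VPN root CA" --outform pem > "$PKI_DIR/cacerts/ca-cert.pem"
    fi
    pki --gen --type rsa --size 4096 --outform pem > "$PKI_DIR/private/server-key.pem"
    # $(san_args ...) is deliberately unquoted so it expands to several words.
    pki --pub --in "$PKI_DIR/private/server-key.pem" --type rsa \
        | pki --issue --lifetime 1825 \
              --cacert "$PKI_DIR/cacerts/ca-cert.pem" \
              --cakey "$PKI_DIR/private/ca-key.pem" \
              --dn "CN=$id" $(san_args "$id") \
              --flag serverAuth --flag ikeIntermediate --outform pem \
        > "$PKI_DIR/certs/server-cert.pem"
}

# Check certificate $2 against CA $1 for identity $3: it must chain to the CA,
# carry the serverAuth extended key usage, and contain the SAN entries clients
# compare against the identity. Returns 0 on success, 1 with a message otherwise.
verify_server_cert() {
    ca="$1"; cert="$2"; id="$3"
    openssl verify -CAfile "$ca" "$cert" > /dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: missing serverAuth extended key usage"; return 1; }
    printf '%s\n' "$text" | grep -qF "DNS:$id" \
        || { echo "FAIL: no DNS SAN for $id"; return 1; }
    if is_ipv4 "$id"; then
        printf '%s\n' "$text" | grep -qF "IP Address:$id" \
            || { echo "FAIL: no IP SAN for $id"; return 1; }
    fi
    echo "OK: $cert is valid for $id"
}

# Usage on the VPN host (the identity is a constructed example):
#   issue_server_cert vpn.example.com
#   verify_server_cert "$PKI_DIR/cacerts/ca-cert.pem" "$PKI_DIR/certs/server-cert.pem" vpn.example.com
```

verify_server_cert deliberately checks the IP-address case twice, once for the DNS-form SAN and once for the IP-form SAN, because a certificate that passes openssl verify but lacks one of them will still be rejected by some clients.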

Step 4 – Configure StrongSwan

StrongSwan ships a default configuration file with some examples, but we will have to do most of the configuration ourselves. Let's back up the file for reference before starting from scratch:

  • sudo mv /etc/ipsec.conf{,.original}

Create and open a new empty configuration file using your favorite text editor. Here, we’ll use nano:

  • sudo nano /etc/ipsec.conf

Note: As you work through this section to configure the server side of your VPN, you will encounter settings that refer to the left and right sides of a connection. In IPSec VPN configuration, the left side refers to the local system you are configuring, in this case the server. The right-side directives describe the remote clients, such as phones and other computers.

When you move on to client configuration later in this tutorial, the client configuration files will refer to the client itself using left directives and to the server using right directives.

First, we'll tell StrongSwan to log daemon status for debugging and to allow duplicate connections. Add these lines to the file:

/etc/ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

Next, we'll create a configuration section for our VPN. We'll also tell StrongSwan to create IKEv2 VPN tunnels and to load this configuration section automatically when it starts up. Append the following lines to the file:

/etc/ipsec.conf

. . .
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes

We'll also configure dead-peer detection to clear any "dangling" connections if a client disconnects unexpectedly. Add these lines:

/etc/ipsec.conf

. . .
conn ikev2-vpn
    . . .
    dpdaction=clear
    dpddelay=300s
    rekey=no

Next, we'll configure the server-side ("left") IPSec parameters. Each of the following parameters ensures that the server is configured to accept connections from clients and to identify itself correctly. You'll add each of these settings to your /etc/ipsec.conf file once you know what they are and why they are used:

  • left=%any The %any value ensures that the server uses the network interface on which it receives incoming connections for all subsequent communication with clients. For example, if a client connects over a private network, the server will use its private IP address for the rest of the connection.
  • leftid=@server_domain_or_IP This option controls the name the server presents to clients. Combined with the next option, leftcert, it ensures that the server's configured name matches the distinguished name (DN) in its public certificate.
  • leftcert=server-cert.pem This option is the path to the server's public certificate that you created in Step 3 (a relative path is resolved under /etc/ipsec.d/certs). Without it, the server cannot authenticate itself to clients or complete the IKEv2 negotiation.
  • leftsendcert=always The value always ensures that any client connecting to the server receives a copy of the server's public certificate as part of the initial connection setup.
  • leftsubnet=0.0.0.0/0 The last "left" option tells clients which subnets are reachable behind the server. Here 0.0.0.0/0 represents the entire IPv4 address space, which means the server tells clients to send all their traffic through the VPN by default.

Now that you are familiar with each of the relevant “left” side options, add them all to the file like this:

/etc/ipsec.conf

. . .
conn ikev2-vpn
    . . .
    left=%any
    leftid=@server_domain_or_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

Note: When configuring the server ID (leftid), include the @ character only if your VPN server will be identified by a domain name:

/etc/ipsec.conf

    . . .
    leftid=@vpn.example.com
    . . .

If the server will be identified by its IP address, just enter the IP address without the @:

/etc/ipsec.conf

    . . .
    leftid=your_server_ip
    . . .

Next, we can configure the client-side ("right") IPSec parameters. Each of the following parameters tells the server how to accept connections from clients, how clients should authenticate to the server, and which private IP address ranges and DNS servers the clients will use. Add each of these settings to your /etc/ipsec.conf file once you know what they are and why they are used:

  • right=%any The %any option for the right side of the connection instructs the server to accept incoming connections from any remote client.
  • rightid=%any This option ensures that the server does not reject connections from clients that present an identity before the encrypted tunnel is established.
  • rightauth=eap-mschapv2 This option configures the authentication method clients will use to authenticate to the server. eap-mschapv2 is used here for broad compatibility with clients such as Windows, macOS and Android devices.
  • rightsourceip=10.10.10.0/24 This option instructs the server to assign clients private IP addresses from the 10.10.10.0/24 pool.
  • rightdns=8.8.8.8,8.8.4.4 These IP addresses are Google's public DNS resolvers. They can be changed to other public resolvers, the VPN server's own resolvers, or any other resolver the clients can reach.
  • rightsendcert=never This option tells the server that clients do not need to send a certificate to authenticate themselves.

Now that you are familiar with the "right" side options needed for the VPN, add the following lines to /etc/ipsec.conf:

/etc/ipsec.conf

. . .
conn ikev2-vpn
    . . .
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
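The "left" and "right" settings of this step assembled into a script, as an added example that is not part of the original tutorial: left_id applies the rule from the note above (the @ prefix only for a DNS name), render_conn prints the conn section as built so far with the server identity, address pool and DNS list as parameters, and lint_conf reads an ipsec.conf and fails when the settings this tutorial relies on are missing or weakened (IKEv1 instead of IKEv2, the server certificate not sent, the wrong identity form for leftid). The function names and the identities vpn.example.com and 203.0.113.10 are assumptions for illustration; the rendered conn covers only the settings introduced up to this point.

```shell
#!/bin/sh
# Added example, not code from the tutorial: render the ikev2-vpn conn section
# and lint an ipsec.conf for the settings this setup depends on.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# leftid value for server identity $1: '@' marks an FQDN identity, an IP
# address is written bare (see the note on leftid above).
left_id() {
    if is_ipv4 "$1"; then printf '%s' "$1"; else printf '@%s' "$1"; fi
}

# Print the conn section for identity $1, client pool $2 and DNS list $3.
# All other values are the ones used in this step of the tutorial.
render_conn() {
    cat <<EOF
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=$(left_id "$1")
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=$2
    rightdns=$3
    rightsendcert=never
EOF
}

# Normalise an ipsec.conf read from stdin to one "key=value" per line:
# drop comments, strip whitespace around '=' and at line ends, keep only
# lines that carry a setting (section headers such as "conn x" have no '=').
conf_settings() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep '='
}

# Lint an ipsec.conf read from stdin. Returns 1 and reports each problem if a
# setting this tutorial relies on is missing or changed, or if leftid uses the
# wrong identity form; returns 0 when everything checks out.
lint_conf() {
    settings=$(conf_settings)
    rc=0
    for want in keyexchange=ikev2 leftsendcert=always rightauth=eap-mschapv2 \
                rightsendcert=never dpdaction=clear; do
        printf '%s\n' "$settings" | grep -qxF "$want" \
            || { echo "missing or changed: $want"; rc=1; }
    done
    leftid=$(printf '%s\n' "$settings" | sed -n 's/^leftid=//p')
    case "$leftid" in
        "")  echo "leftid missing"; rc=1 ;;
        @*)  is_ipv4 "${leftid#@}" && { echo "leftid=$leftid: an IP identity takes no '@'"; rc=1; } ;;
        *)   is_ipv4 "$leftid" || { echo "leftid=$leftid: a DNS identity needs the '@' prefix"; rc=1; } ;;
    esac
    return $rc
}

# Usage (identity, pool and resolvers are constructed examples):
#   render_conn vpn.example.com 10.10.10.0/24 8.8.8.8,8.8.4.4 | sudo tee -a /etc/ipsec.conf
#   lint_conf < /etc/ipsec.conf
```

Run lint_conf against the finished file before restarting StrongSwan; a config that falls back to IKEv1 or omits leftsendcert=always will still load, so the daemon will not tell you about it.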

Now we’ll tell StrongSwan to ask the client…
