Strongswan is a multi-platform open source IPsec implementation. It is an IPsec-based VPN solution that focuses on strong authentication mechanisms. Strongswan supports both the IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication.
In this tutorial, I will show you how to install an IPsec VPN server using Strongswan. We will create an IKEv2 VPN server with "EAP-MSCHAPv2" authentication and use Let's Encrypt certificates on a CentOS 8 server.
Prerequisites
- CentOS 8 Server
- Root Privileges
What we will do?
- Install Strongswan on CentOS 8
- Generate SSL Letsencrypt
- Configure Strongswan
- Enable NAT Firewall
- Enable Port-Forwarding
Step 1 - Install Strongswan on CentOS 8
In the first step, we will install the Strongswan IPsec implementation and all the packages it needs from the EPEL repository.
Before installing the strongswan package, you must add the EPEL repository to the CentOS 8 system.
Add the EPEL repository to the CentOS 8 server.
sudo dnf install epel-release
Then install the Strongswan package from the EPEL repository with the dnf command below.
sudo dnf install strongswan
Wait for the Strongswan package installation to complete.
Step 2 – Generate SSL Certificate with Let's Encrypt
For this guide we will create the IKEv2 VPN server with the domain name 'vpn.hakase-labs.io' and use certificates generated by Let's Encrypt.
In this step, we will install the Let's Encrypt tool 'certbot' manually and generate certificates for the server's domain name 'vpn.hakase-labs.io'.
Download certbot binary file from GitHub using the wget command below.
wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
After that, make it executable by changing the file mode.
chmod +x /usr/local/bin/certbot-auto
And the certbot tool for generating Letsencrypt certificates has been installed.
Before we generate the Let's Encrypt certificates, we must open the server's HTTP and HTTPS ports in firewalld, because certbot's standalone mode answers the ACME challenge on them.
Add the HTTP and HTTPS services to the firewall services list by running the firewall-cmd commands below.
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
Now we can create the new SSL certificate files using the Let's Encrypt tool certbot-auto.
Replace the email address and domain name with your own and run the 'certbot-auto' command below.
certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email [email protected] -d vpn.hakase-labs.io
When done you will get the result as below.
All certificates for your domain name are generated in the '/etc/letsencrypt/live/domain.com' directory.
Then we need to copy the certificate files 'fullchain.pem', 'privkey.pem' and 'chain.pem' to the '/etc/strongswan/ipsec.d/' directory.
cp /etc/letsencrypt/live/vpn.hakase-labs.io/fullchain.pem /etc/strongswan/ipsec.d/certs/
cp /etc/letsencrypt/live/vpn.hakase-labs.io/privkey.pem /etc/strongswan/ipsec.d/private/
cp /etc/letsencrypt/live/vpn.hakase-labs.io/chain.pem /etc/strongswan/ipsec.d/cacerts/
All Let's Encrypt certificates for the Strongswan VPN 'vpn.hakase-labs.io' have been generated and copied to the '/etc/strongswan/ipsec.d' directory. Check the layout with the tree command.
tree /etc/strongswan/ipsec.d/
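Let's Encrypt certificates expire after 90 days, and the copy above is a one-off, so renewed files never reach '/etc/strongswan/ipsec.d' unless something copies them again. The script below is an added example (not part of the original tutorial) meant to run as a certbot '--deploy-hook': it reads the lineage directory certbot exports in RENEWED_LINEAGE, copies the three files into the same sub-directories used above, keeps the private key readable by root only, and restarts the service. The destination path and the file-to-directory mapping are taken from the copy commands above; everything else is this example's own.

```python
#!/usr/bin/env python3
"""certbot deploy hook: copy renewed Let's Encrypt files into strongSwan's ipsec.d."""
import os
import shutil
import subprocess
import sys

# Destination sub-directory for each file, matching the tutorial's cp commands.
FILE_MAP = {
    "fullchain.pem": "certs",    # referenced by leftcert=fullchain.pem
    "privkey.pem": "private",    # referenced by ': RSA "privkey.pem"' in ipsec.secrets
    "chain.pem": "cacerts",      # issuer chain used to build the trust path
}

def deploy_certs(lineage_dir, ipsec_d):
    """Copy the three files into ipsec.d and return the destination paths.

    All sources are checked first, so a lineage with a missing file is never
    half-deployed. copyfile follows symlinks, which is what certbot's live/
    directory contains.
    """
    for name in FILE_MAP:
        if not os.path.isfile(os.path.join(lineage_dir, name)):
            raise FileNotFoundError(os.path.join(lineage_dir, name))
    copied = []
    for name, subdir in FILE_MAP.items():
        dst_dir = os.path.join(ipsec_d, subdir)
        os.makedirs(dst_dir, exist_ok=True)
        dst = os.path.join(dst_dir, name)
        shutil.copyfile(os.path.join(lineage_dir, name), dst)
        # The private key must stay readable by root only; certificates may be public.
        os.chmod(dst, 0o600 if name == "privkey.pem" else 0o644)
        copied.append(dst)
    return copied

def restart_strongswan():
    """Restart the service so charon loads the new key and certificate chain."""
    subprocess.run(["systemctl", "restart", "strongswan"], check=True)

if __name__ == "__main__":
    # certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain> for deploy hooks.
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this as a certbot --deploy-hook")
    for path in deploy_certs(lineage, "/etc/strongswan/ipsec.d"):
        print("deployed", path)
    restart_strongswan()
```

Save it under a path of your choice (for example /usr/local/bin/strongswan-deploy.py, an assumed name), make it executable, and register it with 'certbot-auto renew --deploy-hook /usr/local/bin/strongswan-deploy.py'; port 80 must stay open for the standalone renewal.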
Step 3 - Configure Strongswan
Go to the '/etc/strongswan' directory and back up the default 'ipsec.conf' configuration file.
cd /etc/strongswan/
mv ipsec.conf ipsec.conf.asli
Create a new 'ipsec.conf' with the vim editor.
vim ipsec.conf
Paste the following configuration.
config setup
    uniqueids=never   # allow multiple connections per user
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    fragmentation=yes
    closeaction=restart
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    compress=yes
    dpddelay=35s
    lifetime=3h
    ikelifetime=12h
    ike=aes256gcm16-prfsha512-ecp384!
    esp=aes256gcm16-ecp384!
    left=%any
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
    rightdns=126.96.36.199,188.8.131.52
    rightsendcert=never
    eap_identity=%identity

conn ikev2-pubkey
    auto=add
Save and exit.
Next, we need to edit 'ipsec.secrets' to define the server's RSA private key and the EAP user passwords.
Edit the file 'ipsec.secrets'.
vim ipsec.secrets
Paste the configuration below.
: RSA "privkey.pem"
hakase : EAP "[email protected]"
tensai : EAP "[email protected]"
Save and exit.
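A small pre-flight check for the 'ipsec.conf' above, added here as an example and not part of the original tutorial: it parses the file into its 'config' and 'conn' sections, merges 'conn %default' into the EAP connection, and reports the settings a reviewer would look at first, namely that the proposals are strict ('!', so strongSwan does not also offer its default suites), that a DH group is named, that 'leftsendcert=always' is set for EAP clients, and that the 'rightsourceip' pool is a valid network. The embedded sample is a constructed copy of the tutorial's settings; the 'ecp384' DH group in the 'ike' line is an assumption matching the 'esp' line.

```python
"""Pre-flight lint for a strongSwan ipsec.conf like the one above (added example)."""
import ipaddress

# Constructed sample mirroring the tutorial's settings (ike DH group assumed ecp384).
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes256gcm16-prfsha512-ecp384!
    esp=aes256gcm16-ecp384!
    leftsendcert=always
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
conn ikev2-pubkey
    auto=add
"""

def parse_conf(text):
    """Return {section: {key: value}}; section headers start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # 'config setup' / 'conn NAME'
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint(text, conn="conn ikev2-pubkey"):
    """Return findings for the effective settings of `conn` (%default merged in)."""
    sections = parse_conf(text)
    eff = {**sections.get("conn %default", {}), **sections.get(conn, {})}
    findings = []
    if eff.get("keyexchange") != "ikev2":
        findings.append("keyexchange must be ikev2 for EAP-MSCHAPv2 clients")
    for k in ("ike", "esp"):
        proposal = eff.get(k, "")
        if not proposal.endswith("!"):
            findings.append(f"{k} proposal not strict: without '!' defaults are also offered")
        if not any(g in proposal for g in ("ecp", "modp", "curve25519")):
            findings.append(f"{k} proposal names no DH group (no forward secrecy)")
    if eff.get("rightauth", "").startswith("eap") and eff.get("leftsendcert") != "always":
        findings.append("leftsendcert=always needed: EAP clients may not request the cert")
    try:
        ipaddress.ip_network(eff.get("rightsourceip", ""))
    except ValueError:
        findings.append("rightsourceip is not a valid address pool")
    return findings
```

Run it against the real file with lint(open("/etc/strongswan/ipsec.conf").read()); an empty list means none of the checks fired.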
The Strongswan IPsec configuration is now complete. Enable the Strongswan service to start at boot, then start it.
systemctl enable strongswan
systemctl start strongswan
The Strongswan service is now running on the CentOS 8 server; check it with the following command.
systemctl status strongswan
And you will see the result as below.
Step 4 - Activate NAT in Firewalld
In this step we enable NAT masquerading and allow the IPsec protocols Authentication Header (AH) and Encapsulating Security Payload (ESP) in firewalld using "rich rule" configuration.
Add the 'AH' and 'ESP' protocols (IPsec authentication and encryption) to the firewall.
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
Add the IPsec UDP ports and service.
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"
Now enable NAT masquerading and reload the firewall configuration rules.
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload
Firewall NAT mode enabled, check with the command below.
firewall-cmd --list-all
The following is the result.
Step 5 – Enable port forwarding
To enable IP forwarding, we need to edit the file "sysctl.conf".
Edit the file "/etc/sysctl.conf" with the vim editor.
vim /etc/sysctl.conf
Paste the following configuration there.
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Save and exit, then reload the settings with the sysctl command below.
sysctl -p
IP forwarding has been enabled. Restart the Strongswan service.
systemctl restart strongswan
Step 6 - Test Strongswan IPSec VPN
In this case, we will do the test on macOS and on an Android phone.
- Open "System Settings" and click on the "Network" menu.
Click the "+" button to create a new VPN connection.
- Interface: "VPN"
- VPN Type: 'IKEv2'
- Service Name: 'IKEv2-vpn'
- Enter the VPN domain name 'ikev2.hakase-labs.io' in the 'Server Address' and 'Remote ID' fields.
- Click "Authentication Settings".
- Authentication with a "username".
- Enter the username "tensai" with password "[email protected]"
- Click "OK" and click "Apply".
New IKEv2 VPN connection has been created on the client. Now click on the connect button.
The client is now connected to the Strongswan VPN server and has the internal/private IP address 10.15.1.1.
On Android
- Download and install the official strongSwan Android application from Google Play.
- Add a new VPN profile.
- Enter the server domain name 'ikev2.hakase-labs.io' and choose IKEv2 EAP (username and password) authentication.
The following is the result when we connect to the VPN server.
The IKEv2 IPSec based VPN server has been created using Strongswan and Letsencrypt on CentOS 8 server.