- \n
- CentOS 7 Server<\/li>\n
- Root privileges<\/li>\n<\/ul>\n
What we will do?<\/h2>\n
- \n
- Install Strongswan on CentOS 7<\/li>\n
- Generate SSL Letsencrypt<\/li>\n
- Configure Strongswan<\/li>\n
- Enable NAT Firewall<\/li>\n
- Enable Port-Forwarding<\/li>\n
- Testing<\/li>\n<\/ol>\n
Step 1 – Install Strongswan on CentOS 7<\/h2>\n
In this first step, we will install the strongswan IPsec implement software and all packages needed from the EPEL repository.<\/p>\n
Install the EPEL repository and install the strongswan package using yum commands below.<\/p>\n
yum -y install epel-release
yum -y install strongswan<\/p>\nWait for the strongswan package to be installed.<\/p>\n
![\"Install](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7.png\" "\\"\\"")
<\/a><\/p>\nStep 2 – Generate SSL Certificate with Let’s encrypt<\/h2>\n
We will create the IKEv2 VPN server using a domain name ‘ikev2.hakase-labs.io’ and use certificates generated from letsencrypt.<\/p>\n
In this step, we will install the letsencrypt tool ‘certbot’ and generate certificates for the server domain name ‘ikev2.hakase-labs.io’.<\/p>\n
Install ‘certbot’ letsencrypt tool.<\/p>\n
yum -y install certbot<\/p>\n
After the certbot installation, we need to open the HTTP and HTTPS port of the server using firewall-cmd.<\/p>\n
Add the HTTP and HTTPS services to the firewalld service list by running firewall-cmd commands below.<\/p>\n
firewall-cmd –add-service=http –permanent
firewall-cmd –add-service=https –permanent
firewall-cmd –reload<\/p>\n![\"Generate](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-1.png\" "\\"\\"")
<\/a><\/p>\nNow we can generate new SSL certificate files using the letsencrypt tool certbot.<\/p>\n
Run the certbot command below.<\/p>\n
certbot certonly –rsa-key-size 4096 –standalone –agree-tos –no-eff-email –email [email\u00a0protected]<\/a> -d ikev2.hakase-labs.io<\/p>\n
Letsencrypt certificates for the vpn domain name ‘ikev2.hakase-labs.io’ has been generated, and are located at the ‘\/etc\/letsencrypt\/live’ directory.<\/p>\n
![\"SSL](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-2.png\" "\\"\\"")
<\/a><\/p>\nNext, we need to copy the certificate files ‘fullchain.pem’, ‘privkey.pem’, and the ‘chain.pem’ to the ‘\/etc\/strongswan\/ipsec.d\/’ directory.<\/p>\n
cp \/etc\/letsencrypt\/live\/ikev2.hakase-labs.io\/fullchain.pem \/etc\/strongswan\/ipsec.d\/certs\/
cp \/etc\/letsencrypt\/live\/ikev2.hakase-labs.io\/privkey.pem \/etc\/strongswan\/ipsec.d\/private\/
cp \/etc\/letsencrypt\/live\/ikev2.hakase-labs.io\/chain.pem \/etc\/strongswan\/ipsec.d\/cacerts\/<\/p>\nAll letsencrypt certificates for the Strongswan VPN named ‘ikev2.hakase-labs.io’ have been generated and copied to the ‘\/etc\/strongswan\/ipsec.d’ directory.<\/p>\n
tree \/etc\/strongswan\/ipsec.d\/<\/p>\n
![\"SSL](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-3.png\" "\\"\\"")
<\/a><\/p>\nStep 3 – Configure Strongswan<\/h2>\n
Go to the ‘\/etc\/strongswan’ directory and backup the default ‘ipsec.conf ‘configuration file.<\/p>\n
cd \/etc\/strongswan\/
mv ipsec.conf ipsec.conf.asli<\/p>\nCreate a new one ‘ipsec.conf’ using vim<\/a>\u00a0editor.<\/p>\n
vim ipsec.conf<\/p>\n
And paste the following configuration.<\/p>\n
#global configuration IPsec \n#chron logger \nconfig setup charondebug=\"ike 1, knl 1, cfg 0\" uniqueids=no \n \n#define new ipsec connection \nconn hakase-vpn auto=add compress=no type=tunnel keyexchange=ikev2 ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024! esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1! fragmentation=yes forceencaps=yes dpdaction=clear dpddelay=300s rekey=no left=%any [email\u00a0protected]<\/a> leftcert=fullchain.pem leftsendcert=always leftsubnet=0.0.0.0\/0 right=%any rightid=%any rightauth=eap-mschapv2 rightsourceip=10.15.1.0\/24 rightdns=1.1.1.1,8.8.8.8 rightsendcert=never eap_identity=%identity<\/pre>\n
Save and exit.<\/p>\n
Configuration details:<\/p>\n
- \n
- Create a new IPSec VPN tunnel connection named ‘hakase-vpn’.<\/li>\n
- Specify the IKEv2 and ESP cipher suites for authentication.<\/li>\n
- The ‘left’ server configuration using a domain name ‘ikev2.hakase-labs.io’ and using the letsencrypt certificate ‘fullchain.pem’ located at the ‘\/etc\/strongswan\/ipsec.d\/certs’ directory.<\/li>\n
- The ‘right’ clients\/remote setup with the EAP authentication method ‘eap-mschapv2’, assign the virtual IP address range ‘10.15.1.0\/24’ to all connected clients, and using public DNS Cloudflare and google.<\/li>\n<\/ul>\n
Next, we need to edit the ‘ipsec.secrets’ file to define the RSA server private key and EAP user password credentials.<\/p>\n
Edit the ‘ipsec.secrets’ file.<\/p>\n
vim ipsec.secrets<\/p>\n
Paste the configuration below.<\/p>\n
: RSA \"privkey.pem\" \nhakase : EAP \"[email\u00a0protected]<\/a>\" \ntensai : EAP \"[email\u00a0protected]<\/a>\"<\/pre>\n
Save and exit.<\/p>\n
Configuration details:<\/p>\n
- \n
- Specify the RSA server private key using the letsencrypt certificate ‘privkey.pem’ located at the ‘\/etc\/strongswan\/ipsec.d\/private’ directory.<\/li>\n
- Define the EAP user credentials with format ‘user : EAP “password”‘.<\/li>\n<\/ul>\n
![\"Strongswan](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-4.png\" "\\"\\"")
<\/a><\/p>\nThe strongswan IPSec configuration has been completed. Start the strongswan service and enable\u00a0it to launch everytime at system boot.<\/p>\n
systemctl start strongswan
systemctl enable strongswan<\/p>\nStep 4 – Enable NAT in Firewalld<\/h2>\n
In this step, we will enable the NAT masquerading and add the IPSec protocols Authentication Header (AH) and Encapsulating Security Payload (ESP) on Firewalld using the ‘rich-rule’ configuration.<\/p>\n
Add ‘AH’ and ‘ESP’ for authentication and encryption protocols to the firewalld.<\/p>\n
firewall-cmd –zone=public –permanent –add-rich-rule=’rule protocol value=”esp” accept’
firewall-cmd –zone=public –permanent –add-rich-rule=’rule protocol value=”ah” accept’<\/p>\nAdd the ipsec UDP ports and service.<\/p>\n
firewall-cmd –zone=public –permanent –add-port=500\/udp
firewall-cmd –zone=public –permanent –add-port=4500\/udp
firewall-cmd –zone=public –permanent –add-service=”ipsec”<\/p>\nNow enable the NAT mode masquerade and reload the firewalld configuration rules.<\/p>\n
firewall-cmd –zone=public –permanent –add-masquerade
firewall-cmd –reload<\/p>\n![\"Firewalld](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-5.png\" "\\"\\"")
<\/a><\/p>\nThe NAT mode on firewalld has been enabled, check using the command below.<\/p>\n
firewall-cmd –list-all<\/p>\n
Following is\u00a0the result.<\/p>\n
![\"Firewall](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-6.png\" "\\"\\"")
<\/a><\/p>\nStep 5 – Enable Port-Forwarding<\/h2>\n
To enable port-forwarding, we need to edit the ‘sysctl.conf’ file.<\/p>\n
Edit the ‘\/etc\/sysctl.conf’ file using vim editor.<\/p>\n
vim \/etc\/sysctl.conf<\/p>\n
Paste the following configuration there.<\/p>\n
net.ipv4.ip_forward = 1 \nnet.ipv4.conf.all.accept_redirects = 0 \nnet.ipv4.conf.all.send_redirects = 0 \n<\/pre>\n
Save and exit, now reload using the sysctl command below.<\/p>\n
sysctl -p<\/p>\n
Port-forwarding has been enabled. Now restart the strongswan service.<\/p>\n
systemctl restart strongswan<\/p>\n
![\"Configure](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-7.png\" "\\"\\"")
<\/a><\/p>\nStep 6 – Testing Strongswan IPSec VPN<\/h2>\n
In this case, we will do the test on the MacOS X and android phone.<\/p>\n
On MacOS<\/h3>\n
– Open the ‘System Preferences’ and click the ‘Network’ menu.<\/p>\n
Click the ‘+’ button to create a new VPN connection.<\/p>\n
- \n
- Interface: ‘VPN’<\/li>\n
- VPN Type: ‘IKEv2’<\/li>\n
- Service Name: ‘IKEv2-vpn<\/li>\n<\/ul>\n<\/ul>\n
![\"Configure](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-8.png\" "\\"\\"")
<\/a><\/p>\n– On the ‘Server Address’ and ‘Remote ID’, type the VPN domain name ‘ikev2.hakase-labs.io’.
– Click ‘Authentication Settings’.
– Authentication using a ‘Username’.
– Type the username ‘tensai’ with password ‘[email\u00a0protected]<\/a>‘
– Click ‘OK’ and click ‘Apply’.<\/p>\n![\"MacOS](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-9.png\" "\\"\\"")
<\/a><\/p>\nNew IKEv2 VPN connection has been created on the client. Now click the connect button.<\/p>\n
![\"New](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-10.png\" "\\"\\"")
<\/a><\/p>\nAnd the client has been connected to the strongswan VPN server and has an internal\/private IP address 10.15.1.1.<\/p>\n
On Android<\/h3>\n
– Download and install the native strongswan android application from Google-Play.
– Add new VPN profile
– Type the server domain name ‘ikev2.hakase-labs.io’ and use the IKEv2 EAP Username and Password authentication.<\/p>\nFollowing\u00a0is the result when we connect to the VPN server.<\/p>\n
![\"Configure](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-11.png\" "\\"\\"")
<\/a><\/p>\nThe IKEv2 IPSec-based VPN server has been created using Strongswan and Letsencrypt on CentOS 7 server.<\/p>\n
Reference<\/h2>\n
\nShare this page:<\/b><\/p>\n
\n
![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-12.png\" "\\"\\"")
<\/a>
\n![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-13.png\" "\\"\\"")
<\/a>
\n![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-14.png\" "\\"\\"")
<\/a>
\n![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-setup-ikev2-vpn-using-strongswan-and-lets-encrypt-on-centos-7-15.png\" "\\"\\"")
<\/a>\n<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"Strongswan is an open source multiplatform IPSec implementation. It’s an IPSec-based VPN solution that focuses on strong authentication mechanisms. Strongswan offers support for both IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre shared keys, and secure IKEv2 EAP user authentication. In this tutorial, I will show you\u00a0how to install an …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-6103","post","type-post","status-publish","format-standard","hentry","category-36"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=6103"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6103\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=6103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=6103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=6103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- \n
![\"Install](\"https:\/\/www.howtoforge.com\/images\/how_to_setup_ikev2_vpn_using_strongswan_and_letsencrypt_on_centos_7\/big\/1.png\" "\\"\\"")
<\/a><\/p>\n