How to Setup IKEv2 VPN Server on Ubuntu 20.04 Tutorial (Step by Step)

How to Setup IKEv2 VPN Server on Ubuntu 20.04. Using a Virtual Private Network (VPN) server allows you to encrypt traffic between your client devices (laptop, cell phone, or tablet) and the VPN server, adding a layer of security and privacy to your online activities. This tutorial outlines the steps for setting up an IKEv2 VPN server using strongSwan on an Ubuntu 20.04 server instance.

What is IKEv2

Internet Key Exchange (IKE) is the protocol IPsec uses to negotiate keys and Security Associations (SAs), and it is the most widely deployed VPN key-exchange protocol today. IKEv2, “Internet Key Exchange version 2”, is its current revision; it was originally developed by Microsoft together with Cisco and is standardised by the IETF (currently RFC 7296). IKEv2 first negotiates the cryptographic algorithms for the tunnel, then authenticates both the client and the server, and finally establishes and maintains the IPsec SAs that protect the traffic between the VPN client and the VPN server.

IKEv2 features

The IKEv2 VPN protocol has become more and more popular over the past years due to its security and fast connection setup.

  • IKEv2 offers stability, support for many client platforms, automatic reconnection, strong encryption, speed and more.
  • Fast connection establishment, with built-in NAT traversal (UDP encapsulation on port 4500).
  • Very stable thanks to MOBIKE (IKEv2 Mobility and Multihoming Protocol, RFC 4555), which lets a client change its IP address without tearing down the tunnel.
  • One of the fastest VPN protocols; faster than L2TP/IPsec (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol), the latter of which is also cryptographically broken and should no longer be used.
  • High security with modern ciphers (AES, including AES-GCM, and Camellia; strongSwan also supports ChaCha20-Poly1305).
  • Offers a strong and stable connection, allowing users to stay on the VPN connection when moving between networks.

strongSwan VPN

strongSwan is an open source IPsec VPN solution for Linux and UNIX-based operating systems that implements the IKEv1 and IKEv2 key exchange protocols. It is one of the most popular VPN packages; first written for Linux, it can now also be installed on Android, FreeBSD, macOS and Windows.

The rest of this post shows how to set up an IKEv2 VPN server using strongSwan on an Ubuntu 20.04 server.

Setup IKEv2 VPN Server on Ubuntu 20.04

Prerequisites

Before installing strongSwan, update the system packages to their latest versions. All commands in this guide are run as root (or prefixed with sudo). Run the following to update all packages:

    apt-get update -y
    apt-get upgrade -y

Once your system is updated, edit the /etc/sysctl.conf file and enable packet forwarding so that the server can route traffic for the VPN clients:

    nano /etc/sysctl.conf

Add the following lines:

    net.ipv4.ip_forward=1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

The first line turns the server into a router for the client traffic. The other two disable ICMP redirects: accept_redirects=0 stops the server's routing table from being modified by redirect messages from the network, and send_redirects=0 stops the server from leaking ICMP redirects to the VPN clients whose traffic it forwards. Save and close the file, then apply the settings (sysctl prints each value it loads, so you can confirm the three lines were accepted):

    sysctl -p

Note that forwarding alone is not enough for the full-tunnel setup used below: the host firewall must also accept UDP ports 500 and 4500 from the Internet and masquerade (NAT) the traffic arriving from the client address pool, which this tutorial does not cover. Once you are finished, you can proceed to the next step.

Install strongSwan VPN

First, install strongSwan and the public key infrastructure (PKI) components on the server. All of these packages are available from the default Ubuntu 20.04 repositories; install them with the following command:

    apt-get install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd-dev

libcharon-extra-plugins provides additional EAP methods, including the eap-mschapv2 plugin used for client authentication below. Once all the packages are installed, you can proceed to create the VPN certificates.

Create a Certificate Authority (CA) and Certificate

You need a certificate that identifies the IKEv2 server to its clients, and a Certificate Authority (CA) certificate that clients use to validate it. The strongswan-pki package provides the pki utility for creating both. Keep in mind that the CA private key created here can sign certificates that every client will trust, so it must be protected at least as carefully as the server key and should ideally be generated and kept on a separate, offline machine.

First, create the directories that will hold the CA, the certificates and the private keys. They are placed under /root, which only root can read:

    mkdir -p /root/pki/{cacerts,certs,private}

Next, generate the private key that will sign the root CA certificate:

    pki --gen --type rsa --size 4096 --outform pem > /root/pki/private/ca-key.pem

Then use that key to create a self-signed root CA certificate (valid for 3650 days, i.e. ten years):

    pki --self --ca --lifetime 3650 --in /root/pki/private/ca-key.pem --type rsa --dn "CN=VPN root CA" --outform pem > /root/pki/cacerts/ca-cert.pem

Now create a certificate and key for the VPN server. Clients verify this certificate against the CA certificate to make sure they are talking to the real server, which is what protects the EAP-MSCHAPv2 credentials exchanged later.

First, create the server's private key:

    pki --gen --type rsa --size 4096 --outform pem > /root/pki/private/server-key.pem

Next, create the server certificate and sign it with the CA you created earlier. The CN and the subject alternative name (--san) must contain the public IP address or DNS name that clients will use to reach the server and will configure as rightid, because clients check the server's identity against the SAN; replace 45.58.41.152 with your own address or hostname. The serverAuth flag is required by Windows clients in particular, and the ikeIntermediate flag is only needed by older macOS and iOS clients. The certificate is valid for 1825 days (five years):

    pki --pub --in /root/pki/private/server-key.pem --type rsa | pki --issue --lifetime 1825 --cacert /root/pki/cacerts/ca-cert.pem --cakey /root/pki/private/ca-key.pem --dn "CN=45.58.41.152" --san 45.58.41.152 --flag serverAuth --flag ikeIntermediate --outform pem > /root/pki/certs/server-cert.pem

Next, copy the files strongSwan needs into the /etc/ipsec.d directory. Copy only the CA certificate, the server certificate and the server private key; the CA private key (ca-key.pem) is not needed to run the VPN and should not be installed on the server, so that a compromise of the server does not let an attacker issue certificates that all clients trust:

    cp /root/pki/cacerts/ca-cert.pem /etc/ipsec.d/cacerts/
    cp /root/pki/certs/server-cert.pem /etc/ipsec.d/certs/
    cp /root/pki/private/server-key.pem /etc/ipsec.d/private/

/etc/ipsec.d/private is readable by root only, which is where the server key must stay. Move the CA key to a safe location off the server; you will need it again only to issue new server certificates. The pki utility's --verify command can be used to confirm that the installed server certificate chains to the CA. At this point, you have all the certificates and keys strongSwan needs to secure communications between the client and the server, and you can proceed to configure the strongSwan VPN server.

Configure strongSwan VPN

The next part of the tutorial is the strongSwan configuration. Before starting, back up the default configuration file and create a new one. To rename the default configuration file, run the following command:

    mv /etc/ipsec.conf /etc/ipsec.conf.bak

Next, create a new configuration file:

    nano /etc/ipsec.conf

We will add the following configuration:

    config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=45.58.41.152
        leftcert=server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

Save and close the file when you are finished.

A brief explanation of the most important options:

  • uniqueids=no – Allow the same user identity to have more than one active connection (for example a laptop and a phone using the same credentials).
  • left=%any – The server accepts incoming connections on any of its interfaces.
  • leftid=45.58.41.152 – The identity the server presents to clients. It must match the SAN in the server certificate and the rightid that clients configure; replace it with your own server's public IP address or hostname.
  • leftcert=server-cert.pem – The server certificate, loaded from /etc/ipsec.d/certs.
  • leftsendcert=always – Always send the server certificate to the client, so the client can validate it against the CA certificate.
  • leftsubnet=0.0.0.0/0 – Offer the entire IPv4 address space behind the server, i.e. a full-tunnel VPN in which clients route all their traffic through the server.
  • rightauth=eap-mschapv2 – The method the client uses to authenticate itself to the server: a username and password carried in EAP-MSCHAPv2 inside the IKE_AUTH exchange, protected by the IKE_SA that the server has already authenticated with its certificate. Its security rests on the client verifying the server certificate first.
  • rightsendcert=never – Do not request a certificate from the client; clients authenticate with EAP only.
  • rightsourceip=10.10.10.0/24 – Assign each client a virtual IP address from the 10.10.10.0/24 pool.
  • rightdns=8.8.8.8,8.8.4.4 – DNS servers pushed to the clients (here Google's public resolvers; use your own if you do not want client DNS queries to leave your network).
  • eap_identity=%identity – Use the identity the client sends in the EAP exchange to look up its credentials in ipsec.secrets.
  • ike= / esp= – The IKE and ESP proposals, in order of preference; the trailing ! makes charon offer only these instead of appending its defaults. The last three IKE proposals and the last two ESP proposals (SHA-1, 3DES, 1024-bit MODP) are weak by current standards and are only kept for compatibility with older clients; remove them if all your clients support the modern suites.
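
The ike= and esp= lines above deliberately keep aes256-sha1-modp1024, aes128-sha1-modp1024, 3des-sha1 and similar proposals so that older clients can still connect, but each of them is weak by current standards. The following Python script is an added example written for this page, not part of strongSwan: it parses the proposal syntax used in ipsec.conf (comma-separated proposals, hyphen-separated algorithms, trailing ! for strict matching), reports the weak proposals in every conn section and produces a hardened replacement line. The configuration embedded in it is constructed from the server configuration above; the set of algorithms it treats as weak is the example's own judgement.

```python
"""Lint the ike=/esp= proposal lines of a strongSwan ipsec.conf.

Added example for this tutorial, not strongSwan code. Proposal syntax
as used by ipsec.conf:
    proposal[,proposal...][!]    proposal = alg-alg-alg  (e.g. aes256-sha256-modp2048)
The trailing '!' is the strict flag: charon then offers only the listed
proposals instead of appending its defaults.
"""
from typing import Dict, List, Optional, Tuple

# Algorithms this example treats as weak (its own judgement, not strongSwan's):
# legacy ciphers, SHA-1/MD5 integrity or PRF, and MODP groups below 2048 bits.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

# Constructed sample: the server configuration used in this tutorial.
SAMPLE_CONF = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    keyexchange=ikev2
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
"""


def parse_proposals(value: str) -> Tuple[List[List[str]], bool]:
    """Split an ike=/esp= value into proposals; return them and the strict flag."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = [p.split("-") for p in value.split(",") if p]
    return proposals, strict


def weak_algorithms(proposal: List[str]) -> List[str]:
    """Return the algorithms of one proposal that are in WEAK_ALGORITHMS."""
    return [alg for alg in proposal if alg.lower() in WEAK_ALGORITHMS]


def harden(value: str) -> Optional[str]:
    """Drop every proposal containing a weak algorithm and return the rest in
    strict form, or None if nothing acceptable would be left."""
    proposals, _ = parse_proposals(value)
    kept = ["-".join(p) for p in proposals if not weak_algorithms(p)]
    return ",".join(kept) + "!" if kept else None


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: 'conn NAME'/'config setup' headers followed by
    key=value lines (indentation and # comments are ignored)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip()] = val.strip()
    return sections


def lint_conf(text: str) -> Dict[str, Dict[str, dict]]:
    """For every section with ike=/esp=, list its weak proposals and a hardened
    replacement line. Sections without proposals are not reported."""
    report: Dict[str, Dict[str, dict]] = {}
    for name, opts in parse_ipsec_conf(text).items():
        for key in ("ike", "esp"):
            if key not in opts:
                continue
            proposals, strict = parse_proposals(opts[key])
            weak = ["-".join(p) for p in proposals if weak_algorithms(p)]
            report.setdefault(name, {})[key] = {
                "strict": strict,
                "weak": weak,
                "hardened": harden(opts[key]),
            }
    return report


if __name__ == "__main__":
    import sys

    # Usage: python3 lint_proposals.py [/etc/ipsec.conf]; without an argument
    # the embedded sample configuration is linted.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for conn, keys in lint_conf(text).items():
        for key, result in keys.items():
            print(f"[{conn}] {key}= (strict={result['strict']})")
            for prop in result["weak"]:
                print(f"    weak proposal: {prop}")
            print(f"    hardened: {key}={result['hardened']}")
```

Run it against /etc/ipsec.conf on the server. For the configuration above it flags the three SHA-1/MODP-1024 IKE proposals and the two SHA-1 ESP proposals and suggests keeping only the ChaCha20-Poly1305 and AES-GCM/AES-SHA2 suites. Removing the weak proposals is a deliberate trade-off: older clients (notably older Windows versions with their default IKEv2 policy) may then fail to connect until their policy is raised to match.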

Next, configure authentication. Edit the ipsec.secrets file to tell charon which private key belongs to the server certificate and to define the users allowed to connect to the VPN server:

    nano /etc/ipsec.secrets

Add the following lines:

    : RSA "server-key.pem"
    vpnusername : EAP "securepassword"

The first line points to the server key in /etc/ipsec.d/private; each further line defines one EAP user. Replace vpnusername and securepassword with your own values: EAP-MSCHAPv2 credentials are only as strong as the password, so use a long random one per user. The passwords are stored in clear text, so keep the file readable by root only (it should already be mode 600).

Save and close the file, then restart the strongSwan service with the following command:

    systemctl restart strongswan-starter

You can check the status of the strongSwan service for configuration errors using the following command:

    systemctl status strongswan-starter

You will get output similar to the following:

    ● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
    Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
    Active: active (running) since Wed 2021-12-01 08:50:14 UTC; 14s ago
    Main PID: 2498 (starter)
    Tasks: 18 (limit: 2353)
    Memory: 4.6M
    CGroup: /system.slice/strongswan-starter.service
    ├─2498 /usr/lib/ipsec/starter --daemon charon --nofork
    └─2511 /usr/lib/ipsec/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 --debug-dmn 2 --debug-mgr 2

    Dec 01 08:50:14 server charon[2511]: 05[CFG] esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
    Dec 01 08:50:14 server charon[2511]: 05[CFG] dpddelay=300
    Dec 01 08:50:14 server charon[2511]: 05[CFG] dpdtimeout=150
    Dec 01 08:50:14 server charon[2511]: 05[CFG] dpdaction=1
    Dec 01 08:50:14 server charon[2511]: 05[CFG] sha256_96=no
    Dec 01 08:50:14 server charon[2511]: 05[CFG] mediation=no
    Dec 01 08:50:14 server charon[2511]: 05[CFG] keyexchange=ikev2
    Dec 01 08:50:14 server charon[2511]: 05[CFG] adding virtual IP address pool 10.10.10.0/24
    Dec 01 08:50:14 server charon[2511]: 05[CFG] loaded certificate "CN=45.58.41.152" from 'server-cert.pem'
    Dec 01 08:50:14 server charon[2511]: 05[CFG] added configuration 'ikev2-vpn'

At this point, the strongSwan VPN server is installed and configured; the last log lines confirm that the virtual IP pool was added, the server certificate was loaded and the ikev2-vpn connection was registered. You can now proceed to install and configure the strongSwan VPN client.

Install and Configure strongSwan VPN Client

In this part we install the strongSwan client package and connect it to the strongSwan VPN server.

First, log in to the client machine and install the strongSwan client package (libcharon-extra-plugins supplies the eap-mschapv2 plugin the client needs):

    apt-get install strongswan libcharon-extra-plugins -y

Once the package is installed, copy the CA certificate from the server to the client so that the client can validate the server certificate. Copy only the CA certificate; the CA private key must never be distributed to clients.

You can copy it with the following command:

    scp root@45.58.41.152:/etc/ipsec.d/cacerts/ca-cert.pem /etc/ipsec.d/cacerts

Next, edit the ipsec.secrets file and enter the username and password you defined on the server:

    nano /etc/ipsec.secrets

Add the following line:

    vpnusername : EAP "securepassword"

Save and close the file, then edit the strongSwan configuration file:

    nano /etc/ipsec.conf

Add the following lines:

    conn ipsec-ikev2-vpn-client
        auto=start
        keyexchange=ikev2
        right=45.58.41.152
        rightid=45.58.41.152
        rightsubnet=0.0.0.0/0
        rightauth=pubkey
        leftsourceip=%config
        leftid=vpnusername
        leftauth=eap-mschapv2
        eap_identity=%identity

Save and close the file when you are finished.

Note: Replace 45.58.41.152 with the IP address of the VPN server and vpnusername with the username that you specified in ipsec.secrets. rightid must be exactly the identity contained in the server certificate's SAN, because rightauth=pubkey makes the client validate the server certificate against the CA certificate you copied; keyexchange=ikev2 ensures the client never falls back to IKEv1, and leftsourceip=%config asks the server for a virtual IP address from its pool.

Finally, restart the strongSwan service to apply the configuration changes. Because the connection is set to auto=start, the client connects to the server immediately:

    systemctl restart strongswan-starter

Next, check the IP address assigned by the VPN server:

    ip a

You should see the virtual IP address (here 10.10.10.1, the first address of the server's pool) assigned to the client on eth0 next to its normal address:

    eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:00:2d:3a:29:85 brd ff:ff:ff:ff:ff:ff
    inet 45.58.41.133/24 brd 45.58.41.255 scope global eth0
    valid_lft forever preferred_lft forever
    inet 10.10.10.1/32 scope global eth0
    valid_lft forever preferred_lft forever
    inet6 fe80::200:2dff:fe3a:2985/64 scope link
    valid_lft forever preferred_lft forever

The status of the client/server connection can be checked with the following command:

    ipsec statusall

The output should show the IKE_SA as ESTABLISHED with IKEv2 SPIs, the negotiated IKE and ESP proposals, ESP encapsulated in UDP, and a CHILD_SA whose traffic selectors are the client's virtual IP on the local side and 0.0.0.0/0 on the remote side. The output below was captured with the EAP identity vpnsecure; with the configuration above it shows vpnusername instead:

    Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-29-generic, x86_64):
    uptime: 5 minutes, since Dec 01 08:51:20 2021
    malloc: sbrk 1757184, mmap 0, used 794944, free 962240
    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
    loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
    Listening IP addresses:
    45.58.41.133
    Connections:
    ipsec-ikev2-vpn-client: %any...45.58.41.152 IKEv1/2
    ipsec-ikev2-vpn-client: local: [vpnsecure] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
    ipsec-ikev2-vpn-client: remote: [45.58.41.152] uses public key authentication
    ipsec-ikev2-vpn-client: child: dynamic === 0.0.0.0/0 TUNNEL
    Security Associations (1 up, 0 connecting):
    ipsec-ikev2-vpn-client[1]: ESTABLISHED 5 minutes ago, 45.58.41.133[vpnsecure]...45.58.41.152[45.58.41.152]
    ipsec-ikev2-vpn-client[1]: IKEv2 SPIs: 519d02ad8fb07704_i* ad369b3b96f6a569_r, EAP reauthentication in 2 hours
    ipsec-ikev2-vpn-client[1]: IKE proposal: CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
    ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3e4613c_i cf022d31_o
    ipsec-ikev2-vpn-client{1}: AES_CBC_256/HMAC_SHA2_256_128, 20052 bytes_i (276 pkts, 0s ago), 28132 bytes_o (223 pkts, 9s ago), rekeying in 37 minutes
    ipsec-ikev2-vpn-client{1}: 10.10.10.1/32 === 0.0.0.0/0

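Reading that status block by eye is fine once; a client that should stay connected deserves a repeatable check. The following Python script is an added example written for this page, not strongSwan code: it parses the Security Associations block of `ipsec statusall` for the connection name used above and reports whether the tunnel is in the state this tutorial expects (IKE_SA established and IKEv2, ESP inside UDP, a full-tunnel CHILD_SA, no legacy algorithm negotiated). The embedded sample input is copied from the statusall output above; the list of algorithm names it treats as legacy and the --live flag are this example's own choices.

```python
"""Health check for a strongSwan client tunnel based on `ipsec statusall`.

Added example for this tutorial, not strongSwan code. It parses the
Security Associations block of `ipsec statusall` for one connection and
checks what a client-side monitor should care about: the IKE_SA is
ESTABLISHED and is IKEv2, ESP runs inside UDP (NAT traversal, which the
server forces with forceencaps=yes), the CHILD_SA covers the full tunnel
(0.0.0.0/0) and no legacy algorithm was negotiated.
"""
import re
import subprocess
from typing import Dict, List, Optional

CONN = "ipsec-ikev2-vpn-client"

# Sample input: the Connections and Security Associations lines of the
# statusall output shown above in this tutorial.
SAMPLE_STATUS = """\
Connections:
ipsec-ikev2-vpn-client: %any...45.58.41.152 IKEv1/2
ipsec-ikev2-vpn-client: child: dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 5 minutes ago, 45.58.41.133[vpnsecure]...45.58.41.152[45.58.41.152]
ipsec-ikev2-vpn-client[1]: IKEv2 SPIs: 519d02ad8fb07704_i* ad369b3b96f6a569_r, EAP reauthentication in 2 hours
ipsec-ikev2-vpn-client[1]: IKE proposal: CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3e4613c_i cf022d31_o
ipsec-ikev2-vpn-client{1}: AES_CBC_256/HMAC_SHA2_256_128, 20052 bytes_i (276 pkts, 0s ago), 28132 bytes_o (223 pkts, 9s ago), rekeying in 37 minutes
ipsec-ikev2-vpn-client{1}: 10.10.10.1/32 === 0.0.0.0/0
"""

# Negotiated algorithm names (charon's spelling) this example refuses to accept.
LEGACY = ("3DES", "DES_CBC", "HMAC_SHA1", "HMAC_MD5", "MODP_1024", "MODP_768")


def parse_statusall(text: str, conn: str) -> Dict[str, Optional[object]]:
    """Extract IKE_SA and CHILD_SA facts for one conn from statusall output."""
    ike = re.escape(conn) + r"\[\d+\]: "     # IKE_SA lines are 'conn[n]: ...'
    child = re.escape(conn) + r"\{\d+\}: "   # CHILD_SA lines are 'conn{n}: ...'
    info: Dict[str, Optional[object]] = {
        "established": False, "ikev2": False, "ike_proposal": None,
        "esp_in_udp": False, "esp_algs": None, "local_ts": None, "remote_ts": None,
    }
    for line in text.splitlines():
        line = line.strip()
        if re.match(ike + "ESTABLISHED", line):
            info["established"] = True
        elif re.match(ike + "IKEv2 SPIs", line):
            info["ikev2"] = True
        elif m := re.match(ike + r"IKE proposal: (\S+)", line):
            info["ike_proposal"] = m.group(1)
        elif re.match(child + "INSTALLED", line):
            info["esp_in_udp"] = "ESP in UDP" in line
        elif m := re.match(child + r"([A-Z0-9_/]+), \d+ bytes_i", line):
            info["esp_algs"] = m.group(1)
        elif m := re.match(child + r"(\S+) === (\S+)$", line):
            info["local_ts"], info["remote_ts"] = m.group(1), m.group(2)
    return info


def check_tunnel(info: Dict[str, Optional[object]]) -> List[str]:
    """Return the list of problems found; an empty list means the tunnel is healthy."""
    problems: List[str] = []
    if not info["established"]:
        problems.append("IKE_SA not ESTABLISHED")
    elif not info["ikev2"]:
        problems.append("IKE_SA is not IKEv2")
    if info["esp_algs"] is None:
        problems.append("no CHILD_SA installed")
    else:
        if not info["esp_in_udp"]:
            problems.append("ESP is not UDP-encapsulated although the server sets forceencaps=yes")
        if info["remote_ts"] != "0.0.0.0/0":
            problems.append(f"remote traffic selector is {info['remote_ts']}, not a full tunnel")
    for algs in (info["ike_proposal"], info["esp_algs"]):
        for legacy in LEGACY:
            if algs and legacy in str(algs):
                problems.append(f"legacy algorithm negotiated: {legacy} in {algs}")
    return problems


def current_status() -> str:
    """Run `ipsec statusall` on this host (needs strongSwan and root)."""
    return subprocess.run(["ipsec", "statusall"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys

    # Usage: python3 check_tunnel.py --live   (without --live the sample is checked)
    text = current_status() if "--live" in sys.argv else SAMPLE_STATUS
    issues = check_tunnel(parse_statusall(text, CONN))
    print("OK: tunnel healthy" if not issues else "\n".join("PROBLEM: " + p for p in issues))
    sys.exit(1 if issues else 0)
```

Run it with --live as root on the client, for example from cron, and alert on a non-zero exit status. For the captured output above it reports a healthy tunnel; if the daemon ever negotiated one of the SHA-1 fallback proposals from the server configuration, the ESP line would read HMAC_SHA1_96 and the check would fail, which is exactly the kind of silent downgrade that is otherwise easy to miss.
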
How to Setup IKEv2 VPN Server on Ubuntu 20.04 Conclusion

IKEv2, like any other VPN key-exchange protocol, is responsible for creating a secure tunnel between the user and the VPN server. The IKE_SA_INIT exchange first negotiates the cryptographic algorithms and performs the Diffie-Hellman key exchange; the IKE_AUTH exchange then authenticates the peers (here the server with its certificate and the client with EAP-MSCHAPv2) and sets up the first CHILD_SA that carries the user's traffic.

Congratulations! You have successfully set up an IKEv2 VPN server using strongSwan. Traffic between your remote devices and the server is now encrypted and authenticated, and the sites you visit see the server's address rather than your device's. Remember that the server itself, and whoever administers it, can still see the traffic it forwards.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
