How to Setup IKEv2 VPN Server on Ubuntu 20.04

Using a Virtual Private Network (VPN) server allows you to encrypt traffic between your client devices (laptop, cell phone, or tablet) and the VPN server. It adds another layer of security and privacy to your online activities. This tutorial outlines the steps for setting up an IKEv2 VPN server using strongSwan on an Ubuntu 20.04 server instance.
What is IKEv2
The most commonly used key exchange protocol today is Internet Key Exchange (IKE). IKEv2, "Internet Key Exchange version 2", is a VPN encryption protocol developed by Microsoft together with Cisco. It secures traffic by establishing and managing the Security Association (SA) attributes within IPsec. It creates a secure tunnel between the VPN client and the VPN server by authenticating both the client and the server and negotiating which encryption method will be used.
IKEv2 features
The IKEv2 VPN protocol has become more and more popular in recent years due to its security and fast VPN connections.
IKEv2 has many features, such as stability, support for multiple devices, auto-reconnect, strong encryption and speed:
Fast connection establishment with NAT traversal.
Very stable thanks to MOBIKE (the IKEv2 Mobility and Multihoming Protocol).
One of the fastest VPN protocols. It is faster than L2TP (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol).
High security with high-end ciphers (AES and Camellia).
Offers a strong and stable connection, allowing users to stay connected to the VPN when moving between networks.
strongSwan VPN
strongSwan is an open source IPsec VPN solution for Linux and UNIX-based operating systems that implements the IKEv1 and IKEv2 key exchange protocols. It is one of the most popular VPN packages; it was first designed for Linux, but it can now be installed on Android, FreeBSD, Mac OS X and Windows operating systems.
In the rest of this post we show you how to set up an IKEv2 VPN server using strongSwan on an Ubuntu 20.04 server.
Before installing strongSwan, update the system packages to their latest versions. Run the following commands to update all the packages:
apt-get update -y
apt-get upgrade -y
Once your system is updated, edit the /etc/sysctl.conf file and enable packet forwarding:
Next, install strongSwan and the public key infrastructure (PKI) components on your server. All of the packages are included in the default Ubuntu 20.04 repository. You can install them by running the following command:
Create a Certificate Authority (CA) and Certificate
You will need to create a certificate for the IKEv2 server so that it can identify itself to clients. The strongswan-pki package provides a PKI utility that helps you create a CA and certificates.
First, create the required directories to hold the CA and certificates:
mkdir -p /root/pki/{cacerts,certs,private}
The next step is to generate a root key, which is used to sign the root certificate authority (CA) certificate, with the following command:
In this step we create a certificate and key for the VPN server. Clients will use this certificate, together with the CA certificate, to verify the server's authenticity.
First, create a private key using the following command:
The next step is to copy all the certificates to the /etc/ipsec.d directory:
cp -r /root/pki/* /etc/ipsec.d/
At this point, you have the CA and all the certificates that strongSwan requires to secure communications between the client and the server. You can now proceed to configure the strongSwan VPN server.
The next part of the tutorial covers the strongSwan configuration. Before starting, it is recommended to keep the default configuration file as a backup under another name and create a new configuration file. To rename the default strongSwan configuration file, run the following command:
mv /etc/ipsec.conf /etc/ipsec.conf.bak
Next, create a new configuration file using the following command:
Save and close the file when you are finished.
A brief explanation of each option is shown below:
left=%any – %any means the server will accept incoming connections on any network interface.
leftid=45.58.41.152 – Specifies the IP address of the VPN server.
leftcert=server-cert.pem – Specifies the file name of the server's public certificate.
leftsendcert=always – always means that remote clients always receive a copy of the server's public certificate.
leftsubnet=0.0.0.0/0 – Specifies the entire IPv4 address range, so all client traffic is routed through the VPN.
rightauth=eap-mschapv2 – Defines the authentication method used on the client side of the connection (EAP-MSCHAPv2, i.e. username and password).
rightsourceip=10.10.10.0/24 – Tells the server to assign clients private IP addresses from the 10.10.10.0/24 network.
rightdns=8.8.8.8,8.8.4.4 – Specifies Google's DNS server addresses, which are pushed to the clients.
Next, configure authentication for the strongSwan VPN. To do so, edit the ipsec.secrets file, define the name of the server's private key file, and define the user that is allowed to connect to the VPN server.
Save and close the file and then restart the strongSwan service with the following command:
systemctl restart strongswan-starter
You can check the status of the strongSwan VPN service for any configuration errors using the following command:
systemctl status strongswan-starter
You will get the following output:
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-12-01 08:50:14 UTC; 14s ago
Main PID: 2498 (starter)
Tasks: 18 (limit: 2353)
Memory: 4.6M
CGroup: /system.slice/strongswan-starter.service
├─2498 /usr/lib/ipsec/starter --daemon charon --nofork
└─2511 /usr/lib/ipsec/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 --debug-dmn 2 --debug-mgr 2
Dec 01 08:50:14 server charon[2511]: 05[CFG] esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
Dec 01 08:50:14 server charon[2511]: 05[CFG] dpddelay=300
Dec 01 08:50:14 server charon[2511]: 05[CFG] dpdtimeout=150
Dec 01 08:50:14 server charon[2511]: 05[CFG] dpdaction=1
Dec 01 08:50:14 server charon[2511]: 05[CFG] sha256_96=no
Dec 01 08:50:14 server charon[2511]: 05[CFG] mediation=no
Dec 01 08:50:14 server charon[2511]: 05[CFG] keyexchange=ikev2
Dec 01 08:50:14 server charon[2511]: 05[CFG] adding virtual IP address pool 10.10.10.0/24
Dec 01 08:50:14 server charon[2511]: 05[CFG] loaded certificate "CN=45.58.41.152" from 'server-cert.pem'
Dec 01 08:50:14 server charon[2511]: 05[CFG] added configuration 'ikev2-vpn'
At this point, the strongSwan VPN server is installed and configured. You can now proceed to install and configure the strongSwan VPN client.
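The "esp=" line that charon logs in the status output above lists the ESP proposals the server is willing to negotiate, and the trailing "!" makes that list strict (no fallback to the built-in defaults). The following audit script is an added example, not part of this tutorial or of strongSwan: it parses that log line (copied here as a constructed sample) and flags proposals built on legacy algorithms such as 3DES or SHA-1; the deny-list of legacy tokens is my own assumption, not a strongSwan setting.

```python
"""Audit a strongSwan proposal line for legacy algorithms (added example)."""
import re

# Constructed sample: the esp= CFG line from the systemctl status output above.
CHARON_LOG_LINE = (
    "Dec 01 08:50:14 server charon[2511]: 05[CFG] "
    "esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!"
)

# Assumed deny-list of algorithm tokens a hardened deployment should not negotiate;
# this is my own choice for the example, not a strongSwan default.
LEGACY_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "blowfish", "cast128"}


def parse_proposal_line(log_line):
    """Return (setting, [proposals], strict) for an esp=/ike=/ah= CFG log line.

    strongSwan proposals are comma-separated algorithm chains; a trailing '!'
    means only the listed proposals are acceptable (no built-in fallbacks).
    """
    match = re.search(r"\b(esp|ike|ah)=(\S+)", log_line)
    if not match:
        raise ValueError("no proposal setting found in line")
    setting, value = match.group(1), match.group(2)
    strict = value.endswith("!")
    proposals = [p for p in value.rstrip("!").split(",") if p]
    return setting, proposals, strict


def legacy_proposals(proposals):
    """Return the proposals whose hyphen-separated tokens include a legacy algorithm."""
    return [p for p in proposals if set(p.split("-")) & LEGACY_TOKENS]


def audit(log_line):
    """Summarise one proposal line as a dict: setting, count, strict flag, legacy entries."""
    setting, proposals, strict = parse_proposal_line(log_line)
    return {
        "setting": setting,
        "count": len(proposals),
        "strict": strict,
        "legacy": legacy_proposals(proposals),
    }


if __name__ == "__main__":
    report = audit(CHARON_LOG_LINE)
    for proposal in report["legacy"]:
        print(f"{report['setting']}: legacy proposal {proposal}")
    print(f"{report['count']} proposals, strict={report['strict']}")
```

Running it against the sample line flags aes256-sha1 and 3des-sha1; the same function works on an "ike=" line from the same log to check the IKE proposals.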
How to Setup IKEv2 VPN Server on Ubuntu 20.04 Conclusion
IKEv2, like any other VPN protocol, is responsible for creating a secure tunnel between the user and the VPN server. First, authentication takes place between the user and the server; then the encryption method is negotiated.
Congratulations! You have successfully set up an IKEv2 VPN server using strongSwan. You can now access your server securely from remote devices and hide your identity.
I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.