How to Setup IKEv2 VPN Server on Ubuntu 20.04 for Free
IKE (Internet Key Exchange) is one of the most common VPN protocols in use today. The first version of IKE was the key-exchange protocol used by IPsec by default; IKEv2 followed in 2005.
With this revision the protocol became more reliable and more resilient to DoS attacks. IKEv2 (Internet Key Exchange version 2) is an IPsec-based protocol, developed jointly by Cisco and Microsoft and standardized by the IETF, and it is supported natively on most platforms. One of its most useful features is the ability to re-establish a connection after an interruption: with the MOBIKE extension, a client that changes networks or briefly loses connectivity can keep its existing security associations and resume work instead of negotiating from scratch.
Installing an IKEv2 server on Ubuntu 20.04 is straightforward, and in this article we walk step by step through configuring and setting up an IKEv2 VPN server on Ubuntu with strongSwan.
For this setup, you'll need:
- Ubuntu 20.04 Server - Get your Ubuntu VPS now, if you don't already have one.
- Server Root Privileges.
Step 1 – Install StrongSwan on Ubuntu 20.04
strongSwan is an open-source IPsec daemon that we will configure as the VPN server. You also need its public key infrastructure (PKI) component, which lets you create a certificate authority (CA) to issue the server's certificate, and the extra charon plugins, because the EAP-MSCHAPv2 plugin used for client authentication in Step 4 is shipped in libcharon-extra-plugins on Ubuntu 20.04. Update the local package cache and install the software:
sudo apt update
sudo apt upgrade
sudo apt install strongswan strongswan-pki libcharon-extra-plugins
Step 2 – Create a Certificate Authority (Setup IKEv2 on Ubuntu 20.04)
After installing strongSwan, the next step is creating the certificates. An IKEv2 server needs a certificate to identify itself to clients. The strongswan-pki package ships the ipsec pki tool, which generates both the certificate authority (CA) and the server certificate.
First create the directories that will hold the PKI material. The layout mirrors the directories under /etc/ipsec.d, where everything will eventually be copied, and the permissions are locked down so that other users on the server cannot read the private keys:
mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki
Next, generate the root key. This is a 4096-bit RSA key used to sign the root CA certificate:
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
Once the key exists, create the self-signed root CA certificate with it (valid for 3650 days):
ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
    --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem
Step 3 – How to Generate a Certificate for VPN Server
With the root certificate in place, create the certificate the VPN server itself will use. Clients verify this certificate against the CA certificate, so the CA certificate (never the CA key) has to be distributed to them. First generate a private key for the VPN server:
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
Next, create the server certificate and sign it with the CA key from the previous step. The public key is extracted from the server key and piped into the issuing command:
Note: Replace server_domain_or_IP in both --dn and --san with the DNS name or IP address that clients will use to reach the server. The Subject Alternative Name (SAN) must match exactly what clients type into their VPN settings, otherwise their certificate check fails. The serverAuth and ikeIntermediate flags are required by Windows and Apple clients.
ipsec pki --pub --in ~/pki/private/server-key.pem --type rsa \
    | ipsec pki --issue --lifetime 1825 \
        --cacert ~/pki/cacerts/ca-cert.pem \
        --cakey ~/pki/private/ca-key.pem \
        --dn "CN=server_domain_or_IP" --san "server_domain_or_IP" \
        --flag serverAuth --flag ikeIntermediate --outform pem \
    > ~/pki/certs/server-cert.pem
You now have all the certificate and key files strongSwan needs. Copy them into /etc/ipsec.d, whose subdirectories match the ones created above:
sudo cp -r ~/pki/* /etc/ipsec.d/
Note that this also copies ca-key.pem into /etc/ipsec.d/private. The server only needs the CA certificate plus its own key and certificate to operate; the CA key is only required to issue further certificates. Keeping it off the VPN host (for example on an offline machine) means that a compromise of the server does not also hand the attacker your CA.
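The following script is an added example, not part of the original article: it wraps Steps 2 and 3 in one run with the checks a practitioner wants before copying anything to /etc/ipsec.d (refusing the literal placeholder as the server identity, restricting key permissions, verifying the issued chain and SAN). It assumes strongswan-pki and openssl are installed, that it runs as the user owning ~/pki, and that the server identity is an IPv4 address or DNS name; the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the article): generate the CA and server certificate
# for the strongSwan IKEv2 server with sanity checks.
# Assumptions: `ipsec pki` (strongswan-pki) and `openssl` are installed;
# the server identity is an IPv4 address or a DNS name.
set -eu

PKI_DIR="${PKI_DIR:-$HOME/pki}"

# Reject empty input, the tutorial's literal placeholder and anything that is
# not a hostname/IPv4 character: the value ends up as the CN and SAN, and every
# client validates the certificate against it.
check_server_id() {
    case "$1" in
        ""|server_domain_or_IP|server_domain_or_ip) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Render the matching leftid= value for ipsec.conf: "@name" for a DNS name
# (the @ stops strongSwan from resolving it), a bare address for an IPv4.
leftid_for() {
    case "$1" in
        *[!0-9.]*) printf '@%s\n' "$1" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

generate_pki() {
    server_id="$1"
    check_server_id "$server_id" || { echo "usage: $0 <vpn-dns-name-or-ipv4>" >&2; return 1; }

    mkdir -p "$PKI_DIR/cacerts" "$PKI_DIR/certs" "$PKI_DIR/private"
    chmod 700 "$PKI_DIR" "$PKI_DIR/private"

    # Step 2: CA key and self-signed CA certificate (10 years).
    ipsec pki --gen --type rsa --size 4096 --outform pem > "$PKI_DIR/private/ca-key.pem"
    ipsec pki --self --ca --lifetime 3650 --in "$PKI_DIR/private/ca-key.pem" \
        --type rsa --dn "CN=VPN root CA" --outform pem > "$PKI_DIR/cacerts/ca-cert.pem"

    # Step 3: server key and CA-signed server certificate (5 years) carrying the
    # SAN plus the serverAuth/ikeIntermediate flags Windows and Apple clients need.
    ipsec pki --gen --type rsa --size 4096 --outform pem > "$PKI_DIR/private/server-key.pem"
    ipsec pki --pub --in "$PKI_DIR/private/server-key.pem" --type rsa \
        | ipsec pki --issue --lifetime 1825 \
            --cacert "$PKI_DIR/cacerts/ca-cert.pem" \
            --cakey "$PKI_DIR/private/ca-key.pem" \
            --dn "CN=$server_id" --san "$server_id" \
            --flag serverAuth --flag ikeIntermediate --outform pem \
        > "$PKI_DIR/certs/server-cert.pem"
    chmod 600 "$PKI_DIR"/private/*.pem

    # Verify before copying anything to /etc/ipsec.d: the chain must validate
    # against the CA and the certificate text must carry the identity as a SAN.
    openssl verify -CAfile "$PKI_DIR/cacerts/ca-cert.pem" "$PKI_DIR/certs/server-cert.pem"
    openssl x509 -in "$PKI_DIR/certs/server-cert.pem" -noout -text | grep -q -- "$server_id"
    echo "use in /etc/ipsec.conf: leftid=$(leftid_for "$server_id")"
}

# Only generate when an identity is given on the command line; sourcing the
# file just defines the functions.
if [ -n "${1:-}" ]; then
    generate_pki "$1"
fi
```

Run it as `sh make-vpn-pki.sh vpn.example.com` (or with the server's IPv4 address). Afterwards copy ~/pki/cacerts and ~/pki/certs plus private/server-key.pem to /etc/ipsec.d as in the step above, and keep ca-key.pem where only you can reach it.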
Step 4 – How to Configure StrongSwan
Let’s back up the file for the reference before starting from scratch with the following command:
sudo mv /etc/ipsec.conf{,.original}
Next, you can create and open a new empty configuration file by typing the following command:
sudo nano /etc/ipsec.conf
First, tell strongSwan to log the daemon's status and to allow multiple simultaneous connections using the same identity (uniqueids=no), so that several devices can share one set of credentials without knocking each other off the VPN. Add the following to /etc/ipsec.conf (parameter lines inside a section must be indented):
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
Now create the connection section for the VPN. It tells strongSwan to build an IKEv2 tunnel and to load this connection automatically at startup (auto=add loads it and waits for clients to connect). Add the following lines to the same file:
conn euro-space-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
If a client disconnects unexpectedly, dead peer detection clears the dangling connection. Append the following lines to the same section:
    dpdaction=clear
    dpddelay=300s
    rekey=no
Next, configure the server-side ("left") IPsec parameters:
    left=%any
    leftid=@server_domain_or_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
Replace server_domain_or_IP with the value you used in the certificate. Keep the @ for a DNS name (it makes strongSwan use the name literally instead of resolving it); for a bare IP address give the address as-is. Next, configure the client-side ("right") parameters, including the private address pool handed to clients and the DNS servers they should use:
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,1.0.0.1
    rightsendcert=never
Because clients authenticate with a username and password over EAP-MSCHAPv2, the security of those credentials depends on the client verifying the server certificate first: a client that skips server validation can be lured to a rogue server that captures the MSCHAPv2 exchange and cracks the password offline. Make sure every client is configured with the CA certificate and checks it.
To receive the EAP identity the client sends when connecting, also include the following line:
    eap_identity=%identity
The complete /etc/ipsec.conf file should then look like this (the indentation is required):
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn euro-space-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_domain_or_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,1.0.0.1
    rightsendcert=never
    eap_identity=%identity
No ike= or esp= proposals are set here, so strongSwan's default cipher suites apply; pin them explicitly with those two parameters if you need to control what is offered to clients.
Save configuration file and exit editor.
Step 5 – How to configure VPN authentication
In the previous section we configured the VPN server itself. No credentials exist yet, so we need to add a few entries to the dedicated secrets file, ipsec.secrets.
Open the file with the editor:
sudo nano /etc/ipsec.secrets
Add the following lines to tell strongSwan where to find the server's private key and which user credentials to accept:
: RSA "server-key.pem"
your_username : EAP "your_password"
Replace your_username and your_password with the desired values; add one EAP line per user. The file stores passwords in clear text, so it must stay readable by root only (mode 0600). Save the file and exit. To apply the changes, restart strongSwan (not the whole system):
sudo systemctl restart strongswan
On Ubuntu 20.04 the ipsec.conf-based daemon is managed by the strongswan-starter unit; if systemctl reports that the strongswan unit does not exist, use sudo systemctl restart strongswan-starter instead. Later changes to ipsec.secrets alone can be picked up without a restart with sudo ipsec rereadsecrets.
Step 6 – Configure Firewall and Kernel IP Forwarding
In this section we complete the setup by configuring the firewall to let VPN traffic through. Execute the following commands to enable the firewall, keep SSH reachable and allow the IKE and NAT-T UDP ports:
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw allow 500,4500/udp
To route and masquerade the clients' traffic, open one of the UFW configuration files and add some low-level rules. First find out which network interface the server uses to reach the Internet:
ip route | grep default
The interface name is the word that follows "dev". For example, the following output shows an interface called eth0:
default via 203.0.113.7 dev eth0 proto static
The next step is to open the /etc/ufw/before.rules file in your text editor:
sudo nano /etc/ufw/before.rules
Add the following configuration near the top of the file, before the existing *filter line. Replace each eth0 with the interface name you found with ip route. The *nat section lets the clients' traffic out through the server's address; the *mangle rule clamps the TCP MSS so that packets fit inside the IPsec/UDP encapsulation:
*nat
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
The *filter line and the four chain definitions already exist in the file; do not duplicate them. Directly after those chain definition lines, still inside the *filter section, add the two rules that let forwarded IPsec traffic to and from the client pool through:
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
Once finished with the above changes, save the file and exit.
If you use plain iptables instead of UFW (for example loaded with iptables-restore), the equivalent rules are the following. Merge them into your existing ruleset rather than replacing it, and keep your usual rules that accept established connections and SSH:
*filter
-A INPUT -i eth0 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
The single INPUT rule accepts IKE (500/udp) and NAT-T (4500/udp); with forceencaps=yes all ESP traffic is UDP-encapsulated on port 4500, so no separate rule for IP protocol 50 is needed. Each table must end with COMMIT when the file is loaded with iptables-restore.
To be able to route packets from one interface to another, open UFW's sysctl file and set the following kernel network parameters (forwarding on, ICMP redirects neither accepted nor sent, and kernel path-MTU discovery off, since the MSS clamp above handles fragmentation):
sudo nano /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1
Save the file and exit. To apply the changes, please disable firewall and then re-enable it with the following commands:
Note: After executing the SSH commands, you will be asked to confirm the process. Type Y to re-enable UFW with the new settings.
sudo ufw disable
sudo ufw enable
If you use plain iptables instead of UFW, edit /etc/sysctl.conf instead:
sudo nano /etc/sysctl.conf
and ensure the parameters are set as follows:
net.ipv4.ip_forward = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1
Save, then reload sysctl and restart strongSwan:
sudo sysctl -p
sudo systemctl restart strongswan
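The script below is an added example, not part of the original article. It removes the two manual edits in this step that most often go wrong: it reads the egress interface from the output of ip route, reads the client pool from the rightsourceip= line of ipsec.conf so the firewall rules cannot drift from the VPN configuration, renders the before.rules fragment from those values, and checks that IP forwarding is actually on. It assumes the ipsec.conf layout from Step 4 and the "default via ... dev <iface>" form of ip route output; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): derive the interface and client pool
# used in the firewall rules and render the before.rules fragment.
# Assumptions: ipsec.conf contains "rightsourceip=<cidr>" (Step 4) and
# `ip route` prints "default via <gw> dev <iface> ...".
set -eu

# $1: output of `ip route` (passed as text so it can be tested with canned input).
# Prints the interface name that follows "dev" on the default route line.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# $1: path to ipsec.conf. Prints the first rightsourceip= value.
pool_from_ipsec_conf() {
    sed -n 's/^[[:space:]]*rightsourceip=\([0-9./]*\).*/\1/p' "$1" | head -n 1
}

# $1: file holding the ip_forward flag (defaults to procfs). Returns 0 when forwarding is on.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# $1: egress interface, $2: client pool. Prints the rules for /etc/ufw/before.rules.
render_ufw_rules() {
    iface="$1"
    pool="$2"
    cat <<EOF
*nat
-A POSTROUTING -s $pool -o $iface -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s $pool -o $iface -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s $pool -o $iface -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

# add the two lines below after the chain definitions of the existing *filter section
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s $pool -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d $pool -j ACCEPT
EOF
}

# `sh vpn-fw.sh render` prints the rules for this host; `sh vpn-fw.sh check`
# verifies the kernel flag that must be set before any client traffic can flow.
case "${1:-}" in
    render)
        iface=$(default_iface "$(ip route)")
        pool=$(pool_from_ipsec_conf /etc/ipsec.conf)
        [ -n "$iface" ] && [ -n "$pool" ] || { echo "could not determine interface or pool" >&2; exit 1; }
        render_ufw_rules "$iface" "$pool"
        ;;
    check)
        ip_forward_enabled && echo "ip_forward=1" || { echo "ip_forward is 0: fix /etc/ufw/sysctl.conf and reload ufw" >&2; exit 1; }
        ;;
esac
```

Review the rendered output before pasting it into /etc/ufw/before.rules; the script deliberately does not write to the file itself.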
Step 7 – How to Connect to IKEv2 from Ubuntu Linux
The following steps connect an Ubuntu 20.04 client to the IKEv2 server. Update the package lists and install strongSwan together with the extra charon plugins (which include the EAP-MSCHAPv2 client side):
sudo apt update
sudo apt install strongswan libcharon-extra-plugins
Copy the CA certificate from the server to the client (for example with scp to /tmp/ca-cert.pem), place it in /etc/ipsec.d/cacerts so the client can verify the server's certificate, and then stop and disable strongSwan so the tunnel is not brought up at every boot:
sudo cp /tmp/ca-cert.pem /etc/ipsec.d/cacerts
sudo systemctl disable --now strongswan
Configure your VPN username and password in /etc/ipsec.secrets (keep the file root-only, mode 0600, since the password is stored in clear text):
your_username : EAP "your_password"
Finally, edit /etc/ipsec.conf as follows to define the client connection. rightid must match the leftid value in the server configuration, and leftid must be the same username you put in ipsec.secrets:
config setup

conn euro-space-client
    right=server_domain_or_ip
    # This must match the "leftid" value in your server configuration
    rightid=server_domain_or_ip
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=username
    leftauth=eap-mschapv2
    eap_identity=%identity
    auto=start
Because the connection uses auto=start, starting and stopping the daemon brings the VPN up and down (use the strongswan-starter unit name if the strongswan unit is not found on your release):
sudo systemctl start strongswan
sudo systemctl stop strongswan
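The helper below is an added example, not part of the original article. Rather than restarting the daemon and hoping, it checks that the secrets file is not readable by other users, brings the named connection up, and then confirms from ipsec statusall that both the IKE SA is ESTABLISHED and the ESP child SA is INSTALLED before showing the route strongSwan installed. It assumes the connection name euro-space-client from above, that strongSwan's daemon is running, that ipsec statusall prints an up connection as "<conn>[<n>]: ESTABLISHED ..." and its child SA as "<conn>{<n>}:  INSTALLED, TUNNEL, ...", and that strongSwan installs the VPN route in routing table 220 (its default); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): bring the IKEv2 client tunnel up and
# verify it from `ipsec statusall` output.
# Assumptions: conn name from Step 7; strongSwan daemon running; status line
# formats "<conn>[n]: ESTABLISHED ..." and "<conn>{n}:  INSTALLED, TUNNEL, ...";
# VPN route installed in routing table 220.
set -eu

CONN="${CONN:-euro-space-client}"

# $1: conn name, $2: text of `ipsec statusall`. Returns 0 if an IKE SA for
# that connection is ESTABLISHED.
tunnel_established() {
    printf '%s\n' "$2" | grep -q "^[[:space:]]*$1\[[0-9]*\]: ESTABLISHED"
}

# $1: conn name, $2: text of `ipsec statusall`. Returns 0 if the ESP child SA
# (the part that actually carries traffic) is installed in tunnel mode.
child_installed() {
    printf '%s\n' "$2" | grep -q "^[[:space:]]*$1{[0-9]*}:[[:space:]]*INSTALLED, TUNNEL"
}

# $1: path of the secrets file. Returns 0 only if its mode is exactly 0600:
# the EAP password is stored in clear text there.
secrets_locked_down() {
    [ -n "$(find "$1" -prune -perm 0600)" ]
}

connect() {
    secrets_locked_down /etc/ipsec.secrets || {
        echo "/etc/ipsec.secrets must be mode 0600: sudo chmod 600 /etc/ipsec.secrets" >&2
        return 1
    }
    sudo ipsec up "$CONN"
    status=$(sudo ipsec statusall)
    if tunnel_established "$CONN" "$status" && child_installed "$CONN" "$status"; then
        echo "tunnel $CONN is up; route installed by strongSwan:"
        ip route show table 220
    else
        echo "tunnel $CONN did not come up; check: sudo journalctl -u strongswan-starter" >&2
        return 1
    fi
}

# `sh vpn-client.sh up` / `sh vpn-client.sh down`
case "${1:-}" in
    up)   connect ;;
    down) sudo ipsec down "$CONN" ;;
esac
```

With auto=start in ipsec.conf the connection also comes up on daemon start; ipsec up and ipsec down let you toggle it while the daemon keeps running, and the status checks are what to look at first when a client "connects" but no traffic flows.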
Published on: 28-10-2022