In this tutorial, we want to talk about How to setup IKev2 on centos 8 step by step. So maybe this tutorial is too long but it is worth.
At first, it’s good to introduce StrongSwan software for you and after that let’s set up and lets to How to setup IKev2 on centos 8.
What is StrongSwan
By visiting the source site, you will realize, StrongSwan is an open-source multiplatform IPsec implementation. It’s an IPsec-based VPN solution that focuses on strong authentication mechanisms. StrongSwan offers support for both IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication.
After reading the what is StrongSwan section, now we going to How to setup IKev2 on centos 8 step by step section and finally run a VPN server on CentOS 8.
- Fresh CentOS 8 Server
- Root privileges
How to setup IKev2 on centos 8
Install StrongSwan on CentOS 8
In this first step, we will install the Strongswan IPsec implement software and all packages needed from the EPEL repository. So add EPEL repo with the following command
dnf install epel-release
After the EPEL repository installed successfully, run the following command for installing StronsSwan
dnf install strongswan
Generate SSL Certificate by Let’s Encrypt
Point: for generate a certificate, you need a domain and a subdomain to point this server. So we choose vpn.eldernode.com record on our DNS and you have to choose your record and replace all records we use our domain name.
At first, you need install Let’s encrypt bot with the following command.
wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
After that, make it executable with the following command.
chmod +x /usr/local/bin/certbot-auto
Now certbot tool install and ready to generate SSL for your server.
Point: To generate SSL with let’s encrypt, you need to open HTTP and HTTPS port, for this instruction please following these commands.
firewall-cmd --add-service=http --permanent firewall-cmd --add-service=https --permanent firewall-cmd --reload
Now you can generate new SSL and get a certificate file for your VPN server.
certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email your [email protected] -d vpn.eldernode.com
Point: please change the email to your mail and change vpn.eldernode.com to your domain name.
After the complete command, you’ll see congratulation! and now using your SSL certificate
Next, you need to copy the certificate files ‘fullchain.pem‘, ‘privkey.pem‘, and the ‘chain.pem‘ to the ‘/etc/strongswan/ipsec.d/‘ directory.
cp /etc/letsencrypt/live/vpn.eldernode.com/fullchain.pem /etc/strongswan/ipsec.d/certs/ cp /etc/letsencrypt/live/vpn.eldernode.com/privkey.pem /etc/strongswan/ipsec.d/private/ cp /etc/letsencrypt/live/vpn.eldernode.com/chain.pem /etc/strongswan/ipsec.d/cacerts/
Point: we use our domain name, so certbot creates a directory for SSL with our server name. for you, certbot create and generate SSL on your domain name directory.
Configure StrongSwan as IKev2 VPN serve
Go to /etc/strongswan directory and take a backup from ipsec.conf
cd /etc/strongswan mv ipsec.conf ipsec.conf.original
after that, you create new ipsec.conf with the following command.
you could use any editor on centos 8 like vim or nano for creating and edit files.
copy and paste the following configuration on ipsec.conf.
config setup uniqueids=never # for allow multiple connections per user charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" conn %default fragmentation=yes closeaction=restart rekey=no dpdaction=clear keyexchange=ikev2 compress=yes dpddelay=35s lifetime=3h ikelifetime=12h ike=aes256gcm16-prfsha512-ecp384! esp=aes256gcm16-ecp384! left=%any [email protected]vpn.eldernode.com leftcert=fullchain.pem leftsendcert=always leftsubnet=0.0.0.0/0 right=%any rightid=%any rightauth=eap-mschapv2 rightsourceip=192.168.20.0/24 rightdns=126.96.36.199,188.8.131.52 rightsendcert=never eap_identity=%identity conn ikev2-pubkey auto=add
Point: replace your domain name instead of our domain name on the configuration.
After that, Save and exit from file.
Now, we want to create some users for connecting to the server. So the following command to open ipsec.secret file.
copy and paste the following configuration on the file and save and exit.
for more information: you can add more users like see on the configuration.
: RSA "privkey.pem" alex : EAP "[email protected]" john : EAP "johni#poe"
Enable and start StrongSwan service with the following command
systemctl enable strongswan systemctl start strongswan
Now Strongswan service is activated and run, you can check with the following command
systemctl status strongswan
Enable NAT in Firewalld
In previous articles, we introduce Firewalld and learn how to use it. if you need to learn about Firewalld, you could read the Configure firewalld on centos 8.
In this step, you will enable AH , ESP, and NAT masquerading on Firewalld with rich-rule configuration.
Add the ipsec UDP ports and service
firewall-cmd --zone=public --permanent --add-port=4500/udp firewall-cmd --zone=public --permanent --add-port=500/udp firewall-cmd --zone=public --permanent --add-service="ipsec"
Add AH and ESP for authentication and encryption protocol to the Firewalld
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept' firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
Now enable NAT and reload the Firewalld configuration rules.
firewall-cmd --zone=public --permanent --add-masquerade firewall-cmd --reload
Enable port-forwarding on sysctl
For enabling port forwarding on centos 8, you need to edit sysctl.conf file.
Edit /etc/sysctl.conf file with the following command
After the open file with an editor, copy and paste the following configuration, save, and exit.
net.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0
Now you need to reload sysctl configuration with the command below.
Now port forwarding is enabled and you just need restart Strongswan service.
systemctl restart strongswan
Great. your IKev2 VPN server on Centos 8 is ready and you use on iPhone, Windows, android Strongswan app, iMac and etc…
In this article “How to setup IKev2 on centos 8 step by step “we try to learn you, how to set up IKeV2 VPN service in a simple way.
Now if you have any questions, you comment on the below page or ask your question on the ASK page on Eldernode.