How to setup IKev2 on centos 8 complete

In this tutorial we walk through how to set up an IKEv2 VPN on CentOS 8 step by step. It is a long tutorial, but it is worth following to the end.

First, a short introduction to the StrongSwan software; after that we go through the actual setup of IKEv2 on CentOS 8.

 

What is StrongSwan

As its project site explains, StrongSwan is an open-source, multi-platform IPsec implementation: an IPsec-based VPN solution that focuses on strong authentication mechanisms. StrongSwan supports both the IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication (the mode this tutorial uses).

With that introduction done, the following sections set up StrongSwan step by step and finish with a running IKEv2 VPN server on CentOS 8.

 

Requirements:
  • Fresh CentOS 8 server
  • Root privileges
  • A domain or subdomain whose DNS A record points at the server (needed for the Let’s Encrypt certificate)

 

How to setup IKev2 on centos 8

 

Install StrongSwan on CentOS 8

In this first step we install the StrongSwan IPsec implementation and the packages it needs from the EPEL repository. Add the EPEL repository with the following command:

dnf install epel-release

Once the EPEL repository is installed, install StrongSwan:

dnf install strongswan

 

Generate an SSL certificate with Let’s Encrypt

Point: to obtain a certificate you need a domain or subdomain whose DNS record points at this server. We use the record vpn.eldernode.com in our DNS; replace it with your own record everywhere it appears below.

First, download the Let’s Encrypt client, certbot-auto, with the following command.

wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto

After that, make it executable with the following command.

chmod +x /usr/local/bin/certbot-auto

The certbot tool is now installed and ready to issue a certificate for your server.

Point: certbot-auto has since been deprecated by the EFF and is no longer maintained. On CentOS 8 the supported replacement is the certbot package from EPEL (installed with dnf once EPEL is enabled); it accepts the same certonly options used below.

Point: the standalone mode used below answers the Let’s Encrypt HTTP challenge itself, so port 80 must be reachable from the internet and nothing else may be listening on it; open HTTP and HTTPS in the firewall with these commands.

firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

Remember not to stop or disable Firewalld, because we need it later for the VPN rules.

Now request the certificate for your VPN server.

certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email your [email protected] -d vpn.eldernode.com

Point: replace the email address with your own and vpn.eldernode.com with your domain name.

When the command completes you will see a “Congratulations!” message, and the certificate files are ready under /etc/letsencrypt/live/vpn.eldernode.com/.

Next, copy the certificate files ‘fullchain.pem‘, ‘privkey.pem‘ and ‘chain.pem‘ into the matching subdirectories of ‘/etc/strongswan/ipsec.d/‘ (server certificate, private key and CA/intermediate certificates respectively):

cp /etc/letsencrypt/live/vpn.eldernode.com/fullchain.pem /etc/strongswan/ipsec.d/certs/
cp /etc/letsencrypt/live/vpn.eldernode.com/privkey.pem /etc/strongswan/ipsec.d/private/
cp /etc/letsencrypt/live/vpn.eldernode.com/chain.pem /etc/strongswan/ipsec.d/cacerts/

Point: certbot names the directory after the domain you requested, so the path under /etc/letsencrypt/live/ will carry your domain name rather than ours. Keep the copied privkey.pem readable by root only (mode 600). Also note that Let’s Encrypt certificates expire after 90 days: after every renewal the three files must be copied again and StrongSwan told to re-read them, otherwise clients start rejecting the server certificate.
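The copy-after-renewal step is easy to forget, so here is a certbot deploy hook that does it automatically. This is an added example and not part of the original article; the install path /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh and the use of RENEWED_LINEAGE (the variable certbot sets for deploy hooks) are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the original article: a certbot deploy hook that
# re-installs renewed Let's Encrypt files into strongSwan's ipsec.d tree and
# asks the running daemon to re-read them. Assumed install path:
# /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh (certbot runs every
# executable in that directory after a successful renewal and sets
# RENEWED_LINEAGE to the renewed /etc/letsencrypt/live/<domain> directory).
set -eu

# install_le_certs <lineage dir> <ipsec.d dir>
# Copies fullchain.pem -> certs/, privkey.pem -> private/, chain.pem -> cacerts/
# (the same layout as the manual cp commands) and returns 1 if a file is missing.
install_le_certs() {
    lineage=$1
    ipsecd=$2
    for f in fullchain.pem privkey.pem chain.pem; do
        if [ ! -f "$lineage/$f" ]; then
            echo "install_le_certs: missing $lineage/$f" >&2
            return 1
        fi
    done
    mkdir -p "$ipsecd/certs" "$ipsecd/private" "$ipsecd/cacerts"
    cp "$lineage/fullchain.pem" "$ipsecd/certs/fullchain.pem"
    cp "$lineage/chain.pem"     "$ipsecd/cacerts/chain.pem"
    cp "$lineage/privkey.pem"   "$ipsecd/private/privkey.pem"
    # Only the private key is secret; the certificates in the chain are public.
    chmod 600 "$ipsecd/private/privkey.pem"
    chmod 644 "$ipsecd/certs/fullchain.pem" "$ipsecd/cacerts/chain.pem"
}

# reload_strongswan: re-read secrets and CA certs, then reload the conn
# definitions (which reloads leftcert) without dropping established tunnels.
# Does nothing where strongswan is not installed or not running, e.g. on a
# machine used only to test this script.
reload_strongswan() {
    if command -v strongswan >/dev/null 2>&1 \
       && command -v systemctl >/dev/null 2>&1 \
       && systemctl is-active --quiet strongswan; then
        strongswan rereadall
        strongswan reload
    fi
}

# Entry point when certbot invokes the hook; harmless when sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_le_certs "$RENEWED_LINEAGE" /etc/strongswan/ipsec.d
    reload_strongswan
fi
```

After placing the script, run certbot-auto renew --dry-run to confirm the hook executes; a plain systemctl restart strongswan also picks up the new files but drops every active tunnel, which is why the hook reloads instead.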

 

Configure StrongSwan as an IKEv2 VPN server

Go to the /etc/strongswan directory and back up the original ipsec.conf:

cd /etc/strongswan
mv ipsec.conf ipsec.conf.original

Then create a new ipsec.conf:

vi ipsec.conf

You can use any editor available on CentOS 8, such as vim or nano, to create and edit files.

Copy and paste the following configuration into ipsec.conf:

config setup
    # allow multiple concurrent connections per user
    uniqueids=never
    # verbose logging; lower these to 1 once the server works
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"


conn %default
    fragmentation=yes
    closeaction=restart
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    compress=yes
    dpddelay=35s
    lifetime=3h
    ikelifetime=12h

    # the trailing ! makes the proposals strict: no other algorithms are accepted
    ike=aes256gcm16-prfsha512-ecp384!
    esp=aes256gcm16-ecp384!

    left=%any
    # server identity; must match a SAN in the Let's Encrypt certificate
    leftid=@vpn.eldernode.com
    # loaded from /etc/strongswan/ipsec.d/certs/
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    # clients authenticate with username/password from ipsec.secrets
    rightauth=eap-mschapv2
    # virtual IP pool handed out to clients
    rightsourceip=192.168.20.0/24
    rightdns=1.1.1.1,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

conn ikev2-pubkey
    auto=add

Point: replace our domain name with yours in leftid; it must match the name in the certificate, or clients will refuse the server. Because the ike= and esp= lines end with !, charon accepts only that exact proposal. A client whose built-in IKEv2 defaults do not include AES-256-GCM with ECP-384 fails the negotiation with NO_PROPOSAL_CHOSEN (the Windows client, for example, only offers it after Set-VpnConnectionIPsecConfiguration is used), so either configure the clients accordingly or add a second, comma-separated fallback proposal.

Save the file and exit.

Now create some users that can connect to the server. Open the ipsec.secrets file with the following command:

vi ipsec.secrets

Copy and paste the following into the file, then save and exit. The first line points StrongSwan at the private key in ipsec.d/private/ (use ECDSA instead of RSA if your key is an EC key); each following line is one EAP user in the form user : EAP "password". Add more users the same way, one per line, and keep the file readable by root only, since it holds every password in clear text.

: RSA "privkey.pem"
alex : EAP "[email protected]"
john : EAP "johni#poe"
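Hand-typed passwords like the ones above tend to be short and reused, so here is a small set of shell helpers for adding EAP users with generated passwords and for checking the secrets file. This is an added example, not part of the original article; the SECRETS variable and the minimum length of 12 characters are assumptions of the example, and the file path defaults to the CentOS 8 location used on this page.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers for managing the
# EAP users in ipsec.secrets with generated passwords instead of hand-typed
# ones. SECRETS is an assumed variable; it defaults to the CentOS 8 path.
set -eu

SECRETS=${SECRETS:-/etc/strongswan/ipsec.secrets}

# gen_password: 18 random bytes from /dev/urandom as 24 base64 characters,
# which never include the quote character that delimits EAP passwords.
gen_password() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# valid_username <name>: only letters, digits, dot, underscore and hyphen,
# so a name can never break the 'name : EAP "password"' line syntax.
valid_username() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# add_eap_user <name> [file]: append one EAP entry with a fresh password and
# print that password once (stdout) so it can be handed to the user.
# Refuses invalid names and duplicate users.
add_eap_user() {
    name=$1
    file=${2:-$SECRETS}
    if ! valid_username "$name"; then
        echo "add_eap_user: invalid username '$name'" >&2
        return 1
    fi
    if [ -f "$file" ] && grep -q "^$name : EAP " "$file"; then
        echo "add_eap_user: user '$name' already exists" >&2
        return 1
    fi
    pw=$(gen_password)
    # Create the file closed to other users before any password lands in it.
    [ -f "$file" ] || ( umask 077 && : > "$file" )
    chmod 600 "$file"
    printf '%s : EAP "%s"\n' "$name" "$pw" >> "$file"
    echo "$pw"
}

# lint_secrets [file]: return 1 if the file is readable by group/others or if
# any EAP line carries a password shorter than 12 characters (assumed minimum).
lint_secrets() {
    file=${1:-$SECRETS}
    q='"'
    rc=0
    case $(ls -l "$file" | cut -c1-10) in
        ????------) ;;
        *) echo "lint_secrets: $file must be mode 600" >&2; rc=1 ;;
    esac
    while IFS= read -r line; do
        case $line in
            *" : EAP $q"*)
                pw=${line#*" : EAP $q"}
                pw=${pw%$q}
                if [ ${#pw} -lt 12 ]; then
                    echo "lint_secrets: weak password for user ${line%% *}" >&2
                    rc=1
                fi ;;
        esac
    done < "$file"
    return $rc
}
```

After adding users with add_eap_user, run strongswan rereadsecrets so the running daemon picks them up; no restart is needed. Run lint_secrets before that: the sample entry for john above, with a nine-character password, is exactly what it flags.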

Enable and start the StrongSwan service with the following commands:

systemctl enable strongswan
systemctl start strongswan

StrongSwan is now enabled and running; you can verify it with the following command:

systemctl status strongswan

 

Enable NAT in Firewalld

In an earlier article we introduced Firewalld and how to use it; if you need a refresher, read Configure firewalld on centos 8.

In this step you allow IKE (UDP 500 and 4500), the ESP and AH protocols, and NAT masquerading in Firewalld, partly with rich rules. Note that Firewalld’s predefined ipsec service already covers UDP 500, UDP 4500, ESP and AH, so the explicit port and rich-rule lines below are redundant but harmless.

 

Add the IPsec UDP ports and the ipsec service:
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"

 

Allow the AH and ESP protocols (IPsec authentication and encryption) in Firewalld:
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'

 

Now enable NAT masquerading and reload the Firewalld rules:
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload

 

Enable IP forwarding with sysctl

VPN client traffic is routed through the server, so the kernel must forward packets between the tunnel and the public interface. On CentOS 8 you enable IP forwarding by editing the sysctl.conf file.

Open /etc/sysctl.conf in your editor:

vi /etc/sysctl.conf

Once the file is open, add the following lines (forwarding on, ICMP redirects off), then save and exit.

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Apply the new sysctl settings with the command below.

sysctl -p

IP forwarding is now enabled; finally, restart the StrongSwan service.

systemctl restart strongswan

 

Great, your IKEv2 VPN server on CentOS 8 is ready. You can connect from iPhone and Mac (built-in IKEv2 client), Windows, Android (strongSwan app) and any other client that supports IKEv2 with EAP-MSCHAPv2, using the domain name, a username and a password from ipsec.secrets.

 

Conclusion

In this article, “How to setup IKev2 on centos 8 step by step”, we showed how to set up an IKEv2 VPN service in a simple way.

If you have any questions, leave a comment below or ask on the ASK page on Eldernode.

 
