How to Setup IKEv2 VPN Using Strongswan and Let's Encrypt on CentOS 8


Strongswan is an open-source, multiplatform IPsec implementation. It is an IPsec-based VPN solution that focuses on strong authentication mechanisms. Strongswan supports both the IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication.

In this tutorial, I will show you how to set up an IPsec VPN server using Strongswan. We will create an IKEv2 VPN server with 'EAP-MSCHAPv2' authentication, using Let's Encrypt certificates, on a CentOS 8 server.

Prerequisites

  • CentOS 8 server
  • Root privileges

What will we do?

  • Install Strongswan on CentOS 8
  • Generate a Let's Encrypt SSL certificate
  • Configure Strongswan
  • Enable NAT in Firewalld
  • Enable port forwarding
  • Testing

Step 1 - Install Strongswan on CentOS 8

In this first step, we will install the strongswan IPsec implementation and all required packages from the EPEL repository.

Before installing the strongswan package, you must add the EPEL repository to the CentOS 8 system.

Add the EPEL repository on the CentOS 8 server.

sudo dnf install epel-release

After that, install the strongswan package from the EPEL repository using the dnf command below.

sudo dnf install strongswan

Wait for the strongswan package to be installed.

Install Strongswan

Step 2 - Generate an SSL Certificate with Let's Encrypt

For this guide, we will create the IKEv2 VPN server using a domain name '' and use certificates generated by Let's Encrypt.

In this step, we will install the Let's Encrypt tool 'certbot' manually and generate certificates for the server domain name ''.

Download the certbot binary file from GitHub using the wget command below.

wget -O /usr/local/bin/certbot-auto

After that, make it executable by changing the file permissions.

chmod +x /usr/local/bin/certbot-auto

The certbot tool for generating Let's Encrypt certificates has now been installed.

Create SSL Certificate with Let's encrypt

Before generating the Let's Encrypt certificate, we need to open the HTTP and HTTPS ports on the server using firewall-cmd.

Add the HTTP and HTTPS services to the firewalld service list by running the firewall-cmd commands below.

firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

Now we can generate new SSL certificate files using the Let's Encrypt tool certbot-auto.

Configure the Firewall

Change the email address and the domain name (shown as <domain> below) to your own and run the 'certbot-auto' command below.

certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email [email protected] -d <domain>

Once it is complete, you will get a result like the one below.

Get SSL Certificate with Certbot

All certificates for your domain name are generated in the '/etc/letsencrypt/live/<domain>/' directory.

Next, we need to copy the certificate files 'fullchain.pem', 'privkey.pem', and 'chain.pem' into the '/etc/strongswan/ipsec.d/' directory (replace <domain> with your domain name).

cp /etc/letsencrypt/live/<domain>/fullchain.pem /etc/strongswan/ipsec.d/certs/
cp /etc/letsencrypt/live/<domain>/privkey.pem /etc/strongswan/ipsec.d/private/
cp /etc/letsencrypt/live/<domain>/chain.pem /etc/strongswan/ipsec.d/cacerts/

All Let's Encrypt certificates for the Strongswan VPN named '' have been generated and copied to the '/etc/strongswan/ipsec.d' directory.

tree /etc/strongswan/ipsec.d/

Certificates for Strongswan
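Let's Encrypt certificates expire after 90 days, and the copies in ipsec.d do not follow certbot's renewals. The deploy hook below is an added example, not part of the original article: it repeats the same file mapping as the cp commands above whenever certbot renews the certificate, verifies that the copied certificate and key belong together, and restarts strongswan. It assumes certbot's RENEWED_LINEAGE environment variable and the hook path /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh.

```shell
#!/bin/sh
# Added example (not from the original article): certbot deploy hook for strongswan.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh (chmod +x).
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) when it runs deploy hooks.
set -eu

# Copy fullchain.pem, chain.pem and privkey.pem from a Let's Encrypt lineage directory ($1)
# into the strongswan ipsec.d directory ($2), keeping the private key readable by root only.
install_strongswan_certs() {
    lineage="$1"
    ipsecd="$2"
    install -d -m 0755 "$ipsecd/certs" "$ipsecd/cacerts"
    install -d -m 0700 "$ipsecd/private"
    install -m 0644 "$lineage/fullchain.pem" "$ipsecd/certs/fullchain.pem"
    install -m 0644 "$lineage/chain.pem"     "$ipsecd/cacerts/chain.pem"
    install -m 0600 "$lineage/privkey.pem"   "$ipsecd/private/privkey.pem"
}

# Succeed only if the leaf certificate in $1 and the private key in $2 carry the same
# public key, so a stale or mismatched privkey.pem is caught before strongswan restarts.
certkey_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run the renewal steps only when certbot invoked us; sourcing the file otherwise is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_strongswan_certs "$RENEWED_LINEAGE" /etc/strongswan/ipsec.d
    certkey_match /etc/strongswan/ipsec.d/certs/fullchain.pem \
                  /etc/strongswan/ipsec.d/private/privkey.pem
    systemctl restart strongswan
fi
```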

Step 3 - Configure Strongswan

Go to the '/etc/strongswan' directory and back up the default 'ipsec.conf' configuration file.

cd /etc/strongswan/
mv ipsec.conf ipsec.conf.asli

Create a new 'ipsec.conf' using the vim editor.

vim ipsec.conf

And paste the following configuration, replacing <domain> with your VPN domain name (the server identity that clients will use as the remote ID).

config setup
    uniqueids=never # allow multiple connections per user
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default

    leftid=@<domain>
    leftsendcert=always

    rightsendcert=never

conn ikev2-pubkey

Save and exit.

Next, we need to edit the 'ipsec.secrets' file to define the RSA server private key and the EAP user password credentials.

Edit the 'ipsec.secrets' file.

vim ipsec.secrets

Paste the configuration below.

: RSA "privkey.pem"
hakase : EAP "[email protected]"
tensai : EAP "[email protected]"

Save and exit.

The strongswan IPsec configuration is now complete. Add the strongswan service to start at boot time and then start the service.

systemctl enable strongswan
systemctl start strongswan

Enable Strongswan Daemon

The strongswan service is up and running on the CentOS 8 server; check it using the following commands.

systemctl status strongswan
netstat -plntu

And you will be shown a result like the one below.

Strongswan started successfully

Step 4 - Enable NAT in Firewalld

In this step, we will enable NAT masquerading and add the IPsec protocols Authentication Header (AH) and Encapsulating Security Payload (ESP) to Firewalld using the 'rich-rule' configuration.

Add 'AH' and 'ESP', the authentication and encryption protocols, to firewalld.

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'

Add the IPsec UDP ports and service.

firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"

Now enable NAT masquerading and reload the firewalld configuration rules.

firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload

Firewall configuration

NAT mode on firewalld has been enabled; check it using the command below.

firewall-cmd --list-all

Following is the result.

List Firewall ports

Step 5 - Enable Port Forwarding

To enable port forwarding, we need to edit the 'sysctl.conf' file.

Edit the '/etc/sysctl.conf' file using the vim editor.

vim /etc/sysctl.conf

Paste the following configuration there.

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Save and exit, then reload using the sysctl command below.

sysctl -p

Port forwarding has been enabled. Now restart the strongswan service.

systemctl restart strongswan

Enable Port forwarding

Step 6 - Testing the Strongswan IPsec VPN

In this case, we will test on macOS X and on an Android phone.

On macOS

- Open 'System Preferences' and click the 'Network' menu.

Click the '+' button to create a new VPN connection.

    • Interface: 'VPN'
    • VPN Type: 'IKEv2'
    • Service Name: 'IKEv2-vpn'

Configure VPN on MacOS

- In the 'Server Address' and 'Remote ID' fields, type the VPN domain name ''.
- Click 'Authentication Settings'.
- Authenticate using a 'Username'.
- Type the username 'tensai' with the password '[email protected]'.
- Click 'OK' and then click 'Apply'.

MacOS VPN authentication settings

The new IKEv2 VPN connection has been created on the client. Now click the connect button.

New IKEv2 VPN connection has been created

The client has connected to the strongswan VPN server and has been assigned an internal/private IP address.

On Android

- Download and install the native strongswan Android application from Google Play.
- Add a new VPN profile.
- Type the server domain name '' and use IKEv2 EAP username and password authentication.

Following is the result when we connect to the VPN server.

Configure VPN on Android

The IKEv2 IPsec-based VPN server has been created using Strongswan and Let's Encrypt on a CentOS 8 server.