If you’re in need of a client-to-site VPN solution, IKEv2 IPSec is a great choice. It offers several advantages over other VPN protocols like OpenVPN or WireGuard. IKEv2 IPSec is particularly useful for people who are frequently on the move and need a VPN they can connect to without downloading a client or dealing with complex authentication processes. In this tutorial, we will guide you through setting up an IKEv2 IPSec VPN using strongSwan, along with Let’s Encrypt SSL certificates, on a Rocky Linux 9 server. You will also learn how to connect to the VPN from Windows, macOS, Android, and iOS clients.
Prerequisites
Before we begin, make sure you have the following:
- A server running Rocky Linux 9 with upgraded specifications based on the number of users connecting to it.
- A non-root user with sudo privileges.
- A fully qualified domain name (FQDN) like vpn.example.com.
Ensure that your system is updated by running the following command:
$ sudo dnf update
You will also need to install a few packages on your system. Run the following command to install the necessary packages:
$ sudo dnf install wget curl nano unzip yum-utils -y
Step 1 – Configure Networking and Firewall
To begin, we need to configure networking and firewall settings on our Rocky Linux 9 server.
- Enable IP packet forwarding in the kernel options by running the following command:
$ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p
- Add the IPSec service to the Firewalld firewall by running the following command:
$ sudo firewall-cmd --permanent --add-service=ipsec
- Open the HTTP and HTTPS ports by running the following commands:
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
- Allow NAT packet forwarding (IP masquerading) by running the following command:
$ sudo firewall-cmd --permanent --add-masquerade
- Reload the firewall to apply the changes by running the following command:
$ sudo firewall-cmd --reload
Step 2 – Install SSL
Next, we will install Certbot to generate the SSL certificate. Since Rocky Linux 9 does not ship with Snapd, we will first install Snapd and then use it to install Certbot.
- Install the EPEL repository by running the following command:
$ sudo dnf install -y epel-release
- Install Snapd by running the following command:
$ sudo dnf install -y snapd
- Enable and start the Snap service by running the following command:
$ sudo systemctl enable snapd --now
- Install the Snap core package and ensure that Snapd is up to date by running the following command:
$ sudo snap install core && sudo snap refresh core
- Create the necessary links for Snapd to work by running the following command:
$ sudo ln -s /var/lib/snapd/snap /snap
$ echo 'export PATH=$PATH:/var/lib/snapd/snap/bin' | sudo tee -a /etc/profile.d/snapd.sh
- Install Certbot by running the following command:
$ sudo snap install --classic certbot
- Create a symbolic link in the /usr/bin directory so that the certbot command can be run, by running the following command:
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
- Verify the installation by running the following command:
$ certbot --version
If the installation was successful, you should see the Certbot version.
- Finally, generate an SSL certificate by running the following command:
$ sudo certbot --key-type rsa certonly --standalone --agree-tos --no-eff-email --preferred-challenges http -m test@example.com -d vpn.example.com
This command will download the SSL certificate to the /etc/letsencrypt/live/vpn.example.com directory on your server. To ensure that SSL renewal is working fine, you can do a dry run of the process by running the following command:
$ sudo certbot renew --dry-run
If there are no errors, your certificate will automatically renew.
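Certbot renews the certificate on its own, but strongSwan only reads the certificate and key when its credentials are loaded (at service start, or on `swanctl --load-creds`), so a renewed certificate would not be presented to clients until the next restart. The following deploy hook, added here as an example and not part of the original tutorial, closes that gap. It assumes the Step 3 layout (the swanctl x509/ and private/ entries are symlinks into /etc/letsencrypt/live/vpn.example.com); the file name strongswan.sh, the VPN_DOMAIN and SWANCTL variables and the function names are this example's choices. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE set to the renewed certificate's live directory.

```shell
#!/bin/sh
# Certbot deploy hook that reloads strongSwan's credentials after the VPN certificate
# is renewed. Added example, not from the original tutorial; it assumes the Step 3
# layout (swanctl x509/ and private/ symlinked to /etc/letsencrypt/live/vpn.example.com).
# Install as /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh (mode 0755). Certbot
# runs every executable in that directory after a successful renewal, with
# RENEWED_LINEAGE set to the renewed certificate's live directory.

VPN_DOMAIN="${VPN_DOMAIN:-vpn.example.com}"
SWANCTL="${SWANCTL:-swanctl}"   # overridable so the logic can be exercised without strongSwan

# Succeeds (returns 0) when the renewed lineage directory belongs to the VPN certificate.
is_vpn_lineage() {
    case "${1%/}" in
        */live/"$VPN_DOMAIN") return 0 ;;
        *) return 1 ;;
    esac
}

# Reload only for our certificate; renewals of other lineages on the host are a no-op.
# --clear drops the cached certificate and key before re-reading the files, so new
# IKE_SA negotiations present the renewed certificate without restarting the service.
reload_vpn_creds() {
    lineage="${1:-$RENEWED_LINEAGE}"
    if [ -z "$lineage" ]; then
        echo "RENEWED_LINEAGE is not set; run this from certbot or pass the lineage" >&2
        return 2
    fi
    if ! is_vpn_lineage "$lineage"; then
        echo "$lineage is not $VPN_DOMAIN; nothing to do" >&2
        return 0
    fi
    "$SWANCTL" --load-creds --clear --noprompt
}

# Act only when certbot executes this file directly; sourcing it just defines the functions.
case "$0" in
    */strongswan.sh) reload_vpn_creds "$RENEWED_LINEAGE" ;;
esac
```

Note that `certbot renew --dry-run` does not run deploy hooks by default, so test the hook by hand once (`sudo RENEWED_LINEAGE=/etc/letsencrypt/live/vpn.example.com sh /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh`) and confirm with `sudo swanctl --list-certs` that the loaded certificate is the current one.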
Step 3 – Install strongSwan
In this step, we will install strongSwan, an open-source cross-platform IPSec-based VPN solution.
- Install strongSwan by running the following command:
$ sudo dnf install strongswan
- Create symlinks for the SSL certificates in the /etc/strongswan/swanctl directory by running the following commands:
$ sudo ln -s /etc/letsencrypt/live/vpn.example.com/fullchain.pem /etc/strongswan/swanctl/x509
$ sudo ln -s /etc/letsencrypt/live/vpn.example.com/privkey.pem /etc/strongswan/swanctl/private
$ sudo ln -s /etc/letsencrypt/live/vpn.example.com/chain.pem /etc/strongswan/swanctl/x509ca
- Create a strongSwan configuration file and open it for editing by running the following command:
$ sudo nano /etc/strongswan/swanctl/conf.d/my_vpn.conf
- Paste the following code into the file:
connections {
    ikev2-eap-mschapv2 {
        version = 2
        # modp1024 (DH group 2) is weak by current standards; drop it unless a client requires it
        proposals = aes256-sha256-modp4096,aes256-sha256-modp2048,aes256gcm16-sha256-modp1024
        rekey_time = 0s
        pools = pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        send_cert = always
        unique = never
        local {
            id = vpn.example.com
            certs = fullchain.pem
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha256-sha1
            }
        }
    }
}
pools {
    pool-ipv4 {
        addrs = 10.1.1.0/24
        dns = 1.1.1.1, 8.8.8.8
    }
}
secrets {
    # one eap-<name> section per user; use a strong, unique password for each
    eap-User1 {
        id = username1
        secret = "password1"
    }
}
- Save the file by pressing Ctrl + X and entering Y when prompted.
- If you wish to tunnel both IPv4 and IPv6 through the VPN, you need to assign an IPv6 pool, DNS, and local subnet. Replace the values of the local_ts, addrs, and dns variables with the appropriate values.
- Disable the OpenSSL plugin because OpenSSL on Rocky Linux 9 does not allow RSA signatures with SHA-1, causing authentication failures. Run the following command:
$ sudo sed -i "s/load = yes/load = no/" /etc/strongswan/strongswan.d/charon/openssl.conf
- Enable and start the strongSwan service by running the following commands:
$ sudo systemctl enable strongswan
$ sudo systemctl start strongswan
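The secrets section above defines a single user with a hard-coded password. In practice you will add and remove users over time, and editing my_vpn.conf by hand each time invites typos and duplicated section names. The helper below is an added example, not part of the original tutorial or of strongSwan. It relies on the fact that swanctl.conf includes every *.conf file in /etc/strongswan/swanctl/conf.d (the same directory the tutorial's my_vpn.conf lives in) and that strongSwan merges same-named sections from all included files, so each user can live in its own secrets file. The file naming (user-<name>.conf), the SECRETS_DIR variable and the function names are this example's choices.

```shell
#!/bin/sh
# Add an EAP-MSCHAPv2 user to strongSwan without editing my_vpn.conf by hand.
# Added example, not part of the original tutorial. swanctl reads every *.conf in
# /etc/strongswan/swanctl/conf.d and merges same-named sections, so each user gets
# its own file; the path, file naming and helper names are this example's choices.

SECRETS_DIR="${SECRETS_DIR:-/etc/strongswan/swanctl/conf.d}"

# Accept only names that are safe as a config section name and as an EAP identity.
valid_username() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Render the secrets block; the eap-<name> section name must be unique per user,
# otherwise a later file would silently override an earlier one.
render_eap_secret() {
    printf 'secrets {\n    eap-%s {\n        id = %s\n        secret = "%s"\n    }\n}\n' "$1" "$1" "$2"
}

# 128 random bits as 32 lowercase hex characters: no quoting issues inside secret = "...".
random_password() {
    od -An -N 16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create user-<name>.conf readable by root only, load it into the running daemon,
# and print the password once so it can be handed to the user.
add_vpn_user() {
    user="$1"
    password="${2:-$(random_password)}"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    target="$SECRETS_DIR/user-$user.conf"
    if [ -e "$target" ]; then
        echo "user $user already exists ($target)" >&2
        return 1
    fi
    # subshell keeps the restrictive umask local to the file write
    ( umask 077; render_eap_secret "$user" "$password" > "$target" ) || return 1
    # Reload credentials only where strongSwan is installed, so the helper can be
    # exercised on any host; --load-creds re-reads the secrets sections as well.
    if command -v swanctl >/dev/null 2>&1; then
        swanctl --load-creds --noprompt >/dev/null
    fi
    printf '%s\n' "$password"
}

# Act only when run directly (e.g. sudo ./add-vpn-user.sh alice); sourcing just defines the functions.
case "$0" in
    */add-vpn-user.sh) add_vpn_user "$@" ;;
esac
```

To remove a user, delete the corresponding user-<name>.conf and run `sudo swanctl --load-creds --clear --noprompt` so the cached secret is dropped as well; `sudo swanctl --list-conns` and the `secrets` output of `swanctl --load-creds` confirm what the daemon currently holds.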
Step 4 – Connecting via Windows
To connect to the VPN using a Windows client, follow these steps:
- Open the Settings application and select the Network and Internet menu option.
- Select the VPN menu and click the Add a VPN connection button.
- Fill in the necessary details and click the Save button.
- Select the VPN you added and click the Connect button to start the VPN.
Step 5 – Connecting via macOS
To connect to the VPN using a macOS client, follow these steps:
- Open System Preferences and click the Network icon.
- Click the plus (+) sign on the top right to add a new service.
- Select VPN as the Interface and IKEv2 as the VPN Type.
- Enter the necessary details and click the Create button.
- Enter your domain name as the Server Address and Remote ID.
- Leave the Local ID field empty.
- Click the Authentication Settings button to open a new popup.
- Select Username as the Authentication Settings and enter your credentials.
- Click the Ok button to save the settings.
- Click the Apply button at the bottom to save the settings.
- Click the Connect button to connect to the VPN.
Step 6 – Connecting via Android
To connect to the VPN using an Android client, follow these steps:
- Open the Android Settings and go to the Network and Internet menu.
- Click the VPN menu and then click the plus (+) sign to add the VPN profile.
- Enter the necessary details and click the Save button.
- Select the Connection name and click Connect to start using the VPN.
Step 7 – Connecting via iOS
To connect to the VPN using an iOS client, follow these steps:
- Open the iOS settings and click on the General menu.
- Click the VPN menu and select IKEv2 as the VPN Type.
- Enter the necessary details and click Done.
- Tap on the switch to connect to the VPN.
Conclusion
Congratulations! You have successfully set up an IKEv2 IPSec VPN using strongSwan and Let’s Encrypt SSL on a Rocky Linux 9 server. You have also learned how to connect to the VPN from Windows, macOS, Android, and iOS clients. With this secure VPN solution, you can now enjoy a private and encrypted connection for your remote access needs.
If you have any questions or need further assistance, feel free to reach out to us. We are here to help you.
Shape.host is a leading provider of Linux SSD VPS solutions. With our reliable and scalable cloud hosting services, you can enjoy the benefits of a secure and high-performance infrastructure. If you are looking for a hosting solution that combines cutting-edge technology with exceptional customer support, look no further than Shape.host. Visit us at Shape.host to explore our range of services and find the perfect solution for your business.