Debian 9: set up an IKEv2 VPN

A tutorial on how to set up an IKEv2 VPN with a Let’s Encrypt SSL certificate

This is a short tutorial to get your own IKEv2 VPN set up, with IPv6 and SSL ready. In this example I will use a Vultr Debian 9 64-bit VPS. Let us get started.

// Step 1 - install Strongswan and certbot
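# Step 1 - strongSwan, the extra charon plugins and certbot.
# On Debian stretch the eap-mschapv2 method used by `rightauth=eap-mschapv2`
# in ipsec.conf ships in libcharon-extra-plugins, not in the base package;
# confirm after the install with `ipsec listplugins`. -y keeps the step
# non-interactive so it can be pasted as a whole.
apt-get install -y strongswan libcharon-extra-plugins certbot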

// Step 2 - generate SSL
# Step 2 - obtain the server certificate with certbot's standalone HTTP-01
# responder. certbot binds TCP/80 itself, so nothing else may listen there and
# the port must be reachable from the internet — at renewal time as well, so
# keep that in mind when writing the INPUT rules further down.
certbot certonly \
  --rsa-key-size 4096 \
  --standalone \
  --agree-tos \
  --no-eff-email \
  --email [email protected] \
  -d vpn.xxx.io

// Step 3 - move the certificate and key into the strongSwan directory
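#######################################
# Step 3 - copy the Let's Encrypt material into strongSwan's directories.
#
# certbot keeps the stable, unversioned names (cert.pem, chain.pem,
# fullchain.pem, privkey.pem) as symlinks under /etc/letsencrypt/live/<name>/;
# the archive/ directory only holds numbered files (cert1.pem, ...), so a copy
# of archive/.../chain.pem fails. <name> is the first -d passed to certbot in
# Step 2, i.e. vpn.xxx.io, not the bare xxx.io.
#
# Arguments: $1 - certbot live dir   (default: /etc/letsencrypt/live/vpn.xxx.io)
#            $2 - strongSwan config dir (default: /etc/ipsec.d)
# Outputs:   error text on stderr when the live dir is missing
# Returns:   0 on success, 1 when the live dir is absent or a copy fails
#
# The copies go stale when certbot renews the certificate; re-run this step
# from `certbot renew --deploy-hook ...` and reload strongSwan afterwards.
#######################################
install_le_certs() {
  local live=${1:-/etc/letsencrypt/live/vpn.xxx.io}
  local ipsec_d=${2:-/etc/ipsec.d}

  if [[ ! -d "$live" ]]; then
    printf 'install_le_certs: no certbot live dir at %s\n' "$live" >&2
    return 1
  fi

  # CA chain -> cacerts, leaf and full chain -> certs (cp follows the symlinks).
  cp -- "$live/chain.pem"     "$ipsec_d/cacerts/chain.pem"   || return 1
  cp -- "$live/fullchain.pem" "$ipsec_d/certs/fullchain.pem" || return 1
  cp -- "$live/cert.pem"      "$ipsec_d/certs/cert.pem"      || return 1
  # The private key must not be readable by anyone but root; install sets the
  # mode on the copy in one step instead of relying on the umask.
  install -m 0600 -- "$live/privkey.pem" "$ipsec_d/private/privkey.pem" || return 1
}

# Defaults match the tutorial; override with LE_LIVE_DIR / IPSEC_DIR if needed.
install_le_certs "${LE_LIVE_DIR:-}" "${IPSEC_DIR:-}"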

// Step 4 - Edit ipsec.conf
# global IPsec configuration
# charon logging: per-subsystem levels (ike, kernel, cfg); 0 = basic, 1 = audit.
# Higher levels are verbose and can log identities and keys, so keep them
# for troubleshooting only.
config setup
    charondebug="ike 1, knl 1, cfg 0"
    # let one identity (user) hold several concurrent SAs, i.e. the same
    # account on more than one device; with the default a new login would
    # replace the existing session of that identity.
    uniqueids=no

# define new ipsec connection
conn hakase-vpn
    # load the conn and wait for clients to initiate
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # IKE proposals. The list is deliberately wide for client compatibility
    # and still contains 1024-bit DH (modp1024), 3DES and SHA-1, which are
    # considered weak today; the trailing '!' makes the list strict. Prune the
    # modp1024 / 3des-sha1 entries once the set of client OSes is known.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # ESP (CHILD_SA) proposals; the modp*/ecp* suffixes enable PFS. Same
    # caveat as for ike= about the 3des-sha1 / modp1024 entries.
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    # IKE fragmentation so the certificate chain survives MTU-limited paths
    fragmentation=yes
    # always UDP-encapsulate ESP (NAT-T on udp/4500) even when no NAT is
    # detected; this is why the firewall below only opens udp/500 and udp/4500
    forceencaps=yes
    # dead peer detection: probe every 300 s, tear down the SAs of a silent client
    dpdaction=clear
    dpddelay=300s
    # the server never initiates rekeying; that is left to the clients
    rekey=no
    # server side: listen on every local address
    left=%any
    # leftid must match a subjectAltName of the certificate from Step 2
    # (vpn.xxx.io), written as @vpn.xxx.io (leading @ = FQDN, no DNS lookup).
    # The value on the next line appears obfuscated in this page — replace it.
    [email protected]
    # file name relative to /etc/ipsec.d/certs (copied in Step 3).
    # NOTE(review): cert.pem is the usual choice here since chain.pem already
    # sits in cacerts; confirm that this strongSwan version loads the leaf
    # certificate from a multi-certificate fullchain.pem.
    leftcert=fullchain.pem
    # always send the certificate (chain) to the client
    leftsendcert=always
    # full tunnel: route all client IPv4 and IPv6 traffic through the VPN
    leftsubnet=0.0.0.0/0,::/0
    # client side: any address, any identity — authentication is done by EAP
    right=%any
    rightid=%any
    # username/password via EAP-MSCHAPv2 (credentials in ipsec.secrets, Step 6);
    # requires the eap-mschapv2 plugin to be loaded — check `ipsec listplugins`
    rightauth=eap-mschapv2
    # virtual address pools handed to clients. Forwarding and NAT for the IPv6
    # pool are not covered by Step 8 or the iptables section, which are IPv4-only.
    rightsourceip=10.10.10.0/24,fd9d:bc11:4021::/64
    # resolvers pushed to clients (IPv4 resolvers only)
    rightdns=1.1.1.1,8.8.8.8
    # clients have no certificate of their own
    rightsendcert=never
    # use the EAP identity (the username) as the client's IKE identity
    eap_identity=%identity

// Step 6 - Edit ipsec.secrets
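# Step 6 - the per-user credentials live in /etc/ipsec.secrets. A bare
# `nano ipsec.secrets` only edits that file when the shell happens to be in
# /etc; otherwise it creates an unrelated file in the current directory.
nano /etc/ipsec.secrets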

# The server's private key; a bare file name is looked up in
# /etc/ipsec.d/private (the copy made in Step 3). No selector before the ':'
# means the key applies to any local identity.
: RSA "privkey.pem"
# One `user : EAP "password"` line per VPN account for rightauth=eap-mschapv2.
# The passwords shown here are obfuscated. They are stored in clear text, so
# keep this file root-owned with mode 0600, and run `ipsec rereadsecrets`
# after every edit so charon picks the change up without a restart.
hakase : EAP "[email protected]"
tensai : EAP "[email protected]"

// Step 7 - Enable and start strongswan
# Step 7 - start charon now and have it come back on boot.
for action in start enable; do
  systemctl "$action" strongswan
done

// Step 8 - Enable IP forwarding
# Step 8 - append the kernel settings below to /etc/sysctl.conf
nano "/etc/sysctl.conf"

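# Kernel settings for a VPN gateway that routes client traffic (Step 8).
# Without forwarding, the pools handed out by rightsourceip= in ipsec.conf
# never reach the internet.
net.ipv4.ip_forward = 1
# The conn also hands out an IPv6 pool (fd9d:bc11:4021::/64), so IPv6
# forwarding is needed as well. Enabling it makes the kernel ignore router
# advertisements on the host; if the VPS gets its IPv6 address/route via RA,
# accept_ra = 2 on the uplink keeps that working (ens3 is the interface used
# in the iptables rules below — adjust to the host's uplink name).
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.ens3.accept_ra = 2
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
# Disable path-MTU discovery on this host; the TCP MSS clamp in the iptables
# mangle table below takes care of tunnel-MTU issues for forwarded client traffic.
net.ipv4.ip_no_pmtu_disc = 1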

// Step 9 - reload sysctl and restart strongswan
# Step 9 - apply the new kernel settings and restart charon so forwarding and
# the address pools are live. -p without an argument reads /etc/sysctl.conf;
# the path is spelled out here to make that explicit (drop-ins under
# /etc/sysctl.d/ are not read by this form; `sysctl --system` would load them).
sysctl -p /etc/sysctl.conf
systemctl restart strongswan

Iptables configuration

IPv4

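*filter
# ... existing INPUT / FORWARD rules ...
# IKE (udp/500) and NAT-T (udp/4500). forceencaps=yes in ipsec.conf means all
# ESP is carried inside udp/4500, so no separate `-p esp` rule is needed.
-A INPUT -p udp -m multiport --dports 500,4500 -m conntrack --ctstate NEW -j ACCEPT
# SSH is TCP: listed under `-p udp` above it never matched, so open it
# explicitly (drop this line if a rule in the elided part already does).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only forward pool traffic that actually arrived through an IPsec SA; without
# the policy match, a plain packet on any interface with a spoofed
# 10.10.10.0/24 source would be forwarded and masqueraded too.
-A FORWARD -m policy --pol ipsec --dir in -s 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT

*nat
# ... existing rules ...
# Pool traffic that is itself IPsec-protected on the way out (typically
# client-to-client) must keep its source address, so it bypasses MASQUERADE.
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -m policy --pol ipsec --dir out -j ACCEPT
# Everything else from the pool is masqueraded behind the address of ens3
# (Vultr's interface name; adjust to the host's uplink).
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE

*mangle
# Clamp the TCP MSS of tunnelled client flows so packets fit once the
# ESP-in-UDP overhead is added (see reference 8 on the MTU problem).
# These tables are IPv4 only; the fd9d:bc11:4021::/64 pool needs ip6tables
# equivalents before IPv6 clients can reach anything.
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360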

Generate .mobileconfig

  1. https://alephnull.uk/lets-encrypt-on-demand-ikev2-vpn-debian-ubuntu-ios-username-password-authentication

References:
1. https://www.howtoforge.com/tutorial/how-to-setup-ikev2-vpn-using-strongswan-and-letsencrypt-on-centos-7/ (*)
2. https://redplus.me/post/set-up-ikev2-vpn-for-ios-and-macos-with-local-dns-cache-and-dnscrypt/ (*)
3. https://www.howtoing.com/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
4. https://gist.github.com/andrewlkho/31341da4f5953b8d977aab368e6280a8
5. https://github.com/trailofbits/algo/tree/master/roles/vpn/templates
6. http://blog.dunkelstern.de/2016/08/07/ikev2-vpn-with-strongswan/
7. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
8. https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/ (FIX MTU problem)

Updated 2018-11-04 
Added missing fullchain.pem