Debian9 setup Ikev2 VPN

A tutorial about how to setup Ikev2 VPN with Let’s Encrypt SSL

We will have a short tutorial getting you set up your own IKEv2 VPN with IPv6 and SSL ready. In this example, I will use Vultr Debian 9 64bit VPS environment. Let us get started.

Updated June 09 2019

Fixed Google GCP default eth0 with MTU 1460 UDP/TCP fragmentation 👏

Error message from strongswan
// enable more debug information
nano /etc/ipsec.conf

// Change "cfg from 0 to 2"
charondebug="ike 1, knl 1, cfg 2"

// Error message
EAP-Identity request configured, but not supported
Apr 19 19:54:49 tw-vpn2 charon[2000]: 07[IKE] loading EAP_MSCHAPV2 method failed
Apr 19 19:54:49 tw-vpn2 charon[2000]: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

// To fix this 
// Reference: https://ubuntuforums.org/showthread.php?t=2217019

apt install libcharon-extra-plugins libstrongswan-extra-plugins
service strongswan restart

// If you cannot go to Google.com, is MTU overhead
ifconfig eth0 mtu 1500

// Done... shit
// Step 1 - install Strongswan and certbot
apt install strongswan certbot 

// Step 2 - generate SSL
certbot certonly --rsa-key-size 4096 --standalone --agree-tos --no-eff-email --email [email protected] -d walau.io

// Step3 - move cert and key into strongswan dir
cd /etc/letsencrypt/archive/walau.io/

// under your certs dir, copy paste to ipsec

cp chain1.pem /etc/ipsec.d/cacerts/chain.pem
cp fullchain1.pem /etc/ipsec.d/certs/fullchain.pem
cp cert1.pem /etc/ipsec.d/certs/cert.pem
cp privkey1.pem /etc/ipsec.d/private/privkey.pem

// Step 4 - Edit ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 2"
    uniqueids=never # allow multiple connection with per account

#define new ipsec connection
conn hakase-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24,fd9d:bc11:4021::/64
    rightdns=9.9.9.9
    rightsendcert=never
    eap_identity=%identity

// Step 6 - Edit ipsec.secrets
nano ipsec.secrets

: RSA "privkey.pem"
hakase : EAP "[email protected]"
tensai : EAP "[email protected]"

// Step 7 - Enable and start strongswan
systemctl start strongswan
systemctl enable strongswan

// Step 8 - Enable portfowrding
nano /etc/sysctl.conf

net.ipv4.ip_forward = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1

// Step 9 - save reload sysctl
sysctl -p

systemctl restart strongswan

Iptables configuration

IPv4

*filter
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT

-A INPUT -p udp -m multiport --dports 500,4500 -m conntrack --ctstate NEW -j ACCEPT

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT

*nat
... 
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

// eth0 mtu 1500 on normal VPS
*mangle 
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

// eth0 mtu 1460 on Google GCP
*mangle
-A FORWARD -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -s 10.10.10.0/24  -m tcpmss --mss 1280:1500 -j TCPMSS --set-mss 1310
-A FORWARD -o eth0 -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -s 10.10.10.0/24 -m tcpmss --mss 1280:1500 -j TCPMSS --set-mss 1310

Generate .mobileconfig

  1. https://alephnull.uk/lets-encrypt-on-demand-ikev2-vpn-debian-ubuntu-ios-username-password-authentication

Refences:
1. https://www.howtoforge.com/tutorial/how-to-setup-ikev2-vpn-using-strongswan-and-letsencrypt-on-centos-7/ (*)
2. https://redplus.me/post/set-up-ikev2-vpn-for-ios-and-macos-with-local-dns-cache-and-dnscrypt/ (*)
3. https://www.howtoing.com/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
4. https://gist.github.com/andrewlkho/31341da4f5953b8d977aab368e6280a8
5. https://github.com/trailofbits/algo/tree/master/roles/vpn/templates
6. http://blog.dunkelstern.de/2016/08/07/ikev2-vpn-with-strongswan/
7. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
8. https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/ (FIX MTU problem)
9. Argo vpn MTU :https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
10. https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Updated 2018-11-04 
Added missing fullchain.pem