Introduction

Strongswan, like commercial IKEv2 VPN products (e.g. Cisco ASA), can provide remote access VPNs over IKEv2. The main advantage of IKEv2 is that it needs no dedicated client: support is built into most common platforms (e.g. iPhone, Windows, Mac etc.). Other benefits are that IKEv2 sets up a connection much faster (only 3 messages as opposed to 6 in IKEv1), has native NAT-T support, and supports MOBIKE (it detects roaming IP changes without rebuilding new SAs).

ipsec.conf

Clients authenticate with EAP (EAP-MSCHAPv2 usernames and passwords), the server authenticates with our certificate (a standalone certificate issued by Let's Encrypt), and 10.45.1.0/24 is the virtual IP pool handed out to clients.

conn dial-in
    # load the conn at startup and wait for clients to initiate
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # IKE and ESP proposals; the trailing '!' makes the IKE list strict.
    # modp1024/modp1536 and sha1 are kept only for older clients and are below current recommendations.
    ike=aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256
    # IKEv2 fragmentation for large (certificate) payloads, and always UDP-encapsulate ESP on 4500 for clients behind NAT
    fragmentation=yes
    forceencaps=yes
    # dead peer detection: drop the SA silently when the client stops answering
    dpdaction=clear
    dpddelay=300s
    # let the client drive rekeying
    rekey=no
    # server side: answer on any local address, authenticate with the Let's Encrypt chain (looked up in ipsec.d/certs)
    left=%any
    leftid=@centos.kuligowski.co.uk
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # client side: any peer, EAP-MSCHAPv2 authentication, virtual IPs from the pool, DNS servers pushed to the client
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.45.1.0/24
    rightdns=1.1.1.1,1.1.1.3
    rightsendcert=never
    # look up the secret by the EAP identity the client sends, not by its IKE identity
    eap_identity=%identity

ipsec.secrets

The server's private key and all individual usernames with their passwords go into the /etc/strongswan/ipsec.secrets file.

# private key belonging to the certificate referenced by leftcert
: RSA "privkey.pem"
# one line per user: <username> : EAP "<password>"
pawel : EAP "password123"

iptables

We need to allow traffic from the VPN pool to be forwarded through our server to the Internet and SNAT it to the server's public address.

# forwarding also requires net.ipv4.ip_forward=1 on the server
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.45.1.0/24 -j ACCEPT
# the SNAT source must be the same subnet as rightsourceip in ipsec.conf
iptables -t nat -A POSTROUTING -s 10.45.1.0/24 -j SNAT --to-source 51.75.162.65
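A small consistency check for the ipsec.conf conn and the iptables rules above, written as an added example for this post (not part of strongSwan or of the original setup): it parses the conn section, flags proposals that still offer legacy algorithms (modp1024/modp1536, sha1), and verifies that the SNAT source subnet matches the rightsourceip pool. The sample config and SNAT rule are constructed inline; the SNAT rule deliberately uses a subnet that does not match the pool so the check has something to report.

```python
import re

# Constructed sample: the conn from this post, plus an SNAT rule whose subnet does not match the pool.
IPSEC_CONF = """conn dial-in
    ike=aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256
    rightsourceip=10.45.1.0/24
"""
SNAT_RULE = "iptables -t nat -A POSTROUTING -s 10.15.1.0/24 -j SNAT --to-source 51.75.162.65"

# 1024/1536-bit MODP groups are below current guidance (RFC 8247: SHOULD NOT); SHA-1, MD5, 3DES are legacy.
LEGACY_ALGS = {"modp768", "modp1024", "modp1536", "sha1", "md5", "3des"}


def parse_conn(conf, name):
    """Return the key=value settings of the named conn section as a dict."""
    settings, in_section = {}, False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            in_section = stripped.split(None, 1)[1].strip() == name
            continue
        if in_section and "=" in stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def weak_proposals(proposal_list):
    # a comma separated ike=/esp= value; a trailing '!' only marks the list strict
    flagged = []
    for prop in proposal_list.rstrip("!").split(","):
        if set(prop.split("-")) & LEGACY_ALGS:
            flagged.append(prop)
    return flagged


def snat_subnet(rule):
    # pull the "-s <subnet>" argument out of an iptables command line
    match = re.search(r"\s-s\s+(\S+)", rule)
    return match.group(1) if match else ""


def audit(conf, name, rule):
    """Return human readable findings for one conn and its SNAT rule."""
    settings = parse_conn(conf, name)
    findings = []
    for key in ("ike", "esp"):
        for prop in weak_proposals(settings.get(key, "")):
            findings.append(f"{key}: legacy algorithm in proposal {prop}")
    pool, nat = settings.get("rightsourceip", ""), snat_subnet(rule)
    if pool and nat and pool != nat:
        findings.append(f"SNAT source {nat} does not match rightsourceip {pool}")
    return findings
```

Running audit(IPSEC_CONF, "dial-in", SNAT_RULE) on the sample reports three legacy IKE proposals, five legacy ESP proposals and the pool mismatch.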

Debugging

[root@centos /]# strongswan statusall dial-in
[root@centos /]# tail -f /var/log/messages | grep charon
