Connecting to an IKEv2 VPN server
5.X
Prerequisites
Required
- strongswan
- libcharon-extra-plugins
- libcharon-extauth-plugins
- libstrongswan-extra-plugins
Optional
- libstrongswan-standard-plugins
Connection configuration
/etc/ipsec.conf
conn vpn
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity="$USERNAME"
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=$SERVER_ADDRESS
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    type=tunnel
    auto=add
Authentication
/etc/ipsec.secrets
$USERNAME : EAP "$PASSWORD"
Constraints
In /etc/strongswan.d/charon/constraints.conf set load = no. This disables the constraints plugin (advanced X.509 constraint checking); the server certificate chain is still validated against the CA directory configured below.
Certificates
Use the system CA store for validating the server certificate. Note that this trusts every CA in /etc/ssl/certs; the 6.X section below links only the single root the server's certificate chains to.
# mv /etc/ipsec.d/cacerts /etc/ipsec.d/cacerts.orig
# ln -s /etc/ssl/certs /etc/ipsec.d/cacerts
Starting the service and connecting to VPN server
# service ipsec start
# ipsec up vpn
Optional
Limiting access to ipsec.conf
# chmod 600 /etc/ipsec.conf
Disabling service on startup
# systemctl disable ipsec
Fixing the AppArmor profile that prevents resolv.conf updates
The corresponding dmesg message looks like:
apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" comm="charon" requested_mask="wc" denied_mask="wc"
Add write permission for /etc/resolv.conf to /etc/apparmor.d/usr.lib.ipsec.charon:
@@ -57,2 +57,3 @@
/etc/tnc_config r,
+ /etc/resolv.conf w,
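Review bot: the hunk header `@@ -57,2 +57,3 @@` announces two original lines, but only one context line (`/etc/tnc_config r,`) is shown, so `patch` would reject the hunk as written; either restore the dropped second context line or change the header to `@@ -57,1 +57,2 @@`. The added rule `/etc/resolv.conf w,` does match the denial quoted above (`name="/etc/resolv.conf"`, `denied_mask="wc"`), since AppArmor's `w` permission also covers file creation.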
and reload the AppArmor profile:
# apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon
6.X
Migrating from 5.X
apt --purge remove strongswan strongswan-starter strongswan-charon
apt install strongswan-swanctl charon-systemd libcharon-extra-plugins strongswan-libcharon
Certificates
Let's Encrypt root certificate (ISRG Root X1), for a server whose certificate is issued by Let's Encrypt:
cd /etc/swanctl/x509
ln -s /etc/ssl/certs/ISRG_Root_X1.pem
Connection configuration
/etc/swanctl/conf.d/CONNECTION.conf
connections {
    CONNECTION {
        version=2
        local_addrs=%defaultroute
        remote_addrs=SERVER_ADDRESS
        vips=0.0.0.0,::
        local {
            auth=eap-mschapv2
            eap_id="USERNAME"
        }
        remote {
            auth=pubkey
            id=%any
        }
        children {
            CONNECTION {
                remote_ts=0.0.0.0/0
            }
        }
    }
}
secrets {
    eap-SUFFIX {
        id=USERNAME
        secret=PASSWORD
    }
}
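The migration above only swaps the tooling; the connection itself maps key by key from the 5.X ipsec.conf block to the swanctl block. The following Python script, an added example that is not part of these notes, automates that mapping for a single conn block. The key table and the value translations (leftsourceip=%config becoming vips=0.0.0.0,::, type=tunnel and auto=add dropped as swanctl defaults, dpdaction/dpddelay mapped to swanctl's dpd_action/dpd_delay) are assumptions read off the two configurations on this page; keys outside that table raise instead of being dropped silently.

```python
import re
# ipsec.conf key -> (swanctl subsection, "" for the connection itself; swanctl key).
# Assumed mapping, read off the 5.X and 6.X configurations on this page.
KEYMAP = {"left": ("", "local_addrs"), "right": ("", "remote_addrs"),
          "dpddelay": ("", "dpd_delay"), "leftauth": ("local", "auth"),
          "eap_identity": ("local", "eap_id"), "rightauth": ("remote", "auth"),
          "rightid": ("remote", "id"), "rightsubnet": ("children", "remote_ts"),
          "dpdaction": ("children", "dpd_action")}

def parse_conn(text):
    """Parse one 'conn NAME' block of ipsec.conf into (name, {key: value})."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.fullmatch(r"conn\s+(\S+)", lines[0])
    if not m:
        raise ValueError("expected 'conn NAME' on the first line")
    opts = {}
    for line in lines[1:]:
        k, _, v = line.partition("=")
        opts[k.strip()] = v.strip().strip('"')  # drop ipsec.conf quoting
    return m.group(1), opts

def to_swanctl(name, opts):
    """Build the swanctl 'connections' tree for a parsed 5.X conn block."""
    top, sub = {"version": "2"}, {"local": {}, "remote": {}, "children": {}}
    for k, v in opts.items():
        if k == "keyexchange" and v != "ikev2":
            raise ValueError("only keyexchange=ikev2 is handled")
        elif k in ("keyexchange", "type", "auto"):
            continue  # tunnel mode and no auto-start are the swanctl defaults
        elif k == "leftsourceip" and v == "%config":
            top["vips"] = "0.0.0.0,::"  # request an IPv4 and an IPv6 address
        elif k in KEYMAP:
            sec, key = KEYMAP[k]
            (top if sec == "" else sub[sec])[key] = v
        else:
            raise ValueError(f"no swanctl mapping for ipsec.conf key {k!r}")
    top["local"], top["remote"] = sub["local"], sub["remote"]
    top["children"] = {name: sub["children"]}  # child SA named after the conn
    return {"connections": {name: top}}

def render(tree, indent=0):
    """Serialise the nested dict in swanctl.conf syntax."""
    pad, out = " " * indent, []
    for k, v in tree.items():
        if isinstance(v, dict):
            out.append(f"{pad}{k} {{\n{render(v, indent + 4)}{pad}}}\n")
        else:
            out.append(f"{pad}{k}={v}\n")
    return "".join(out)
```

Feed the text of one conn block to parse_conn and print render(to_swanctl(name, opts)); the secrets section still has to be written by hand, since ipsec.secrets is not parsed here.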
Establishing and closing connections
Connect:
service strongswan start
swanctl --init --child CONNECTION
Disconnect:
swanctl --terminate --ike CONNECTION   # terminating just the child SA does not restore resolv.conf
ipsec-like bash function (add to ~/.bashrc):
~/.bashrc
ipsec() {
    case "$1" in
        start)  command service strongswan start ;;
        stop)   command service strongswan stop ;;
        up)     command swanctl --init --child "$2" ;;
        down)   command swanctl --terminate --ike "$2" ;;
        status) command systemctl is-active strongswan.service ;;
        *)      echo "Usage: ipsec [stop | start | status | up CONN | down CONN]" >&2
                return 1 ;;
    esac
}