IKEv2 Server in Debian (EAP-MSCHAPv2 only)

The most secure setup using IKev2 is IKEv2 Mutual RSA + MSCHAPv2 However, I'm not setting it here right now, as I have only set it in OPNsense (Have no time to test linux server) Maybe I will update if I have time to figure out the value of rightauth2

1. Install StrongSwan to Debian

Get superuser

sudo -i

Install StrongSwan packages

apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y

2. Generate certificates

Create folders to store certs and keys, then mod the permission of access

mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki

Generate CA key

pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem

Generate CA certificate from key "VPN root CA" can be changed to any name you like for your CA cert

pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
    --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem

Generate server key

pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem

Generate server cert Note: you need to change a.bname.com to your own ddns name

Copy all generated certificates to ipsec.d folder

3. Configure IPSec server

remove default ipsec config and create new one

Config ipsec.conf as follow (Advised to copy to notepad first) Remember to change the following values: a.bname.com : the DDNS you are using 192.168.212.0 : the subnet you want to assign to IPSec 1.1.1.1 : The DNS server you want to use

Configure ipsec.secrets (your login name and password)

Configure the file as follow: Remember to change username and password

Restart IPSec server to apply modifications

save your CA-cert for you to connect Copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (For android, you need to save it in .crt format)

Then open UDP 500 and UDP 4500 for your server

4. Example of IPSec in Android (StrongSwan app)

CA cert need to install via Phone setting