IKEv2 Server in Debian (EAP-MSCHAPv2 only)
IKEv2 Server using StrongSwan
The most secure IKEv2 setup is IKEv2 Mutual RSA + MSCHAPv2. However, I'm not setting it up here right now, as I have only set it up in OPNsense (I have no time to test a Linux server). Maybe I will update this if I have time to figure out the value of rightauth2.
1. Install StrongSwan to Debian
Get superuser:
sudo -i
Install the StrongSwan packages:
apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y
2. Generate certificates
Create folders to store the certs and keys, then restrict their access permissions:
mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki
Generate the CA key:
pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
Generate the CA certificate from the key. "VPN root CA" can be changed to any name you like for your CA cert:
pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
    --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem
Generate the server key:
pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
Generate the server cert. Note: you need to change a.bname.com to your own DDNS name (it must match the SAN, since clients verify the server identity against it):
pki --pub --in ~/pki/private/server-key.pem --type rsa \
    | pki --issue --lifetime 1825 \
    --cacert ~/pki/cacerts/ca-cert.pem \
    --cakey ~/pki/private/ca-key.pem \
    --dn "CN=a.bname.com" --san a.bname.com \
    --flag serverAuth --flag ikeIntermediate --outform pem \
    > ~/pki/certs/server-cert.pem
Copy all generated certificates to the ipsec.d folder:
cp -r ~/pki/* /etc/ipsec.d/
3. Configure IPSec server
Remove the default ipsec config and create a new one:
rm /etc/ipsec.conf
nano /etc/ipsec.conf
Configure ipsec.conf as follows (advised to copy it to a text editor first). Remember to change the following values:
- a.bname.com : the DDNS name you are using
- 192.168.212.0 : the subnet you want to assign to IPSec clients
- 1.1.1.1 : the DNS server you want to use
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids = no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@a.bname.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.212.0/24
    rightdns=1.1.1.1,1.0.0.1
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256!
Note that the parameter lines must be indented under their section, and the trailing "!" on ike= and esp= restricts negotiation to exactly these proposals instead of also offering strongSwan's defaults.
Configure ipsec.secrets (your login name and password):
nano /etc/ipsec.secrets
Configure the file as follows. Remember to change username and password:
: RSA "server-key.pem"
username : EAP "password"
Restart the IPSec server to apply the modifications:
systemctl restart strongswan-starter
Save your CA cert so you can connect: copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (for Android, you need to save it in .crt format):
cat /etc/ipsec.d/cacerts/ca-cert.pem
Then open UDP 500 and UDP 4500 on your server's firewall.
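A quick way to catch the two mistakes that most often break this setup (unindented parameter lines, and ike=/esp= lists that are not strict or contain weak algorithms) is to lint the conn section before restarting strongSwan. The following is an added example, not part of the original guide or of strongSwan; the embedded config is a constructed copy of the conn section above, and the weak-algorithm list is the author's own choice:

```python
# Constructed sample mirroring the guide's ipsec.conf conn section (not read from /etc/ipsec.conf).
SAMPLE_CONF = """\
config setup
    uniqueids = no
conn ikev2-vpn
    keyexchange=ikev2
    leftid=@a.bname.com
    leftsendcert=always
    rightauth=eap-mschapv2
    rightsourceip=192.168.212.0/24
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256!
"""
# Algorithm tokens that have no place in a modern IKEv2 proposal (assumed list, extend as needed).
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}: 'config setup' and every 'conn' become one section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented: section header, e.g. "conn ikev2-vpn"
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:                     # indented: "key=value" (spaces around '=' allowed)
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint_conn(conn):
    """Flag settings that would break or weaken the EAP-MSCHAPv2 setup described above."""
    required = {"keyexchange": "ikev2", "rightauth": "eap-mschapv2",
                "eap_identity": "%identity", "leftsendcert": "always"}
    findings = [f"expected {k}={v}, found {conn.get(k)!r}" for k, v in required.items() if conn.get(k) != v]
    if conn.get("leftid", "%any") == "%any":
        findings.append("leftid should be the server FQDN (@host) matching the certificate SAN")
    for key in ("ike", "esp"):
        value = conn.get(key, "")
        if not value.endswith("!"):                   # without '!' strongSwan appends its default proposals
            findings.append(f"{key}= is not a strict proposal list (no trailing '!')")
        for proposal in value.rstrip("!").split(","):
            weak = WEAK_TOKENS.intersection(proposal.split("-"))
            if weak:
                findings.append(f"{key}= proposal {proposal!r} uses weak {sorted(weak)}")
    return findings
```

Running lint_conn on the parsed conn section of your real file returns an empty list when it matches the guide; any string in the list names the setting to fix before restarting strongswan-starter.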
4. Example of IPSec in Android (StrongSwan app)
The CA cert needs to be installed via the phone settings.