Setup IKEv2 service on Ubuntu 16.04

This article is a simplified walkthrough for a general-purpose IKEv2 VPN proxy running on a freshly installed Ubuntu 16.04.

Reference: http://dcamero.azurewebsites.net/

1. Obtain a certificate for your domain

You can use Let's Encrypt or another CA, or generate your own.

Note: During my configuration process, the certificates must be physically present at the path pointed to by the ipsec configuration files instead of a symlink, or you may get a Permission Denied error.

2. Install strongSwan and MS-CHAPv2 plugin for username / password authentication

sudo apt install strongswan strongswan-plugin-eap-mschapv2

3. Configure IPsec

Example /etc/ipsec.conf file. This is a basic configuration that allows username / password authentication and multiple simultaneous connections per user (uniqueids=no):

config setup
        strictcrlpolicy=no
        uniqueids=no

conn %default
        keyexchange=ikev2
        ike=aes256gcm128-sha256-ecp256,aes256-sha256-ecp256!
        esp=aes256gcm128-sha256-ecp256,aes256-sha256-ecp256,aes256-ecp256,aes256-sha256!

        leftid=vpn.example.com
        leftsubnet=0.0.0.0/0
        leftcert=certificate_with_chain.pem
        leftsendcert=always

        right=%any
        rightsourceip=172.16.0.0/24
        rightdns=8.8.8.8

conn main
        rightauth=eap-mschapv2
        eap_identity=%identity
        auto=add

Example /etc/ipsec.secrets file:

: RSA privkey.pem
username : EAP "password"

The certificate and key, in this case, should be at:

4. Configure networking

Uncomment the line net.ipv4.ip_forward=1 in /etc/sysctl.conf to enable forwarding.

Apply change:

sudo sysctl -p

Add an iptables NAT rule for the client address pool (replace eth0 with the server's external interface):

sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE

Make the rules persistent:

sudo apt install iptables-persistent

If iptables-persistent is already installed:

sudo dpkg-reconfigure iptables-persistent

5. Restart strongSwan

sudo systemctl restart strongswan

To troubleshoot:

sudo journalctl -u strongswan -n 20

View connection status:

sudo ipsec status
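A pre-flight check script for the setup in steps 1 to 4, added here as an example and not part of the original article: it verifies that the certificate and key are regular files rather than symlinks (the Permission Denied caveat from step 1), that ipsec.secrets is not world-readable and its EAP entries have quoted passwords, that forwarding is on, and that the MASQUERADE rule exists. The /etc/ipsec.d paths in the usage line are assumptions based on the usual strongSwan layout; pass your real paths as arguments.

```shell
#!/bin/sh
# Pre-flight checks for the setup above (added example, not from the article).
# Default paths mirror the usual strongSwan layout under /etc/ipsec.d and are
# assumptions; pass the real paths as arguments. Uses GNU stat (Linux).

# 0 if the path is a regular file and not a symlink: strongSwan may report
# "Permission denied" on a symlinked certificate (see the note in step 1).
cert_is_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# 0 if group/others cannot read the file. ipsec.secrets holds the EAP
# passwords in clear text, so it should be mode 600 (or 400) and root-owned.
secrets_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 0 if every "user : EAP ..." entry carries a non-empty quoted password.
eap_entries_ok() {
    [ -r "$1" ] || return 1
    ! grep -E '^[^:#]+ : EAP ' "$1" | grep -Evq '^[^:#]+ : EAP "[^"]+"[[:space:]]*$'
}

# 0 if forwarding is on. Takes the sysctl file path so a copy can be checked.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# 0 if the step 4 MASQUERADE rule for the client pool exists (needs root).
nat_rule_present() {
    iptables -t nat -C POSTROUTING -s "${1:-172.16.0.0/24}" \
        -o "${2:-eth0}" -j MASQUERADE 2>/dev/null
}

# Run all checks on the live host; prints each failure, returns 1 on any.
preflight() {
    rc=0
    cert_is_regular_file "$1" || { echo "FAIL: $1 missing or a symlink"; rc=1; }
    cert_is_regular_file "$2" || { echo "FAIL: $2 missing or a symlink"; rc=1; }
    secrets_mode_ok "$3" || { echo "FAIL: $3 readable by group/others"; rc=1; }
    eap_entries_ok "$3" || { echo "FAIL: $3 has an EAP entry without password"; rc=1; }
    ip_forward_enabled || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    nat_rule_present || { echo "FAIL: POSTROUTING MASQUERADE rule missing"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all checks passed"
    return "$rc"
}

# Usage: sudo sh preflight.sh <certificate_with_chain.pem> <privkey.pem> /etc/ipsec.secrets
if [ $# -eq 3 ]; then preflight "$@"; fi
```

Run it as root after step 4 and before restarting strongSwan; the NAT and forwarding checks read live kernel state, the file checks work on any path you pass.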