How to Install and Configure IPsec VPN with StrongSwan on Ubuntu 22.04

IPsec VPN is a secure method for connecting devices or networks over the internet by encrypting and protecting the data being transmitted. It ensures that only authorized users can access the data and keeps the information private, even on public networks. By creating a secure "tunnel", IPsec safeguards communication from eavesdropping or unauthorized access. It's often used to let remote workers safely connect to company networks or to link different office locations over the internet.

In this guide, we will show you how to install and configure an IPsec VPN using StrongSwan on Ubuntu 22.04, specifically utilizing the strongswan-starter.service.

Prerequisites

  • A server running Ubuntu 22.04.
  • Root or sudo privileges.

Update the System

Before installing any packages, ensure your system is up to date:

apt update -y
apt upgrade -y

Install StrongSwan

StrongSwan is an open-source software that implements the IPsec protocol to create secure VPN connections. It encrypts data to protect it as it travels over the internet and supports site-to-site and remote access VPNs.

To install StrongSwan, use the following command:

apt install strongswan strongswan-pki -y

This will install StrongSwan and its certificate management utilities.

Generate Certificates for IPsec (Optional)

  1. Create the CA certificate:
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=US, O=YourCompany, CN=YourCompany Root CA" --ca --lifetime 3650 --outform pem > caCert.pem

Ensure the country code (C) is correct, and replace the organization name (O) and common name (CN) with your own details.

  2. Create the server certificate:
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --lifetime 3650 --cacert caCert.pem --cakey caKey.pem --dn "C=US, O=VPN, CN=your_server_ip or Domain_name" --san="your_server_ip or Domain_name" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem

Replace the --dn and --san values with your server's actual IP address or domain name and your organization details. The --san value must match the address clients use to connect, otherwise clients will reject the server certificate.

  3. Copy the certificates to the proper directories:
cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/

Configure StrongSwan for IPsec VPN

Modify the StrongSwan configuration file to set up the VPN.

  1. Open the StrongSwan configuration file:
nano /etc/ipsec.conf
  2. Add the following configuration:
config setup
    charondebug="ike 2, knl 2, cfg 2"

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

conn IPSec-IKEv2
    auto=add

To customize the VPN configuration, you can review the details of each keyword in the strongSwan ipsec.conf documentation.

Global Configuration (config setup)

  • charondebug="ike 2, knl 2, cfg 2": Sets the logging level for the IKE (Internet Key Exchange), kernel, and configuration components. The values indicate a moderate level of verbosity.

Default Connection Parameters (conn %default)

  • keyexchange=ikev2: Specifies that IKEv2 is used as the key exchange protocol.
  • ike=aes256-sha256-modp2048!: Configures the algorithms for the IKE phase with AES-256 encryption, SHA-256 for integrity, and MODP-2048 as the Diffie-Hellman group.
  • esp=aes256-sha256!: Configures the algorithms for the ESP (Encapsulating Security Payload) phase with AES-256 encryption and SHA-256 for integrity.
  • dpdaction=clear: Configures the Dead Peer Detection (DPD) action to clear the connection if the peer is unresponsive.
  • dpddelay=300s: Sets the interval for DPD checks to 300 seconds.
  • rekey=no: Disables rekeying initiated by this side; the server still responds if the client requests a rekey.
  • left=%any: Specifies the local endpoint, allowing any IP address.
  • leftauth=pubkey: Uses public key authentication for the local endpoint.
  • leftcert=serverCert.pem: Specifies the certificate file for the local endpoint.
  • leftsendcert=always: Always sends the local certificate to the peer.
  • leftsubnet=0.0.0.0/0: Defines the subnet offered to clients behind the local endpoint; 0.0.0.0/0 sends all client traffic through the tunnel.
  • right=%any: Specifies the remote endpoint, allowing any IP address.
  • rightauth=eap-mschapv2: Uses EAP-MSCHAPv2 for authentication on the remote endpoint.
  • rightdns=8.8.8.8,8.8.4.4: Specifies the DNS servers for the remote endpoint.
  • rightsourceip=10.10.10.0/24: Defines the IP range to be assigned to clients.
  • rightsendcert=never: Configures the remote endpoint to never send its certificate.
  • eap_identity=%identity: Uses the user identity provided by the client for authentication.

Specific Connection (conn IPSec-IKEv2)

  • auto=add: Loads the connection when the IPsec service starts so it is ready to accept incoming clients, without initiating it from the server side.
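As an added example (not part of the original guide), the following Python script parses an ipsec.conf like the one above, applies the conn %default inheritance that makes conn IPSec-IKEv2 pick up every default setting, and flags proposals weaker than the guide's. The sample configuration embedded in it is constructed from the listing above.

```python
"""Parse strongSwan ipsec.conf sections, resolve %default inheritance and
audit the effective connection for settings weaker than the guide's."""

# Constructed sample, reduced from the ipsec.conf listing in the guide.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24

conn IPSec-IKEv2
    auto=add
"""

def parse_conf(text):
    """Return {'conn NAME': {key: value}} for every section in the file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments and blanks
        if not line:
            continue
        if not line[0].isspace():              # unindented: section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """Merge conn %default under the named conn; explicit keys win."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged

WEAK_GROUPS = ("modp768", "modp1024", "modp1536")

def audit_conn(conn):
    """List findings where the effective conn is weaker than the guide."""
    findings = []
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    for key in ("ike", "esp"):
        prop = conn.get(key, "")
        if not prop.endswith("!"):   # without '!' the responder accepts default proposals too
            findings.append(f"{key} proposal lacks the strict '!' flag")
        if any(g in prop for g in WEAK_GROUPS):
            findings.append(f"{key} uses a Diffie-Hellman group below modp2048")
    if conn.get("leftauth") != "pubkey":
        findings.append("leftauth is not pubkey; server should present its certificate")
    return findings
```

Run audit_conn(effective_conn(parse_conf(open("/etc/ipsec.conf").read()), "IPSec-IKEv2")) on the server to see what the client actually negotiates against after inheritance.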

Add VPN Users

Next, add users that will authenticate to the VPN. Edit the ipsec.secrets file:

nano /etc/ipsec.secrets

Add users in the following format:

username : EAP "password"

Replace 'username' and 'password' with your actual username and password.

Enable and Start the strongswan-starter.service

To manage the StrongSwan VPN using the strongswan-starter.service, enable and start the service as follows:

  1. Enable the service to start at boot:
systemctl enable strongswan-starter.service
  2. Start the service:
systemctl start strongswan-starter.service
  3. Verify the service is running:
systemctl status strongswan-starter.service

Configure the Firewall

If your server has an active firewall, ensure the ports required for IPsec VPN (UDP 500 for IKE and UDP 4500 for NAT traversal) are open:

ufw allow 500,4500/udp
ufw enable
ufw reload

Connect to the VPN

After installing and configuring the IPsec VPN using strongSwan, you can access it by logging into a VPN application or client, which typically needs to be installed on your local system/device.

To connect, use any IPsec/IKEv2 compatible client and provide the server’s IP address, along with your username and password.

