Strongswan on Debian 8 for iOS 9 Client
This tutorial uses Debian 8. The iOS 9 client could be an iPad or an iPhone.
Make server certificate
We will do most of the work on the server as root. If you are a non-root user, issue the command:
Install the “Let’s Encrypt” client from Github:
apt-get install git cd /etc git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt
Generate your server certificate. Repeat the next few steps, from opening port 443 down to closing port 443, at certificate renewal time (every 90 days).
iptables -A INPUT -p tcp --dport 443 -j ACCEPT ./letsencrypt-auto certonly --standalone
This runs for several minutes at the “Updating ...” message.
When prompted, enter your email, press Enter for Agree, and when it says enter your Domain, put the hostname of your VPN gateway (e.g. vpn.example.com).
“Let’s Encrypt” puts certificates and keys in
with a symbolic link to the current ones in
To ensure correct permissions, it’s easiest to copy them into the default
directories for ipsec:
cp /etc/letsencrypt/live/vpn.example.com/fullchain.pem /etc/ipsec.d/certs cp /etc/letsencrypt/live/vpn.example.com/privkey.pem /etc/ipsec.d/private
When all is done, close port 443 (unless you need it open for some other reason):
iptables -D INPUT -p tcp --dport 443 -j ACCEPT
Install and configure Strongswan on server
Now install Strongswan and the eap-mschapv2 plugin on your server:
apt-get install strongswan libcharon-extra-plugins
Edit the IPsec configuration file /etc/ipsec.conf and make it read:
config setup conn %default keyexchange=ikev2 leftid=vpn.example.com leftcert=fullchain.pem leftsubnet=0.0.0.0/0 right=%any rightsourceip=10.11.12.0/24 rightdns=220.127.116.11 dpdaction=clear conn iosuser leftsendcert=always rightauth=eap-mschapv2 eap_identity=%identity auto=add
Edit the IPsec “secrets” file /etc/ipsec.secrets and make it read:
: RSA privkey.pem client1 : EAP "secretpasswordgoeshere"
Allow forwarding in the Linux kernel:
Uncomment the line:
Write and quit, and make this change active now:
Open the server firewall for IPsec:
iptables -A INPUT -p udp --dport 500 -j ACCEPT iptables -A INPUT -p udp --dport 4500 -j ACCEPT iptables -A INPUT -p 50 -j ACCEPT iptables -A INPUT -p 51 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE dpkg-reconfigure iptables-persistent
Restart Strongswan to pick up all these changes, and exit your server:
service strongswan restart exit exit
Configure iOS 9 client
Now go to your iOS 9 device, open Safari, and navigate to:
Select the menu item “Technology” and the submenu item “Certificates”.
Click on the “Let’s Encrypt Authority X1” in PEM format.
Follow the prompts to install this certificate as a “Profile” on your iOS 9 device.
Now you can add a VPN that uses this “Profile” (Settings > General > VPN > Add VPN Configuration).
- The type is the default of IKEv2
- Description is whatever you want
- Server is vpn.example.com (your server hostname)
- Remote id is vpn.example.com (as specified on server certificate)
- Local id is client1
- Authentication is User authentication
- Username is client1 (as in /etc/ipsec.secrets)
- Password is secretpasswordgoeshere (as in /etc/ipsec.secrets)
Press Done when you have set up all the parameters for your VPN configuration.
You can now connect to your VPN.
If you have any problems connecting, look for error messages on the server:
sudo tail /var/log/syslog