Strongswan on Debian 8 for iOS 9 Client

This tutorial uses Debian 8. The iOS 9 client could be an iPad or an iPhone.

Make server certificate

We will do most of the work on the server as root. If you are a non-root user, issue the command:

su -

Install the “Let’s Encrypt” client from Github:

apt-get install git
cd /etc
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Generate your server certificate. The standalone authenticator answers the Let’s Encrypt validation on port 443 itself, so that port must be reachable from the Internet while it runs. Repeat the next few steps, from opening port 443 down to closing port 443, each time the certificate is renewed (Let’s Encrypt certificates are valid for 90 days).

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
./letsencrypt-auto certonly --standalone

This runs for several minutes at the “Updating ...” message.

When prompted, enter your email, press Enter for Agree, and when it says enter your Domain, put the hostname of your VPN gateway (e.g. vpn.example.com).

“Let’s Encrypt” keeps the certificates and keys in /etc/letsencrypt/archive/vpn.example.com, with symbolic links to the current versions in /etc/letsencrypt/live/vpn.example.com. The archive directory is readable by root only, and strongSwan looks for a bare file name in leftcert under /etc/ipsec.d/certs and for a key under /etc/ipsec.d/private, so the easiest approach is to copy the current files into those default directories. The copy of privkey.pem must stay readable by root only:

cp /etc/letsencrypt/live/vpn.example.com/fullchain.pem /etc/ipsec.d/certs
cp /etc/letsencrypt/live/vpn.example.com/privkey.pem /etc/ipsec.d/private

When all is done, close port 443 (unless you need it open for some other reason):

iptables -D INPUT -p tcp --dport 443 -j ACCEPT

Install and configure Strongswan on server

Now install Strongswan and the eap-mschapv2 plugin (which Debian ships in the libcharon-extra-plugins package) on your server:

apt-get install strongswan libcharon-extra-plugins

Edit the IPsec configuration file /etc/ipsec.conf and make it read (the lines starting with # are comments and can be left out):

config setup

conn %default
        keyexchange=ikev2
        # server identity: must match the certificate's hostname and the "Remote ID" entered on the iOS client
        leftid=vpn.example.com
        # the file copied into /etc/ipsec.d/certs above
        leftcert=fullchain.pem
        # route the whole Internet through the tunnel (full-tunnel VPN)
        leftsubnet=0.0.0.0/0
        # accept clients from any address
        right=%any
        # pool of virtual addresses handed to clients, and the DNS server pushed to them
        rightsourceip=10.11.12.0/24
        rightdns=8.8.8.8
        # close the tunnel when dead peer detection finds the client gone
        dpdaction=clear

conn iosuser
        # send the server certificate even if the client does not ask for it
        leftsendcert=always
        # the server proves its identity with the certificate, the client with username/password over EAP
        rightauth=eap-mschapv2
        # look up the EAP secret by the username the client sends
        eap_identity=%identity
        # load the connection and wait for clients to connect
        auto=add

Edit the IPsec “secrets” file /etc/ipsec.secrets and make it read. This file names the private key and holds the users' passwords in clear text, so it must stay readable by root only:

# the server's private key, looked up in /etc/ipsec.d/private; the empty selector before the colon means it serves any local identity
 : RSA privkey.pem
# one line per VPN user: the username, then the EAP password
client1 : EAP "secretpasswordgoeshere"

Allow forwarding in the Linux kernel, so that the server can route the clients’ traffic to the Internet:

vi /etc/sysctl.conf

Uncomment the line:

net.ipv4.ip_forward=1

Write and quit, and make this change active now:

sysctl -p

Open the server firewall for IPsec. IKE uses UDP port 500; NAT traversal, which an iPhone behind a home router or on a mobile carrier will almost always use, encapsulates on UDP port 4500; and the tunnelled packets themselves are ESP (IP protocol 50). Protocol 51 is AH, which this configuration does not use, so that rule is harmless but optional. The MASQUERADE rule NATs the clients’ 10.11.12.0/24 addresses out of the server’s Internet interface, assumed here to be eth0 (check with ip addr). If your FORWARD chain policy is DROP, you also need rules permitting traffic to and from 10.11.12.0/24. The last command saves the rules so they survive a reboot and needs the iptables-persistent package installed:

iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE
dpkg-reconfigure iptables-persistent

Restart Strongswan to pick up all these changes, then leave the root shell and the SSH session:

service strongswan restart
exit
exit
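The renewal steps from the certificate section and the firewall rules above fit naturally into one script. The one below is an added example, not part of the original post; it assumes the hostname vpn.example.com, the letsencrypt checkout in /etc/letsencrypt and the /etc/ipsec.d directories used above, and it reads the iptables command from the IPTABLES variable so the rule-handling functions can be exercised without root. It differs from the commands above in two ways a practitioner will want: it tests with iptables -C before appending a rule, because -A appends blindly and re-running the tutorial’s commands leaves duplicate rules behind, and it reloads strongSwan with ipsec rereadsecrets and ipsec reload instead of restarting the service, so tunnels that are up stay up. Port 443 is closed again by a trap whether or not letsencrypt-auto succeeds.

```shell
#!/bin/sh
# Added example (not part of the original post): repeat the tutorial's
# "open 443 / letsencrypt-auto / copy / close 443" renewal steps and hand the
# new certificate to strongSwan without dropping active tunnels.
# Assumptions: hostname, letsencrypt checkout and ipsec directories as above.
set -eu

DOMAIN="${DOMAIN:-vpn.example.com}"
LE_CLIENT="${LE_CLIENT:-/etc/letsencrypt/letsencrypt-auto}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/$DOMAIN}"
IPSEC_CERTS="${IPSEC_CERTS:-/etc/ipsec.d/certs}"
IPSEC_PRIVATE="${IPSEC_PRIVATE:-/etc/ipsec.d/private}"
IPTABLES="${IPTABLES:-iptables}"   # overridable so the rule logic can run without root

# Add a rule only if it is not already present: iptables -A appends blindly,
# so re-running the tutorial's commands leaves duplicate rules behind.
ensure_rule() {            # ensure_rule <chain> <rule words...>
    chain="$1"; shift
    "$IPTABLES" -C "$chain" "$@" 2>/dev/null || "$IPTABLES" -A "$chain" "$@"
}

# Remove a rule if present; no error if it is already gone.
drop_rule() {              # drop_rule <chain> <rule words...>
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        "$IPTABLES" -D "$chain" "$@"
    fi
}

# Copy the renewed chain and key into the strongSwan directories with safe
# modes: the chain is public (644), the private key must be root-only (600).
# Returns 1 if either file is missing, so a failed renewal is not "installed".
install_certs() {          # install_certs <live-dir> <certs-dir> <private-dir>
    live="$1"; certs="$2"; private="$3"
    [ -f "$live/fullchain.pem" ] && [ -f "$live/privkey.pem" ] || return 1
    install -m 644 "$live/fullchain.pem" "$certs/fullchain.pem"
    install -m 600 "$live/privkey.pem"   "$private/privkey.pem"
}

# Succeed only if the key file is readable by its owner alone (GNU stat).
key_is_private() {         # key_is_private <file>
    [ "$(stat -c %a "$1")" = "600" ]
}

renew() {
    # Open 443 for the standalone challenge and make sure it is closed again
    # on exit, whether or not letsencrypt-auto succeeds.
    ensure_rule INPUT -p tcp --dport 443 -j ACCEPT
    trap 'drop_rule INPUT -p tcp --dport 443 -j ACCEPT' EXIT

    "$LE_CLIENT" certonly --standalone -d "$DOMAIN"

    install_certs "$LE_LIVE" "$IPSEC_CERTS" "$IPSEC_PRIVATE"
    key_is_private "$IPSEC_PRIVATE/privkey.pem"

    # Re-read the key and reload the connections (which re-reads leftcert).
    # "service strongswan restart", as in the tutorial, also works but drops
    # every tunnel that is currently up.
    ipsec rereadsecrets
    ipsec reload
}

# Run the renewal only when explicitly asked:  sh renew-vpn-cert.sh renew
if [ "${1:-}" = "renew" ]; then
    renew
fi
```

Run it from cron as root with the argument renew a couple of weeks before the certificate expires; the functions can be sourced on their own to reuse ensure_rule for the other firewall rules above.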

Configure iOS 9 client

Now go to your iOS 9 device, open Safari, and navigate to:

https://letsencrypt.org

Select the menu item “Technology” and the submenu item “Certificates”.

Click on the “Let’s Encrypt Authority X1” in PEM format. This is the intermediate CA that signed your server certificate (it appears as the Issuer of the first certificate in fullchain.pem); if the page lists newer intermediates, pick the one named there. Trusting it on the device is what lets iOS validate the certificate that strongSwan presents.

Follow the prompts to install this certificate as a “Profile” on your iOS 9 device.

Now add a VPN configuration that relies on this “Profile” (Settings > General > VPN > Add VPN Configuration). Choose the type IKEv2 and fill in the fields from the server configuration: Server is the hostname (vpn.example.com); Remote ID is the same name and must match leftid in /etc/ipsec.conf; Local ID can be left blank; User Authentication is Username; Username and Password are the name and EAP secret from /etc/ipsec.secrets (client1 and its password).

Press Done when you have set up all the parameters for your VPN configuration.

You can now connect to your VPN.

Troubleshoot

If you have any problems connecting, look on the server for the messages of charon, the strongSwan IKE daemon; an identity mismatch, a rejected EAP password or a certificate the client would not accept all show up there. The command ipsec statusall (as root) additionally lists which connections are loaded and which tunnels are established.

sudo grep charon /var/log/syslog | tail
