IPsec VPN Server and Clients

This article will show you how to install StrongSwan on a server and on iOS, Android, and Windows clients. In this article, the server authenticates with a certificate, and the clients authenticate with a user name and password.

We use a Certificate Authority named ExampleCA and a server named gateway.example.com as examples in this article. You must, of course, replace these by your own choices. Similarly, you must also use your own choices for user name and password.

Server

Begin by visiting DigitalOcean and opening and funding an account. If you use my link, they may reward you with an extra credit when you add funds for the first time. Follow the remainder of the article Basic Linux VPS Set Up from a Windows PC to create and set up your “droplet” (VPS).

This article uses Ubuntu 16.04. If you selected a different Linux distribution, you will need to make appropriate changes to the Linux commands.

When you have created your droplet, install the required packages for StrongSwan:

sudo apt-get install strongswan libcharon-extra-plugins

Note: On Debian 9, you also need to install the package strongswan-pki.

Unless you are going to use real certificates to authenticate your server(s), make your own Certificate Authority (CA) key:

sudo ipsec pki --gen --outform pem > caKey.pem

sudo mv caKey.pem /etc/ipsec.d/private/caKey.pem

sudo chmod 600 /etc/ipsec.d/private/caKey.pem

Make the CA certificate:

sudo ipsec pki --self --ca --lifetime 3650 --in /etc/ipsec.d/private/caKey.pem --dn "C=CA, O=Example, CN=ExampleCA" --outform pem > caCert.pem

sudo mv caCert.pem /etc/ipsec.d/cacerts/caCert.pem

Long commands may appear over multiple lines on this web page, but must be entered as a single command.

Make the server key:

sudo ipsec pki --gen --outform pem > serverKey.pem

sudo mv serverKey.pem /etc/ipsec.d/private/serverKey.pem

sudo chmod 600 /etc/ipsec.d/private/serverKey.pem

Use your CA to sign the server certificate:

sudo ipsec pki --pub --in /etc/ipsec.d/private/serverKey.pem | sudo ipsec pki --issue --lifetime 365 --cacert /etc/ipsec.d/cacerts/caCert.pem --cakey /etc/ipsec.d/private/caKey.pem --dn "C=CA, O=Example, CN=gateway.example.com" --san gateway.example.com --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem

sudo mv serverCert.pem /etc/ipsec.d/certs/serverCert.pem

Edit the StrongSwan IPsec configuration file:

sudo vi /etc/ipsec.conf

Delete the existing contents, and replace them with:

config setup

conn %default
    keyexchange=ikev2
    leftid=gateway.example.com
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.9.0.0/24
    rightdns=208.67.222.222,208.67.220.220
    dpdaction=clear

conn client
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
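As an added example, not part of the original article, here is a small Python checker that parses an ipsec.conf of the shape shown above, applies the "conn %default" inheritance that strongSwan uses to resolve the two conn blocks, and flags the settings a reviewer would insist on for this certificate-authenticated gateway with user name/password clients. The embedded sample config is the one from this article; the REQUIRED table and audit_conn are my own choices, not part of strongSwan.

```python
# Constructed sample: the ipsec.conf from the article, embedded so this runs offline.
SAMPLE_CONF = """\
config setup
conn %default
    keyexchange=ikev2
    leftid=gateway.example.com
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.9.0.0/24
    rightdns=208.67.222.222,208.67.220.220
    dpdaction=clear
conn client
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
"""

def parse_ipsec_conf(text):
    """{'conn client': {key: value}, ...}: headers in column 0, settings indented, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.split()[0] in ("config", "conn", "ca"):
            current = " ".join(line.split())   # e.g. "conn %default"
            sections[current] = {}
        elif current is None or not line[0].isspace() or "=" not in line:
            raise ValueError(f"unexpected line in ipsec.conf: {raw!r}")
        else:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """conn `name` with 'conn %default' filled in underneath, as strongSwan resolves it."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections["conn " + name])
    return merged

# Settings a reviewer expects on a certificate-gateway / password-client conn (my choice).
REQUIRED = {"keyexchange": "ikev2", "leftsendcert": "always", "rightauth": "eap-mschapv2"}
def audit_conn(conn):
    """Return the REQUIRED settings that are missing or differ, plus a missing leftcert."""
    findings = [f"{k} should be {v}" for k, v in REQUIRED.items() if conn.get(k) != v]
    if not conn.get("leftcert"):
        findings.append("leftcert is required: the gateway must authenticate with a certificate")
    return findings
```

Running audit_conn(effective_conn(parse_ipsec_conf(SAMPLE_CONF), "client")) returns an empty list for the article's config; drop leftcert or switch keyexchange to ikev1 and the corresponding findings appear.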

Edit the IPsec “secrets” file:

sudo vi /etc/ipsec.secrets

Insert two lines for:

 : RSA serverKey.pem
derek : EAP "RhZ7DwL3b"

Note that there is a space before the colon on the first line. You must, of course, replace the user name and password with your own choices. Remember the user name and password, as you will need them later on when you configure your VPN client(s).

Allow IP forwarding in the Linux kernel by editing the system control configuration file:

sudo vi /etc/sysctl.conf

Uncomment the line:

net.ipv4.ip_forward=1

Make this change effective now:

sudo sysctl -p

Open the firewall for IKE (UDP 500), NAT traversal (UDP 4500), and the ESP and AH protocols (IP protocol numbers 50 and 51), and perform network address translation on outbound packets:

sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT

sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

sudo iptables -A INPUT -p 50 -j ACCEPT

sudo iptables -A INPUT -p 51 -j ACCEPT

sudo iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE

sudo dpkg-reconfigure iptables-persistent

Finish up the server work by restarting StrongSwan, so that all these changes will be effective:

sudo service strongswan restart

Also make your CA certificate available for download to the client(s) by putting it on a simple webpage, served by Apache, and accessible from the outside world:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo dpkg-reconfigure iptables-persistent

sudo apt-get install apache2

Publish the certificate.

Convert the CA certificate to DER format and copy it into the web root:

sudo openssl x509 -outform der -in /etc/ipsec.d/cacerts/caCert.pem -out /var/www/html/caCert.crt

Create your simple webpage:

sudo vi /var/www/html/cacert.html

Insert some HTML to make the CA certificate available for download by the client(s):

<!DOCTYPE html>
<html>
<head>
<title>Your CA Certificate</title>
</head>
<body>
<h1>Here Is Your CA Certificate</h1>
<p><a href="caCert.crt">caCert.crt</a></p>
</body>
</html>

This is the end of the server set-up.

iOS Client

Go to your iPhone or iPad.

To import the CA certificate, open Safari and visit http://gateway.example.com/cacert.html (replacing the host name with your own choice, of course).

Tap the link to the CA certificate. A wizard will walk you through the steps to install it on your iPad or iPhone.

Tap on Done at the end of the import process.

(Screenshot: Installing a Certificate Authority Profile in iOS)

Now go to Settings. Click the General section, then scroll down to and select the VPN section.

Click Add VPN Configuration.

Click Done.

(Screenshot: Adding a VPN configuration in iOS)

To connect to the VPN, select the VPN configuration named StrongSwan.

Toggle the Status switch to the Connected (green) position.

Android Client

Go to your Android phone or tablet.

To import the CA certificate to your Android device, visit http://gateway.example.com/cacert.html in the Chrome browser (NB: this will not work in Firefox).

Tap on the link to the CA certificate. If asked, choose to Complete the action using the Certificate Installer, Just once.

You can leave the certificate name as caCert, and the Credential use as VPN and apps.

Tap OK:

(Screenshot: Installing a Certificate Authority in Android)

The CA certificate shows up on your Android device under Settings, General, Security, Trusted credentials, on the User tab:

(Screenshot: User trusted credential in Android)

Install the StrongSwan VPN Client from the Google Play Store:

(Screenshot: StrongSwan VPN Client for Android in the Google Play Store)

Open the app.

Click ADD VPN PROFILE.

Click Save.

(Screenshot: Adding a VPN profile in Android)

To connect to the VPN, select the VPN connection for gateway.example.com.

Check the box for I trust this application, and tap OK.

(Screenshot: Confirming that you trust this application in Android)

The VPN client connects to the VPN server.

Windows Client

Go to your Windows PC.

To download your CA certificate, visit http://gateway.example.com/cacert.html in a browser. Right-click the certificate link, choose Save target as, and save the file to your Downloads folder.

To add the CA certificate to your Trusted Root Certification Authorities store:

  1. Open a command window and enter mmc (or search for mmc in the Windows search box and select the Microsoft Management Console).
  2. When it asks you if you want to allow the Microsoft Management Console app to make changes to your PC, click Yes.
  3. From the menu, click File, then Add/Remove Snap-in, then select Certificates. Click Add to copy this choice across.
  4. Most importantly, select the radio button for Computer account, and then click Next.
  5. Select Local computer, then click Finish.
  6. Click OK.
  7. In the tree in the left pane, double-click Certificates (Local Computer).
  8. Right-click the Trusted Root Certification Authorities store, then select All tasks, then click Import.
  9. Follow the steps in the Certificate Import Wizard to browse to and import the file caCert.crt from your Downloads folder. You should end up with a message saying that the import was successful.
  10. Close the Microsoft Management Console windows. When asked if you want to save settings, select No.

Your ExampleCA certificate now appears in the Trusted Root Certification Authorities store:

(Screenshot: Certificate Authority in the Trusted Root Certification Authorities store, Windows Microsoft Management Console)

To add a VPN connection, click the Start button, then select Settings, then Network & Internet, then VPN.

Click the button for + Add a VPN connection.

Important note: When I set the VPN type to IKEv2, the VPN did not work. I could connect to the VPN gateway and authenticate okay, but all traffic to the outside world was sent over my PC’s non-VPN Ethernet connection. The StrongSwan VPN was marked as having no Internet access. The workaround, as above, was to set the VPN type to Automatic.

(Screenshot: Editing a VPN connection in Windows 10)

Click Save.

To connect to the VPN, select the VPN connection named StrongSwan.

Press Connect.

Linux Client

Unfortunately, at the time of writing, there was a problem with network-manager-strongswan version 1.3.1 (issue #1429) that prevented adding StrongSwan VPNs in GNOME Network Manager. This issue affected Debian 8 Jessie and Ubuntu 16.04, among others. Package version 1.4.1 in Debian 9 Stretch allows StrongSwan to work with Network Manager in Linux.

(Screenshot: Editing a VPN connection in Linux)