This article will show you how to install StrongSwan on a server and on iOS, Android, and Windows clients. In this article, the server authenticates with a certificate, and the clients authenticate with a user name and password.
We use a Certificate Authority named ExampleCA and a server named gateway.example.com as examples in this article. You must, of course, replace these by your own choices. Similarly, you must also use your own choices for user name and password.
Begin by visiting DigitalOcean and opening and funding an account. If you use my link, they may reward you with an extra credit when you add funds for the first time. Follow the remainder of the article Basic Linux VPS Set Up from a Windows PC to create and set up your “droplet” (VPS). For China, you will likely get the best performance if you locate your droplet in San Francisco.
This article uses Ubuntu 16.04. If you selected a different Linux distribution, you will need to make appropriate changes to the Linux commands.
When you have created your droplet, install the required packages for StrongSwan:
sudo apt-get install strongswan libcharon-extra-plugins
Note: In Debian 9, you also need to install an additional package.
Unless you are going to use real certificates to authenticate your server(s), make your own Certificate Authority (CA) key:
sudo ipsec pki --gen --outform pem > caKey.pem
sudo mv caKey.pem /etc/ipsec.d/private/caKey.pem
sudo chmod 600 /etc/ipsec.d/private/caKey.pem
Make the CA certificate:
sudo ipsec pki --self --ca --lifetime 3650 --in /etc/ipsec.d/private/caKey.pem --dn "C=CA, O=Example, CN=ExampleCA" --outform pem > caCert.pem
sudo mv caCert.pem /etc/ipsec.d/cacerts/caCert.pem
Long commands may appear over multiple lines on this web page, but must be entered as a single command.
Make the server key:
sudo ipsec pki --gen --outform pem > serverKey.pem
sudo mv serverKey.pem /etc/ipsec.d/private/serverKey.pem
sudo chmod 600 /etc/ipsec.d/private/serverKey.pem
Use your CA to sign the server certificate:
sudo ipsec pki --pub --in /etc/ipsec.d/private/serverKey.pem | sudo ipsec pki --issue --lifetime 365 --cacert /etc/ipsec.d/cacerts/caCert.pem --cakey /etc/ipsec.d/private/caKey.pem --dn "C=CA, O=Example, CN=gateway.example.com" --san gateway.example.com --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
sudo mv serverCert.pem /etc/ipsec.d/certs/serverCert.pem
Edit the StrongSwan IPsec configuration file:
sudo vi /etc/ipsec.conf
Delete the existing contents, and replace them with:
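As an added example (not the author's configuration file), here is an ipsec.conf that matches the names used on this page: the server authenticates with serverCert.pem as gateway.example.com, clients authenticate with a user name and password over EAP-MSCHAPv2 (the EAP entries in ipsec.secrets), and clients are assigned addresses from 10.9.0.0/24, the subnet that the MASQUERADE rule in the firewall step translates. The connection name ikev2-eap and the DNS servers handed to clients are assumptions.

```conf
config setup
    # Allow the same user name to log in from several devices at once.
    uniqueids=no

conn ikev2-eap
    auto=add
    keyexchange=ikev2
    type=tunnel
    # Fragment large IKE messages (the certificate payload) and force UDP
    # encapsulation so that clients behind NAT work reliably.
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no

    # Server side: authenticate with the certificate issued by ExampleCA.
    # The identity must match the certificate's SAN (gateway.example.com);
    # the leading @ tells strongSwan to treat it as an FQDN, not resolve it.
    left=%any
    leftid=@gateway.example.com
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    # Client side: user name and password via EAP-MSCHAPv2, looked up in
    # /etc/ipsec.secrets. Clients are assigned addresses from the pool
    # that the MASQUERADE rule in the firewall step translates.
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.9.0.0/24
    # Assumed resolvers; replace with the DNS servers you want clients to use.
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
```

The eap-mschapv2 plugin comes from the libcharon-extra-plugins package installed earlier; `ipsec statusall` after the restart should list the ikev2-eap connection.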
Edit the IPsec “secrets” file:
sudo vi /etc/ipsec.secrets
Insert two lines, the first for the server's private key and the second for the EAP user name and password:
: RSA serverKey.pem
derek : EAP "RhZ7DwL3b"
Note that there is a space before the colon on the first line. You must, of course, replace the user name and password with your own choices. Remember the user name and password, as you will need them later on when you configure your VPN client(s).
Allow forwarding in Linux kernel by editing the system control configuration file:
sudo vi /etc/sysctl.conf
Uncomment the line that enables IPv4 forwarding (net.ipv4.ip_forward=1):
Make this change effective now:
sudo sysctl -p
Open the firewall, and perform network address translation on outbound packets:
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -A INPUT -p 50 -j ACCEPT
sudo iptables -A INPUT -p 51 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
sudo dpkg-reconfigure iptables-persistent
Finish up the server work by restarting StrongSwan, so that all these changes will be effective:
sudo service strongswan restart
Also make your CA certificate available for download to the client(s) by putting it on a simple webpage, served by Apache, and accessible from the outside world:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo dpkg-reconfigure iptables-persistent
sudo apt-get install apache2
Copy the certificate into place:
sudo openssl x509 -outform der -in /etc/ipsec.d/cacerts/caCert.pem -out /var/www/html/caCert.crt
Create your simple webpage:
sudo vi /var/www/html/cacert.html
Insert some HTML to make the CA certificate available for download by the client(s):
<title>Your CA Certificate</title>
<h1>Here Is Your CA Certificate</h1>
<p><a href="caCert.crt">Download caCert.crt</a></p>
This is the end of the server set-up.
Go to your iPhone or iPad.
To import the CA certificate, open Safari and visit http://gateway.example.com/cacert.html (where you must, of course, replace the host name by your own choice).
Tap the link to the CA certificate. A wizard will walk you through the steps to install it on your iPad or iPhone.
Tap on Done at the end of the import process.
Now go to Settings. Tap the General section, then scroll down to and select the VPN section. Tap Add VPN Configuration.
To connect to the VPN, select the VPN configuration named StrongSwan.
Toggle the Status switch to the Connected (green) position.
Go to your Android phone or tablet.
To import the CA certificate to your Android device, visit http://gateway.example.com/cacert.html in the Chrome browser (NB this will not work if you try it in Firefox).
Tap on the link to the CA certificate. If asked, choose to Complete the action using the Certificate Installer, Just once.
You can leave the certificate name as caCert, and the Credential use as VPN and apps.
The CA certificate shows up on your Android device under Settings, General, Security, Trusted credentials, on the User tab:
Install the StrongSwan VPN Client from the Google Play Store:
Open the app. Tap ADD VPN PROFILE.
To connect to the VPN, select the VPN connection for gateway.example.com.
Check the box for I trust this application, and tap OK.
The VPN client connects to the VPN server.
Go to your Windows PC.
To download your CA certificate, visit http://gateway.example.com/cacert.html in a browser. Right click on the certificate file, choose Save target as, and save it to your Downloads folder.
To add the CA certificate to your Trusted Root Certification Authorities store:
Your ExampleCA certificate now appears in the Trusted Root Certification Authorities store:
To add a VPN connection, click the Start button, then select Settings, then Network & Internet, then VPN.
Click the button for + Add a VPN connection.
Important note: When I set the VPN type to IKEv2, the VPN did not work. I could connect to the VPN gateway and authenticate okay, but all traffic to the outside world was sent over my PC’s non-VPN Ethernet connection. The StrongSwan VPN was marked as having no Internet access. The workaround, as above, was to set the VPN type to Automatic.
To connect to the VPN, select the VPN connection named StrongSwan.
Unfortunately, at the time of writing, there was a problem with network-manager-strongswan version 1.3.1 (issue #1429) that prevented adding StrongSwan VPNs in GNOME Network Manager. This issue affected Debian 8 Jessie and Ubuntu 16.04, among others. Package version 1.4.1 in Debian 9 Stretch allows StrongSwan to work with Network Manager in Linux.