A tutorial about how to set up an IKEv2 VPN with a Let’s Encrypt SSL certificate
Updated Aug 11, 2022
Fixed Google GCP default eth0
with MTU 1460 UDP/TCP fragmentation
Handle SSL with Acme.sh
## Acme.sh
```shell
# you@example.com is a placeholder: the original address was lost in extraction
curl https://get.acme.sh | sh -s email=you@example.com && apt install socat
acme.sh --server buypass --register-account --accountemail you@example.com
acme.sh --server buypass --days 170 --standalone --issue -d xxx.com
acme.sh --install-cert -d xxx.com --cert-file /etc/ipsec.d/certs/cert.pem --key-file /etc/ipsec.d/private/privkey.pem --fullchain-file /etc/ipsec.d/certs/fullchain.pem
```
### Certbot
```shell
certbot certonly --cert-name xxx.icu --force-renewal
```

Alternatively, copy the files acme.sh keeps under its own directory by hand (this is what --install-cert does for you):

```shell
cp /root/.acme.sh/xxx.icu/xxx.icu.key   /etc/ipsec.d/private/privkey.pem
cp /root/.acme.sh/xxx.icu/ca.cer        /etc/ipsec.d/cacerts/chain.pem
cp /root/.acme.sh/xxx.icu/fullchain.cer /etc/ipsec.d/certs/fullchain.pem
cp /root/.acme.sh/xxx.icu/xxx.icu.cer   /etc/ipsec.d/certs/cert.pem
```
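As an added example that is not part of the original post or of acme.sh: a POSIX shell script that checks the PEM files placed in /etc/ipsec.d by --install-cert (or by the manual cp commands above) before strongswan is pointed at them: the private key belongs to the certificate, the subjectAltName carries the FQDN that will be used as leftid, the certificate is not about to expire, and the key is not group/world readable. The paths follow the post's layout; vpn.example.com, the script name and the self-signed demo certificate are constructed placeholders, and openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the PEM files that
# acme.sh --install-cert (or the manual cp commands) put in /etc/ipsec.d.
# Paths default to the post's layout; vpn.example.com is a placeholder FQDN.
# Usage: sh check_ipsec_cert.sh <leftid FQDN>   |   sh check_ipsec_cert.sh --demo

CERT="${CERT:-/etc/ipsec.d/certs/cert.pem}"
KEY="${KEY:-/etc/ipsec.d/private/privkey.pem}"
CHAIN="${CHAIN:-/etc/ipsec.d/certs/fullchain.pem}"

# 0 if the private key belongs to the certificate (identical public key), else 1.
cert_matches_key() {   # cert_matches_key <cert.pem> <privkey.pem>
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's subjectAltName lists the FQDN strongswan presents as
# leftid; clients compare the server identity against the SAN.
cert_has_san() {   # cert_has_san <cert.pem> <fqdn>
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:${name}(,|\$)"
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {   # cert_valid_for_days <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the private key is readable only by its owner (mode 600 or 400).
key_is_private() {   # key_is_private <privkey.pem>
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Run every check against the configured paths; non-zero if anything failed.
check_vpn_cert() {   # check_vpn_cert <leftid FQDN>
    rc=0
    for f in "$CERT" "$KEY" "$CHAIN"; do
        [ -r "$f" ] || { echo "missing: $f"; rc=1; }
    done
    cert_matches_key "$CERT" "$KEY" && echo "ok: key matches cert" || { echo "FAIL: key does not match cert"; rc=1; }
    cert_has_san "$CERT" "$1" && echo "ok: SAN contains $1" || { echo "FAIL: SAN lacks $1 (leftid must match)"; rc=1; }
    cert_valid_for_days "$CERT" 14 && echo "ok: valid for 14+ days" || { echo "FAIL: expires within 14 days, renew"; rc=1; }
    key_is_private "$KEY" && echo "ok: key mode is owner-only" || { echo "FAIL: chmod 600 $KEY"; rc=1; }
    return $rc
}

# Constructed demo input: a throwaway self-signed certificate with a SAN, so the
# checks can be exercised without a real Let's Encrypt / Buypass issuance.
make_demo_cert() {   # make_demo_cert <dir> <fqdn>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    cp "$1/cert.pem" "$1/fullchain.pem"
    chmod 600 "$1/privkey.pem"
}

if [ "$1" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_cert "$d" vpn.example.com
    CERT="$d/cert.pem" KEY="$d/privkey.pem" CHAIN="$d/fullchain.pem" check_vpn_cert vpn.example.com
    rm -rf "$d"
elif [ -n "$1" ]; then
    check_vpn_cert "$1"
fi
```

Run it with the FQDN from the certificate as argument after every renewal. acme.sh's --install-cert also accepts --reloadcmd, which is the place to run this check together with `ipsec rereadall` so that charon picks up the renewed files instead of serving the old ones until the next restart.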
Error messages from strongswan

Enable more debug output first: in /etc/ipsec.conf raise cfg from 0 to 2.

```shell
nano /etc/ipsec.conf
```

```
charondebug="ike 1, knl 1, cfg 2"
```

The messages then look like this (the TFC padding line is only informational, not an error):

```
EAP-Identity request configured, but not supported
Apr 19 19:54:49 tw-vpn2 charon[2000]: 07[IKE] loading EAP_MSCHAPV2 method failed
Apr 19 19:54:49 tw-vpn2 charon[2000]: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
```

To fix this, install the extra plugin packages that ship eap-mschapv2 and restart (reference: https://ubuntuforums.org/showthread.php?t=2217019):

```shell
apt install libcharon-extra-plugins libstrongswan-extra-plugins
service strongswan restart
```

If the tunnel comes up but you cannot reach google.com, the cause is MTU overhead:

```shell
ifconfig eth0 mtu 1500
```

Done... shit
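An added example (not from the original post) that turns the two charon lines above into a small triage script: it flags the missing eap-mschapv2 plugin, points out that the TFC padding message is harmless, and checks the interface MTU against the value the firewall's MSS clamp assumes (1500 on a plain VPS, 1460 on Google GCP). The sample log lines are the ones quoted above; the script name, the log path, the interface name and the grep over `ipsec statusall` output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): map the charon messages quoted
# above to concrete fixes, and check the interface MTU that the post ties to
# the "tunnel up but google.com unreachable" symptom.
# Usage: sh charon_triage.sh /var/log/syslog [eth0 [1500]]   (paths assumed)

# 0 if the log shows charon failing to load eap-mschapv2 (on Debian/Ubuntu the
# plugin ships in libcharon-extra-plugins / libstrongswan-extra-plugins).
needs_eap_plugins() {   # needs_eap_plugins <logfile>
    grep -q 'loading EAP_MSCHAPV2 method failed' "$1" ||
    grep -q 'EAP-Identity request configured, but not supported' "$1"
}

# 0 if the running charon lists eap-mschapv2 among its loaded plugins
# (assumes the "loaded plugins:" line of ipsec statusall).
eap_plugin_loaded() {
    ipsec statusall 2>/dev/null | grep -q 'eap-mschapv2'
}

# Print a hint for each known problem in a charon log; 0 if any was printed.
charon_hints() {   # charon_hints <logfile>
    hit=1
    if needs_eap_plugins "$1"; then
        echo "eap-mschapv2 not loaded: apt install libcharon-extra-plugins libstrongswan-extra-plugins && service strongswan restart"
        hit=0
    fi
    if grep -q 'ESP_TFC_PADDING_NOT_SUPPORTED' "$1"; then
        echo "note: ESP_TFC_PADDING_NOT_SUPPORTED is informational (peer declined TFC padding), not an error"
    fi
    return $hit
}

# 0 if the interface MTU equals the value the TCPMSS rule in the firewall
# assumes (1500 on a normal VPS, 1460 on Google GCP); 1 on a mismatch,
# 2 if the interface does not exist.
mtu_matches() {   # mtu_matches <iface> <expected-mtu>
    cur=$(cat "/sys/class/net/$1/mtu" 2>/dev/null) || { echo "no such interface: $1" >&2; return 2; }
    [ "$cur" -eq "$2" ] && return 0
    echo "$1 mtu is $cur, expected $2 (fix: ifconfig $1 mtu $2, then re-check the TCPMSS clamp)"
    return 1
}

# Constructed sample input: the two charon lines quoted in the post.
write_sample_log() {   # write_sample_log <path>
    cat >"$1" <<'EOF'
Apr 19 19:54:49 tw-vpn2 charon[2000]: 07[IKE] loading EAP_MSCHAPV2 method failed
Apr 19 19:54:49 tw-vpn2 charon[2000]: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
EOF
}

if [ -n "$1" ]; then
    charon_hints "$1"
    if [ -n "$2" ]; then mtu_matches "$2" "${3:-1500}"; fi
else
    # dry run on the constructed sample when no log file is given
    s=$(mktemp); write_sample_log "$s"; charon_hints "$s"; rm -f "$s"
fi
```

Point it at the syslog (or journalctl -u strongswan output saved to a file) right after the first failed client connection; the MTU check is what to run before reaching for the TCPMSS rules further down.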
// Step 1 - install Strongswan and certbot
```shell
apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins
```
// Step 4 - Edit ipsec.conf
```
config setup
    charondebug="ike 1, knl 1, cfg 2"
    # allow several simultaneous connections per account
    uniqueids=never

# define a new ipsec connection
conn hakase-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # the proposals keep modp1024 and 3des-sha1 for old clients; drop them once every client negotiates the stronger entries
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    # placeholder: the FQDN from the certificate's SAN (the original value was lost in extraction)
    leftid=@xxx.com
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24,fd9d:bc11:4021::/64
    rightdns=9.9.9.9
    rightsendcert=never
    eap_identity=%identity
```
// Step 6 - Edit ipsec.secrets
```shell
nano /etc/ipsec.secrets
```

```
: RSA "privkey.pem"
hakase : EAP "hakase321@"
tensai : EAP "tensai321@"
```
// Step 7 - Enable and start strongswan
```shell
systemctl start strongswan
systemctl enable strongswan
```
// Step 8 - Enable IP forwarding

```shell
nano /etc/sysctl.conf
```

```
net.ipv4.ip_forward = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1
```
// Step 9 - save reload sysctl
```shell
sysctl -p
systemctl restart strongswan
```
Iptables configuration (IPv4). The rules are grouped by table in iptables-restore syntax; when loading them that way, each table block has to end with COMMIT.

```
*filter
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 500,4500 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -m conntrack --ctstate NEW -j ACCEPT

*nat
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
```

MSS clamping with eth0 MTU 1500 (a normal VPS):

```
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
```

MSS clamping with eth0 MTU 1460 (Google GCP):

```
*mangle
-A FORWARD -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -s 10.10.10.0/24 -m tcpmss --mss 1280:1500 -j TCPMSS --set-mss 1310
-A FORWARD -o eth0 -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -s 10.10.10.0/24 -m tcpmss --mss 1280:1500 -j TCPMSS --set-mss 1310
```
Generate .mobileconfig
- https://alephnull.uk/lets-encrypt-on-demand-ikev2-vpn-debian-ubuntu-ios-username-password-authentication
References:
1. https://www.howtoforge.com/tutorial/how-to-setup-ikev2-vpn-using-strongswan-and-letsencrypt-on-centos-7/ (*)
2. https://redplus.me/post/set-up-ikev2-vpn-for-ios-and-macos-with-local-dns-cache-and-dnscrypt/ (*)
3. https://www.howtoing.com/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
4. https://gist.github.com/andrewlkho/31341da4f5953b8d977aab368e6280a8
5. https://github.com/trailofbits/algo/tree/master/roles/vpn/templates
6. http://blog.dunkelstern.de/2016/08/07/ikev2-vpn-with-strongswan/
7. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
8. https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/ (FIX MTU problem)
9. Algo VPN MTU: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
10. https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Updated 2018-11-04
Added missing fullchain.pem