Advance

How to setup IKev2 on centos 8 complete

How to setup IKev2 on centos 8 complete

[Updated] The most commonly used protocol today is called Internet Key Exchange (IKE). The first version was released in 1998 and its common name is IKEv1. Because the first version of IKE was used by IPsec by default. The IKEv1 specification upgraded its hidden parts, and in 2005, IKEv2 was created. With this update, the protocol became more reliable and more resilient to DOS attacks. IKEv2 is an IPsec-based protocol that stands for Internet Key Exchange Version 2. In this article, we are going to teach you to step by step How to Setup IKev2 on centos 8. You can visit the packages available in Eldernode if you wish to purchase a CentOS VPS server.

Tutorial Setup IKev2 on CentOS 8

At first, it’s good to introduce StrongSwan software for you and after that let’s setup and lets to How to Setup IKev2 on CentOS 8.

Recommended Article: How to Setup OpenVPN On Windows Server 2019

What is StrongSwan?

By visiting the Strongswan website, you will realize, StrongSwan is an open-source multiplatform IPsec implementation. It’s an IPsec-based VPN solution that focuses on strong authentication mechanisms. StrongSwan offers support for both IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication.

After reading the what is StrongSwan section, now we are going to teach you How to setup IKev2 on centos 8 step by step and finally run a VPN server on CentOS 8.

Prerequisites to Setup IKev2 on CentOS 8

It is important to prepare the following prerequisites before launching IKev 2 on CentOS 8. After preparing these prerequisites, you can follow the setup steps in the next section:

_ Fresh CentOS 8 Server

_ Root privileges

How to setup IKev2 on CentOS 8

To setup IKev2 on centos 8, you need to follow the following sections in order.

Install StrongSwan on CentOS 8

In this first step, we will install the Strongswan IPsec implement software and all packages needed from the EPEL repository. So add EPEL repo with the following command:

dnf install epel-release

After the EPEL repository installed successfully, run the following command for installing StronsSwan:

dnf install strongswan

Generate SSL Certificate by Let’s Encrypt

To generate a certificate, you need a domain and a subdomain to point to this server. So we choose vpn.eldernode.com record on our DNS and you have to choose your record and replace all records we use our domain name.

At first, you need to install the Let’s encrypt bot with the following command:

wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto

After that, make it executable with the following command:

chmod +x /usr/local/bin/certbot-auto

Now certbot tool install and ready to generate SSL for your server.

To generate SSL with let’s encrypt, you need to open HTTP and HTTPS port, for this instruction please following these commands:

firewall-cmd --add-service=http --permanent  
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

Remember Don’t turn off or disable Firewalld, because we need Firewalld service later.

Now you can generate a new SSL and get a certificate file for your VPN server:

certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email your [email protected] -d vpn.eldernode.com

Note: Please change the email to your mail and change vpn.eldernode.com to your domain name.

After the complete command, you’ll see congratulation! and now using your SSL certificate

Next, you need to copy the certificate files ‘fullchain.pem‘, ‘privkey.pem‘, and the ‘chain.pem‘ to the ‘/etc/strongswan/ipsec.d/‘ directory.

cp /etc/letsencrypt/live/vpn.eldernode.com/fullchain.pem /etc/strongswan/ipsec.d/certs/  
cp /etc/letsencrypt/live/vpn.eldernode.com/privkey.pem /etc/strongswan/ipsec.d/private/  
cp /etc/letsencrypt/live/vpn.eldernode.com/chain.pem /etc/strongswan/ipsec.d/cacerts/

We use our domain name, so certbot creates a directory for SSL with our server name. for you, certbot creates and generates SSL on your domain name directory.

Recommended Article: How to setup IKev2 on centos 8 complete

How to Configure StrongSwan as IKev2 VPN Server

Go to /etc/strongswan directory and take a backup from ipsec.conf, using the following commands:

cd /etc/strongswan  
mv ipsec.conf ipsec.conf.original

after that, you create a new ipsec.conf with the following command:

vi ipsec.conf

you could use any editor on centos 8 like vim or nano for creating and edit files. Then copy and paste the following configuration on ipsec.conf file:

config setup      uniqueids=never # for allow multiple connections per user      charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"  conn %default      fragmentation=yes      closeaction=restart      rekey=no      dpdaction=clear      keyexchange=ikev2      compress=yes      dpddelay=35s      lifetime=3h      ikelifetime=12h      ike=aes256gcm16-prfsha512-ecp384!      esp=aes256gcm16-ecp384!      left=%any      [email protected]      leftcert=fullchain.pem      leftsendcert=always      leftsubnet=0.0.0.0/0      right=%any      rightid=%any      rightauth=eap-mschapv2      rightsourceip=192.168.20.0/24      rightdns=1.1.1.1,8.8.4.4      rightsendcert=never      eap_identity=%identity  conn ikev2-pubkey      auto=add

Note: Replace your domain name instead of our domain name on the configuration.

After that, Save and exit from the file. Now, we want to create some users for connecting to the server. So the following command to open ipsec.secret file:

vi ipsec.secrets

copy and paste the following configuration on the file and save and exit. for more information, you can add more users like see on the configuration:

: RSA "privkey.pem"  alex : EAP "alex@4re4"  john : EAP "johni#poe"

Enable and start StrongSwan service with the following command:

systemctl enable strongswan  
systemctl start strongswan

Now Strongswan service is activated and run, you can check with the following command:

systemctl status strongswan

How to Enable NAT in Firewalld

In previous articles, we introduce Firewalld and learn how to use it. if you need to learn about Firewalld, you could read the Configure firewalld on centos 8.

In this step, you will enable AH, ESP, and NAT masquerading on Firewalld with a rich-rule configuration. You can add ipsec UDP ports and services using the following commands:

firewall-cmd --zone=public --permanent --add-port=4500/udp  
firewall-cmd --zone=public --permanent --add-port=500/udp  
firewall-cmd --zone=public --permanent --add-service="ipsec"

You can then add AH and ESP to Firewalld by executing the following commands for authentication and encryption protocol:

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'  
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'

Now enable NAT and reload the Firewalld configuration rules:

firewall-cmd --zone=public --permanent --add-masquerade  
firewall-cmd --reload

How to Enable port-forwarding on sysctl

For enabling port forwarding on CentOS 8, you need to edit sysctl.conf file. First, edit /etc/sysctl.conf file with the following command:

vi /etc/sysctl.conf

After the open file with an editor, copy and paste the following configuration, save, and exit:

net.ipv4.ip_forward = 1  net.ipv4.conf.all.accept_redirects = 0  net.ipv4.conf.all.send_redirects = 0

You need to reload sysctl configuration with the command below:

sysctl -p

Now port forwarding is enabled and you just need to restart Strongswan service:

systemctl restart strongswan

Great. your IKev2 VPN server on CentOS 8 is ready and you use it on iPhone, Windows, android Strongswan app, iMac and etc.

Conclusion

In this article, we try to learn you How to setup IKev2 on centos 8 step by step. Now if you have any questions, you comment on the below page or ask your question on the Eldernode community.

We Are Waiting for your valuable comments and you can be sure that it will be answered in the shortest possible time.

Leave a Reply

Your email address will not be published. Required fields are marked *

We are by your side every step of the way

Think about developing your online business; We will protect it compassionately

We are by your side every step of the way

+8595670151

7 days a week, 24 hours a day