[Updated] The most commonly used protocol today is called Internet Key Exchange (IKE). The first version was released in 1998 and its common name is IKEv1. Because the first version of IKE was used by IPsec by default. The IKEv1 specification upgraded its hidden parts, and in 2005, IKEv2 was created. With this update, the protocol became more reliable and more resilient to DOS attacks. IKEv2 is an IPsec-based protocol that stands for Internet Key Exchange Version 2. In this article, we are going to teach you to step by step How to Setup IKev2 on centos 8. You can visit the packages available in Eldernode if you wish to purchase a CentOS VPS server.
Tutorial Setup IKev2 on CentOS 8
At first, it’s good to introduce StrongSwan software for you and after that let’s setup and lets to How to Setup IKev2 on CentOS 8.
What is StrongSwan?
By visiting the Strongswan website, you will realize, StrongSwan is an open-source multiplatform IPsec implementation. It’s an IPsec-based VPN solution that focuses on strong authentication mechanisms. StrongSwan offers support for both IKEv1 and IKEv2 key exchange protocols, authentication based on X.509 certificates or pre-shared keys, and secure IKEv2 EAP user authentication.
After reading the what is StrongSwan section, now we are going to teach you How to setup IKev2 on centos 8 step by step and finally run a VPN server on CentOS 8.
Prerequisites to Setup IKev2 on CentOS 8
It is important to prepare the following prerequisites before launching IKev 2 on CentOS 8. After preparing these prerequisites, you can follow the setup steps in the next section:
_ Fresh CentOS 8 Server
_ Root privileges
How to setup IKev2 on CentOS 8
To setup IKev2 on centos 8, you need to follow the following sections in order.
Install StrongSwan on CentOS 8
In this first step, we will install the Strongswan IPsec implement software and all packages needed from the EPEL repository. So add EPEL repo with the following command:
dnf install epel-release
After the EPEL repository installed successfully, run the following command for installing StronsSwan:
dnf install strongswan
Generate SSL Certificate by Let’s Encrypt
To generate a certificate, you need a domain and a subdomain to point to this server. So we choose vpn.eldernode.com record on our DNS and you have to choose your record and replace all records we use our domain name.
At first, you need to install the Let’s encrypt bot with the following command:
wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto
After that, make it executable with the following command:
chmod +x /usr/local/bin/certbot-auto
Now certbot tool install and ready to generate SSL for your server.
To generate SSL with let’s encrypt, you need to open HTTP and HTTPS port, for this instruction please following these commands:
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
Remember Don’t turn off or disable Firewalld, because we need Firewalld service later.
Now you can generate a new SSL and get a certificate file for your VPN server:
certbot-auto certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email your [email protected] -d vpn.eldernode.com
Note: Please change the email to your mail and change vpn.eldernode.com to your domain name.
After the complete command, you’ll see congratulation! and now using your SSL certificate
Next, you need to copy the certificate files ‘fullchain.pem‘, ‘privkey.pem‘, and the ‘chain.pem‘ to the ‘/etc/strongswan/ipsec.d/‘ directory.
cp /etc/letsencrypt/live/vpn.eldernode.com/fullchain.pem /etc/strongswan/ipsec.d/certs/
cp /etc/letsencrypt/live/vpn.eldernode.com/privkey.pem /etc/strongswan/ipsec.d/private/
cp /etc/letsencrypt/live/vpn.eldernode.com/chain.pem /etc/strongswan/ipsec.d/cacerts/
We use our domain name, so certbot creates a directory for SSL with our server name. for you, certbot creates and generates SSL on your domain name directory.
How to Configure StrongSwan as IKev2 VPN Server
Go to /etc/strongswan directory and take a backup from ipsec.conf, using the following commands:
mv ipsec.conf ipsec.conf.original
after that, you create a new ipsec.conf with the following command:
you could use any editor on centos 8 like vim or nano for creating and edit files. Then copy and paste the following configuration on ipsec.conf file:
config setup uniqueids=never # for allow multiple connections per user charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" conn %default fragmentation=yes closeaction=restart rekey=no dpdaction=clear keyexchange=ikev2 compress=yes dpddelay=35s lifetime=3h ikelifetime=12h ike=aes256gcm16-prfsha512-ecp384! esp=aes256gcm16-ecp384! left=%any [email protected] leftcert=fullchain.pem leftsendcert=always leftsubnet=0.0.0.0/0 right=%any rightid=%any rightauth=eap-mschapv2 rightsourceip=192.168.20.0/24 rightdns=126.96.36.199,188.8.131.52 rightsendcert=never eap_identity=%identity conn ikev2-pubkey auto=add
Note: Replace your domain name instead of our domain name on the configuration.
After that, Save and exit from the file. Now, we want to create some users for connecting to the server. So the following command to open ipsec.secret file:
copy and paste the following configuration on the file and save and exit. for more information, you can add more users like see on the configuration:
: RSA "privkey.pem" alex : EAP "[email protected]" john : EAP "johni#poe"
Enable and start StrongSwan service with the following command:
systemctl enable strongswan
systemctl start strongswan
Now Strongswan service is activated and run, you can check with the following command:
systemctl status strongswan
How to Enable NAT in Firewalld
In previous articles, we introduce Firewalld and learn how to use it. if you need to learn about Firewalld, you could read the Configure firewalld on centos 8.
In this step, you will enable AH, ESP, and NAT masquerading on Firewalld with a rich-rule configuration. You can add ipsec UDP ports and services using the following commands:
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"
You can then add AH and ESP to Firewalld by executing the following commands for authentication and encryption protocol:
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
Now enable NAT and reload the Firewalld configuration rules:
firewall-cmd --zone=public --permanent --add-masquerade
How to Enable port-forwarding on sysctl
For enabling port forwarding on CentOS 8, you need to edit sysctl.conf file. First, edit /etc/sysctl.conf file with the following command:
After the open file with an editor, copy and paste the following configuration, save, and exit:
net.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0
You need to reload sysctl configuration with the command below:
Now port forwarding is enabled and you just need to restart Strongswan service:
systemctl restart strongswan
Great. your IKev2 VPN server on CentOS 8 is ready and you use it on iPhone, Windows, android Strongswan app, iMac and etc.
In this article, we try to learn you How to setup IKev2 on centos 8 step by step. Now if you have any questions, you comment on the below page or ask your question on the Eldernode community.