insights/content/tutorials/set-up-ikev2-vpn-server-and-clients/index.md

323 lines
15 KiB
Markdown
Raw Normal View History

2023-05-30 06:59:36 +07:00
---
title: "Set Up IKEv2 VPN Server and Clients"
description: "IKEv2 contains improvements such as Standard Mobility support. This is my personal snippet to set up IKEv2 VPN server & clients for multiple servers."
# linkTitle:
date: 2019-07-01T03:50:32+07:00
lastmod:
draft: false
noindex: false
# comments: false
nav_weight: 1000
# nav_icon:
# vendor: bootstrap
# name: toggles
# color: '#e24d0e'
series:
- IPsec VPN
categories:
- Networking
- SysAdmin
tags:
- VPN
- IPsec
- IKEv2
- MacOS
- iPhone
images:
# menu:
# main:
# weight: 100
# params:
# icon:
# vendor: bs
# name: book
# color: '#e24d0e'
authors:
- ditatompel
---
As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully [set up your own IPsec VPN server]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md">}}), and [upgraded Libreswan](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#upgrade-libreswan) to the latest version due to [CVE-2019-10155](https://libreswan.org/security/CVE-2019-10155/). This for **advanced users** only. Other users please use [IPsec/L2TP]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}}) or [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
<!--more-->
## Intro
Modern operating systems support the IKEv2 standard. [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains [improvements](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) such as Standard Mobility support through [MOBIKE](https://tools.ietf.org/html/rfc4555) and improved reliability.
Libreswan can authenticate IKEv2 clients on the basis of [X.509](https://en.wikipedia.org/wiki/X.509) Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with:
- OS X (macOS)
- iOS (iPhone/iPad)
- Android 4.x and newer (using the strongSwan VPN client)
- Windows 7, 8.x and 10
2024-02-24 00:19:46 +07:00
Because IKEv2 use key exchange, and you need to import Server and Client Certificate on your machine. It will be a problem in the future to manage/revoke the imported certificate if you have multiple IKEv2 VPN servers with same root CA Common Name and client certificate username.
2023-05-30 06:59:36 +07:00
This is my personal snippet to set up IKEv2 VPN server & clients for multiple servers. Basically I only add (let say) server name or node name after root CA Common Name and client certificate username.
![Apple Key Chain](apple-keychain-access.png#center)
You don't need to follow this method if you only connect to 1 IKEv2 server, use the [original guide](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md) instead.
## Set up IKEv2 VPN Server
The following example shows how to configure IKEv2 with Libreswan. Any commands below must be run as `root`.
Find the VPN server's public IP, save it to a variable and check.
```bash
PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
printf '%s\n' "$PUBLIC_IP"
```
Make sure the output matches the server's public IP. The `$PUBLIC_IP` variable is required for the next steps.
2024-02-24 00:19:46 +07:00
Create new `ikev2.conf` file in `/etc/ipsec.d/` directory and include them in `/etc/ipsec.conf` :
2023-05-30 06:59:36 +07:00
```bash
cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp
left=%defaultroute
leftcert=$PUBLIC_IP
leftid=@$PUBLIC_IP
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
right=%any
rightid=%fromcert
rightaddresspool=192.168.43.10-192.168.43.250
rightca=%same
rightrsasigkey=%cert
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
pfs=no
ike-frag=yes
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
EOF
```
```bash
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
echo >> /etc/ipsec.conf
echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf
fi
```
> _**NOTICE**: You should [upgrade Libreswan](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#upgrade-libreswan) to the latest version due to IKEv1 informational exchange packets not integrity checked ([CVE-2019-10155](https://libreswan.org/security/CVE-2019-10155/))._
We need to add a few more lines for IKEv2 connection config on `/etc/ipsec.conf` file related to Libreswan version. First, check your Libreswan version:
```bash
ipsec --version
```
For Libreswan `3.23` and newer, add these following config under IKEv2 connection config in `/etc/ipsec.conf`.
```plain
modecfgdns="8.8.8.8 8.8.4.4"
encapsulation=yes
mobike=no
```
> _**Note**: If your server runs Debian or CentOS/RHEL and you wish to enable MOBIKE support, replace `mobike=no` with `mobike=yes` in the command above. **DO NOT enable this option on Ubuntu systems**._
For Libreswan `3.19`-`3.22`:
```plain
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
encapsulation=yes
```
For Libreswan `3.18` and older:
```plain
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
forceencaps=yes
```
> _You can replace Google Public DNS `8.8.8.8` and `8.8.4.4` with your server provider DNS if you want._
### Generate Certificate Authority (CA) and VPN Server Certificates
2024-02-24 00:19:46 +07:00
- You can specify the certificate validity period (in months) with `-v` argument. e.g., `-v 36`.
- As I mentioned above, To easily manage VPN certificates on multiple server. I've added `SERVERNAME` after `IKEv2 VPN CA` Common Name. Replace `SERVERNAME` with something you can easily remember.
2023-05-30 06:59:36 +07:00
```bash
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "IKEv2 VPN CA SERVERNAME" \
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA SERVERNAME" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t "CT,," -2
```
```plain
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
N
```
**Note**: If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`.
```bash
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA SERVERNAME" -n "$PUBLIC_IP" \
-s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth \
--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
```
### Generate Client Certificates
The next step is to generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate.
Run these command to generate client certificate:
> _**Note**: Replace `VPNUSERNAME` with your username. I recommend you to add prefix or suffix related with your server name._
```bash
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA SERVERNAME" -n "VPNUSERNAME" \
-s "O=IKEv2 VPN,CN=VPNUSERNAME" \
-k rsa -g 4096 -v 36 \
-d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "VPNUSERNAME"
```
Then export client certificate with to pk12util command below:
```bash
pk12util -o VPNUSERNAME.p12 -n "VPNUSERNAME" -d sql:/etc/ipsec.d
```
```plain
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
```
> _**YOU MUST** enter a secure password to protect the exported `.p12` file because when importing into an iOS or macOS device, this password cannot be empty._
You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `VPNUSERNAME` with `VPNUSERNAME2`, etc.
2024-02-24 00:19:46 +07:00
> _**Note**: To connect multiple VPN clients simultaneously, you must generate a unique certificate for each device._
2023-05-30 06:59:36 +07:00
(For macOS and iOS clients) Export the CA certificate as `vpnca_SERVERNAME.cer`:
```bash
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA SERVERNAME" -a -o vpnca_SERVERNAME.cer
```
2024-02-24 00:19:46 +07:00
To check certificate database, you can run these following commands:
2023-05-30 06:59:36 +07:00
```bash
certutil -L -d sql:/etc/ipsec.d
```
```plain
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
IKEv2 VPN CA SERVERNAME CTu,u,u
($PUBLIC_IP) u,u,u
VPNUSERNAME u,u,u
```
To display a certificate, use:
```bash
certutil -L -d sql:/etc/ipsec.d -n "VPNUSERNAME"
```
To delete a certificate, use:
```bash
certutil -D -d sql:/etc/ipsec.d -n "VPNUSERNAME"
```
For other `certutil` usage, read [this page](http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html).
The last step on the server is restart `ipsec` *service* (this is important).
```bash
service ipsec restart
```
The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure VPN clients.
## Configure IKEv2 VPN Clients
**Note**: If you specified the server's DNS name (instead of its IP address) for `$PUBLIC_IP` variable in first step above, you must enter the DNS name in the **Server** and **Remote ID** fields.
2024-02-24 00:19:46 +07:00
### macOS Clients Configuration
2023-05-30 06:59:36 +07:00
Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your Mac, then double-click to import them **one by one** into the **login** keychain in **Keychain Access**.
Next, double-click on the imported `IKEv2 VPN CA SERVERNAME` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu.
2024-02-24 00:19:46 +07:00
![macOS VPN CA](vpn_ca.png#center)
2023-05-30 06:59:36 +07:00
When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAME` are listed under the **Certificates** category of **login** keychain.
- Go to **Network** section in **System Preferences**.
- Click the <kbd>+</kbd> button in the bottom-left corner of the window.
- Select **VPN** from the **Interface** drop-down menu.
- Select **IKEv2** from the **VPN Type** drop-down menu.
- **Service Name**: enter anything you like (usually name of the VPN connection).
- Click **Create**.
- **Server Address**: Your VPN `Server IP` (or DNS name).
- **Remote ID**: Your VPN `Server IP` (or DNS name).
- Leave the **Local ID** field blank.
2024-02-24 00:19:46 +07:00
- Click the **Authentication Settings**… button.
2023-05-30 06:59:36 +07:00
- Select **None** from the **Authentication Settings** drop-down menu.
- Select the **Certificate** radio button, then select the **VPNUSERNAME** certificate.
- Click **OK**.
- Check the **Show VPN status in menu bar** checkbox.
- Click **Apply** to save the VPN connection information.
- Click **Connect**.
### iOS (iPhone/iPad) Clients Configuration
2024-02-24 00:19:46 +07:00
Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your iOS device, then import them **one by one** as **iOS profiles**. To transfer the files, you may use AirDrop or host the files on your website, then download and import them in Safari. When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAME` are listed under **Settings****General** →**Profiles**.
- Go to **Settings****General****VPN**.
- Tap **Add VPN Configuration**….
2023-05-30 06:59:36 +07:00
- Tap **Type**. Select **IKEv2** and go back.
- **Description**: enter anything you like (usually name of the VPN connection).
- **Server**: Your VPN `Server IP`.
- **Remote ID**: Your VPN `Server IP` (or DNS name).
- Leave the **Local ID** field blank.
- Tap **User Authentication**. Select **None** and go back.
- Make sure the **Use Certificate** switch is ON.
- Tap **Certificate**. Select **VPNUSERNAME** and go back.
- Tap **Done**.
- Slide the **VPN** switch ON.
![iPhone IKEv2 VPN](iphone-ikev2.jpg#center)
Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
### Other Devices
2024-02-24 00:19:46 +07:00
Since I only use IKEv2 on my Mac and iPhone for work device, I can't post guide for Windows, Linux, and Android here. You can follow the [guide for each OS here](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#configure-ikev2-vpn-clients).
2023-05-30 06:59:36 +07:00
## Known issues
2024-02-24 00:19:46 +07:00
1. The built-in VPN client on Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}}) or [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
2023-05-30 06:59:36 +07:00
2. If using the strongSwan Android VPN client, you must **upgrade Libreswan** on your server to version `3.26` or above.
3. If your VPN client can connect but cannot open any website, try editing `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=` under section `conn ikev2-cp` and delete `aes_gcm-null,`. Save the file and run `service ipsec restart`.
4. Ubuntu 18.04 and CentOS users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more [here](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460430354).
2024-02-24 00:19:46 +07:00
5. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g., home router) is not supported at this time. For this use case, please instead use [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
2023-05-30 06:59:36 +07:00
## Credits
- All articles credits belongs to [Lin Song](https://www.linkedin.com/in/linsongui/) and [contributors](https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors).
- Feature Image credit to [portal gda](https://www.flickr.com/photos/135518748@N08/) Flickr.
## Links and Resources
- [https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)
- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md)
- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting)
- [https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2](https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2)
- [https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan)
- [https://libreswan.org/man/ipsec.conf.5.html](https://libreswan.org/man/ipsec.conf.5.html)
- [https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients)
- [https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient](https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient)