Adding old content "IPsec VPN series"

content/archives/2019/07/_index.id.md

@@ -0,0 +1,3 @@
+---
+title: Jul
+---

content/archives/2019/07/_index.md

@@ -0,0 +1,3 @@
+---
+title: Jul 
+---

content/tutorials/configure-ipsec-l2tp-vpn-clients/index.md

@@ -0,0 +1,135 @@
+---
+title: "Configure IPsec/L2TP VPN Clients"
+description: "This is the next part after you successfully set up your own IPsec VPN server. Following these steps allow you to configure your Android, iOS, MacOS, and Linux machine using IPsec/L2TP VPN."
+# linkTitle:
+date: 2019-07-01T03:44:00+07:00
+lastmod:
+draft: false
+noindex: false
+# comments: false
+nav_weight: 1000
+# nav_icon:
+#   vendor: bootstrap
+#   name: toggles
+#   color: '#e24d0e'
+series:
+  - IPsec VPN
+categories:
+  - Networking
+  - SysAdmin
+tags:
+  - VPN
+  - IPsec
+  - L2TP
+  - MacOS
+  - iPhone
+  - Android
+  - Linux
+images:
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+This is the next part after you successfully [set up your own IPsec VPN server]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md">}}). Following these steps allow you to configure your **Android**, **iOS**, **MacOS**, and **Linux** machine using **IPsec/L2TP** VPN.
+
+**IPsec/L2TP** is natively supported by Android, iOS, OS X, and Windows, so there is no additional software to install for them. Setup should only take a few minutes. For Linux users, additional [L2TP network manager](https://github.com/nm-l2tp/NetworkManager-l2tp?ref=rtd.ditatompel.com) package needs to be installed.
+
+<!--more-->
+
+> **Note**:
+> * You may also connect using the faster [IPsec/XAuth mode]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md" >}}), or [set up IKEv2]({{< ref "/tutorials/set-up-ikev2-vpn-server-and-clients/index.md" >}}).
+> * To avoid connection issues when connecting multiple devices simultaneously from behind the same NAT (e.g. home router), use [IPsec/XAuth mode]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md" >}}).
+
+## MacOS Clients Configuration
+- Go to **Network** section in **System Preferences**.
+- Click the <kbd>+</kbd> button in the bottom-left corner of the window.
+- Select **VPN** from the **Interface** drop-down menu.
+- Select **L2TP over IPSec** from the **VPN Type** drop-down menu.
+- S**ervice Name**: enter anything you like (usually name of the VPN connection).
+- Click **Create**.
+- **Server Address**: Your VPN `Server IP`.
+- **Account Name**: Your VPN `Username`.
+- **Show VPN status in menu bar** checked.
+- Click the **Authentication Settings** button.
+- In the **User Authentication** section, select the **Password** radio button and enter Your VPN `Password`.
+- In the **Machine Authentication** section, select the **Shared Secret** radio button and enter Your VPN `IPsec PSK`.
+![L2TP MacOS setting 1](l2tp-mac-auth-2.png#center)
+- (**Important**) Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked.
+![L2TP MacOS setting 2](l2tp-mac-all-con.png#center)
+- Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section.
+- Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information.
+
+To connect to the VPN: Use the menu bar icon, or go to the **Network** section of **System Preferences**, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+## iOS (iPhone/iPad) Clients Configuration
+- Go to **Settings** -> **General** -> **VPN**.
+- Tap **Add VPN Configuration**....
+- Tap **Type**. Select **L2TP** and go back.
+- Description: enter anything you like (usually name of the VPN connection).
+- **Server**: Your VPN `Server IP`.
+- **Account**: Your VPN `Username`.
+- **Password**: Your VPN `Password`.
+- **Secret**: Your VPN `IPsec PSK`.
+- Make sure the **Send All Traffic** switch is **ON**.
+- Tap **Done** and slide **VPN** switch **ON**.
+![L2TP iPhone setting](l2tp-iphone.jpg#center)
+
+Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+## Android Clients Configuration
+- Go to **Settings** > **Wireless & Networks** > **VPN**.
+- **Add VPN Profile** by tapping the <kbd>+</kbd> icon at top-right of screen.
+- **Name**: enter anything you like (usually name of the VPN connection).
+- **Type**: Choose **L2TP/IPSec PSK**.
+- **Server address**: Your VPN `Server IP`.
+- Leave **L2TP secret** & **IPSec identifier** field blank.
+- I**PSec pre-shared key**: Your VPN `IPsec PSK`.
+- Tap **Save**.
+- Tap the new VPN connection.
+- **Username**: Your VPN `Username`.
+- **Password**: Your VPN `Password`.
+- Check the **Save account information** checkbox.
+- Tap **Connect**.
+![L2TP Android setting](l2tp-android.jpg#center)
+
+Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+## Linux Clients Configuration
+First check [here](https://github.com/nm-l2tp/network-manager-l2tp/wiki/Prebuilt-Packages) to see if the `network-manager-l2tp` and `network-manager-l2tp-gnome` packages are available for your Linux distribution. If yes, install them (Use **strongSwan**). After packages installation done, add your VPN connection.
+
+- Go to **Settings** -> **Network** -> **VPN**. Click the <kbd>+</kbd> button.
+- Select **Layer 2 Tunneling Protocol (L2TP)**.
+- **Name**: enter anything you like (usually name of the VPN connection).
+- **Gateway**: Your VPN `Server IP`.
+- **User name**: Your VPN `Username`.
+- **Password**: Your VPN `Password` (click the <kbd>?</kbd> in the password field, select **Store the password only for this user**)
+- Leave the **NT Domain** field blank.
+- Click the **IPsec Settings**... button.
+![L2TP Linux 1](l2tp-linux-1.png#center)
+- **Enable IPsec tunnel to L2TP host**: **checked**.
+- Leave the **Gateway ID** field blank.
+- **Pre-shared key**: Your VPN `IPsec PSK`.
+- Expand the **Advanced** section.
+- Enter `aes128-sha1-modp2048!` for the **Phase1 Algorithms** and **Phase2 Algorithms**.
+![L2TP Linux 2](l2tp-linux-2.png#center)
+
+For **Fedora** > `28` and **CentOS 7** users can connect using the faster [IPsec/XAuth mode]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md" >}}). Alternatively, you may [configure Linux VPN L2TP clients using the command line](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#configure-linux-vpn-clients-using-the-command-line).
+
+## Windows Clients Configuration
+Since I don't have any Windows machine, you can follow [source documentation](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows) by Lin Song.
+
+## Credits
+- All articles credits belongs to [Lin Song](https://www.linkedin.com/in/linsongui/) and [contributors](https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors).
+- Feature Image credit to [Richard Patterson](http://www.comparitech.com/).
+
+## Links and Resources
+* [https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)
+* [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting)

content/tutorials/configure-ipsec-xauth-vpn-clients/index.md

@@ -0,0 +1,134 @@
+---
+title: "Configure IPsec/XAuth VPN Clients"
+description: "Following these steps allow you to configure your Android, iOS, MacOS, and Linux machine using IPsec/XAuth (Cisco IPsec) VPN."
+# linkTitle:
+date: 2019-07-01T03:50:10+07:00
+lastmod:
+draft: false
+noindex: false
+# comments: false
+nav_weight: 1000
+# nav_icon:
+#   vendor: bootstrap
+#   name: toggles
+#   color: '#e24d0e'
+series:
+  - IPsec VPN
+categories:
+  - Networking
+  - SysAdmin
+tags:
+  - VPN
+  - IPsec
+  - XAuth
+  - MacOS
+  - iPhone
+  - Android
+  - Linux
+images:
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+**IPsec/XAuth** mode is also called **"Cisco IPsec"**. This mode is generally **faster than IPsec/L2TP** with less overhead. **IPsec/XAuth** ("**Cisco IPsec**") is natively supported by **Android**, **iOS**, and **MacOS**. There is no additional software to install for them.
+
+<!--more-->
+
+> _**NOTICE**: You should [upgrade Libreswan](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#upgrade-libreswan) to the latest version due to **IKEv1** informational exchange packets not integrity checked ([CVE-2019-10155](https://libreswan.org/security/CVE-2019-10155))._
+
+As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully [set up your own IPsec VPN server]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md">}}). Following these steps allow you to configure your Android, iOS, MacOS, and Linux machine using **IPsec/XAuth** ("**Cisco IPsec**").
+
+## MacOS Clients Configuration
+- Go to **Network** section in **System Preferences**.
+- Click the <kbd>+</kbd> button in the bottom-left corner of the window.
+- Select **VPN** from the **Interface** drop-down menu.
+- Select **Cisco IPSec** from the **VPN Type** drop-down menu.
+![MacOS XAuth Config](xauth-mac-conf.png#center)
+- **Service Name**: enter anything you like (usually name of the VPN connection).
+- Click **Create**.
+- **Server Address**: Your VPN `Server IP`.
+- **Account Name**: Your VPN `Username`.
+- **Password**: Your VPN `Password`.
+- Click the **Authentication Settings** button.
+- In the **Machine Authentication** section, select the **Shared Secret** radio button and enter Your VPN `IPsec PSK`.
+- Leave the **Group Name** field blank.
+- Click **OK**.
+- **Show VPN status in menu bar** checked.
+- Click **Apply** to save the VPN connection information.
+
+To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose Connect. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+## iOS (iPhone/iPad) Clients Configuration
+- Go to **Settings** -> **General** -> **VPN**.
+- Tap **Add VPN Configuration**....
+- Tap **Type**. Select **IPSec** and go back.
+- **Description**: enter anything you like (usually name of the VPN connection).
+- **Server**: Your VPN `Server IP`.
+- **Account**: Your VPN `Username`.
+- **Password**: Your VPN `Password`.
+- Leave the **Group Name** field blank.
+- **Secret**: Your VPN `IPsec PSK`.
+- Tap **Done** and slide **VPN** switch **ON**.
+![iPhone XAuth config](xauth-iphone.jpg#center)
+
+Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+## Android Clients Configuration
+- Go to **Settings** > **Wireless & Networks** > **VPN**.
+- **Add VPN Profile** by tapping the <kbd>+</kbd> icon at top-right of screen.
+- **Name**: enter anything you like (usually name of the VPN connection).
+- **Type**: Choose **IPSec Xauth PSK**.
+- **Server address**: Your VPN `Server IP`.
+- Leave the **IPSec identifier** field blank.
+- **IPSec pre-shared key**: Your VPN `IPsec PSK`.
+- Tap **Save**.
+- Tap the new VPN connection.
+- **Username**: Your VPN `Username`.
+- **Password**: Your VPN `Password`.
+- Check the **Save account information** checkbox.
+- Tap **Connect**.
+![Android XAuth config](xauth-android.jpg#center)
+
+Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+## Linux Clients Configuration
+### Fedora and CentOS
+**Fedora** > `28` and **CentOS 7** users can install the [NetworkManager-libreswan-gnome](https://apps.fedoraproject.org/packages/s/libreswan) package, then configure the IPsec/XAuth VPN client using the GUI.
+
+- Go to **Settings** -> **Network** -> **VPN**. Click the <kbd>+</kbd> button.
+- Select **IPsec based VPN**.
+- **Name**: enter anything you like (usually name of the VPN connection).
+- **Gateway**: Your VPN `Server IP`.
+- **Type**: Select **IKEv1 (XAUTH)**.
+- **User name**: Your VPN `Username`.
+- **Password**: Your VPN `Password` (click the <kbd>?</kbd> in the password field, select **Store the password only for this user**)
+- Leave the **Group name** field blank.
+- **Secret**: Your VPN `IPsec PSK` (click the <kbd>?</kbd> in the password field, select **Store the password only for this user**)
+- Leave the **Remote ID** field blank.
+- Click **Add** to save the VPN connection information.
+- Turn the **VPN** switch ON.
+
+Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+### Other Linux
+Other Linux users can connect using [IPsec/L2TP]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}}) mode.
+
+## Windows Clients Configuration
+Since I don't have any **Windows** machine, you can follow [source documentation](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows) by Lin Song.
+
+## Credits
+- All articles credits belongs to [Lin Song](https://www.linkedin.com/in/linsongui/) and [contributors](https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors).
+- Feature image credit to [Tyler Franta](https://unsplash.com/@tfrants) on **Unsplash**.
+
+## Links and Resources
+- [https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)
+- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md)
+- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting)

content/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md

@@ -0,0 +1,133 @@
+---
+title: "IPsec (L2TP, XAuth, IKEv2) VPN Server Auto Setup"
+description: "A few years ago, I've found this gem which allow us to set up our own IPsec VPN server with L2TP, XAuth and IKEv2 on Ubuntu, Debian, RHEL, and CentOS."
+# linkTitle:
+date: 2019-07-01T03:06:07+07:00
+lastmod:
+draft: false
+noindex: false
+# comments: false
+nav_weight: 1000
+# nav_icon:
+#   vendor: bootstrap
+#   name: toggles
+#   color: '#e24d0e'
+series:
+  - IPsec VPN
+categories:
+  - Networking
+  - SysAdmin
+tags:
+  - VPN
+  - IPsec
+  - L2TP
+  - XAuth
+  - IKEv2
+images:
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+A few years ago, I've found [this gem](https://gist.github.com/hwdsl2/e9a78a50e300d12ae195) which allow us to [set up our own IPsec VPN server](https://github.com/hwdsl2/setup-ipsec-vpn) with **L2TP**, **XAuth** and **IKEv2** on **Ubuntu**, **Debian** and **CentOS** distro.
+
+<!--more-->
+
+> _**Note**: This is my personal snippets, if you need a complete documentation, please go to [hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn) GitHub repository, it's really well documented! A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) of the VPN server is also available, go and get it._
+
+> _**NOTICE**: You should [upgrade Libreswan](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md) to the latest version due to IKEv1 informational exchange packets not integrity checked ([CVE-2019-10155](https://libreswan.org/security/CVE-2019-10155/))._
+
+## Intro
+Since **PPTP** VPN no longer supported by Apple's built-in VPN client on **macOS Sierra** and **iOS 10** due to many [well-known security issues](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol), I have to use other VPN communications protocols to access my internal company networks. And here [Lin Song](https://www.linkedin.com/in/linsongui/) and [contributors](https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors) with their bash scripts become an Angel. All I need to do is download and execute the *bash script* on my servers, and let the script configure the rest **IPsec** VPN server setup.
+
+In short: this script download, compile and configure [Libreswan](https://libreswan.org/) as the **IPsec** server, and [**xl2tpd**](https://github.com/xelerance/xl2tpd) as the **L2TP** provider. This script also writes changes to `sysctl.conf` to improve performance, mask `firewalld` (on **CentOS**), updating `iptables` *firewall* and configure simple **Fail2Ban** rules on `sshd` *daemon*.
+
+> _**NOTE**: **This script are mean to be executed on server(s)**. **DO NOT** run auto install scripts on your personal PC or Mac!_
+
+## Requirements
+A dedicated server or Virtual Private Server (VPS) with one of these OSes:
+- **Ubuntu** `16.04` (**Xenial**) / `18.04` (**Bionic**)
+- **Debian** `8` (**Jessie**) / `9` (**Stretch**)
+- **CentOS** `6`/`7` (`x86_64`)
+- **Red Hat Enterprise Linux** (**RHEL**) `6`/`7`
+- Open **UDP** ports `500` and `4500` (if your machine is running behind external firewall)
+
+> _**Note**: **OpenVZ VPS** is not supported._
+
+## Installation
+First (this is not necessary but recommended), make sure system is up to date with `apt-get update && apt-get dist-upgrade` for **Debian** and **Ubuntu** or `yum update` for **RHEL** and **CentOS**.
+
+To install the VPN we have 3 options described [here](https://github.com/hwdsl2/setup-ipsec-vpn): I'd love to use the **first option** with 1 line command to configure and generate random VPN credentials (will be displayed when finished) because I love to manage VPN users and **PSK** manually latter. So :
+For **Debian** and **Ubuntu**:
+```bash
+wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
+```
+For **RHEL** and **CentOS**:
+```bash
+wget https://git.io/vpnsetup-centos -O vpnsetup.sh && sudo sh vpnsetup.sh
+```
+After installation script done, VPN login details will be randomly generated, and displayed on the screen.
+
+## Default Configurations
+VPN **DNS Client** is set to use [Google Public DNS](https://developers.google.com/speed/public-dns/). You can replace with your server provider DNS if you want by editing `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then *reboot* the server.
+
+When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN *subnet* `192.168.42.0/24`.
+
+The same VPN account can be used by multiple devices. However, to avoid connection issues when connecting multiple devices simultaneously from behind the same **NAT** (e.g. home router), use **IPsec/XAuth mode**.
+
+To modify the iptables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (**Ubuntu**/**Debian**), or `/etc/sysconfig/iptables` (**CentOS**/**RHEL**). Then reboot your server.
+
+## Manage VPN Users and PSK
+You can use [this helper scripts](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/manage-users.md#using-helper-scripts) to make it easier to manage VPN users. But I love to manage my VPN users manually. Content below describe how to manage **IPsec/L2TP** and **IPsec/XAuth** manually.
+
+The **IPsec PSK** (*pre-shared key*) is stored in `/etc/ipsec.secrets`. All VPN users will share the same IPsec PSK. If PSK changed, `ipsec` and `xl2tpd` *service* need to be restarted.
+
+### IPsec/L2TP Users
+For `IPsec/L2TP`, VPN users are stored in `/etc/ppp/chap-secrets`. The format of this file is:
+```plain
+"username1"  l2tpd  "password1"  *
+"username2"  l2tpd  "password2"  *
+... ...
+```
+You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '`.
+
+### IPsec/XAuth Users
+For `IPsec/XAuth` ("**Cisco IPsec**"), VPN users are stored in `/etc/ipsec.d/passwd`. The format of this file is:
+```plain
+username1:password1hashed:xauth-psk
+username2:password2hashed:xauth-psk
+... ...
+```
+Passwords in this file are *salted* and *hashed*. You need to use `openssl` command to generate IPsec/XAuth user password:
+```bash
+openssl passwd -1 'your_password'
+```
+As I mentioned before, you must restart services if changing the PSK. For add/edit/remove VPN users, this is normally not required.
+```bash
+service ipsec restart
+service xl2tpd restart
+```
+
+## Next Steps
+Get your computer and devices to use the VPN service:
+- [Configure IPsec/L2TP VPN Clients]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}})
+- [Configure IPsec/XAuth "Cisco IPsec" VPN Clients]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}})
+- [Set Up IKEv2 VPN Server and Clients]({{< ref "/tutorials/set-up-ikev2-vpn-server-and-clients/index.md" >}}) (Advanced)
+
+## Credits
+- All articles credits belongs to [Lin Song](https://www.linkedin.com/in/linsongui/) and [contributors](https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors).
+- Feature Image credit to [Mike MacKenzie](https://www.vpnsrus.com/).
+
+## Links and Resources
+- [https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)
+- [https://gist.github.com/hwdsl2/9030462#comments](https://gist.github.com/hwdsl2/9030462#comments)
+- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting)
+- [https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)
+- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#known-issues](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#known-issues)

content/tutorials/set-up-ikev2-vpn-server-and-clients/index.md

@@ -0,0 +1,322 @@
+---
+title: "Set Up IKEv2 VPN Server and Clients"
+description: "IKEv2 contains improvements such as Standard Mobility support. This is my personal snippet to set up IKEv2 VPN server & clients for multiple servers."
+# linkTitle:
+date: 2019-07-01T03:50:32+07:00
+lastmod:
+draft: false
+noindex: false
+# comments: false
+nav_weight: 1000
+# nav_icon:
+#   vendor: bootstrap
+#   name: toggles
+#   color: '#e24d0e'
+series:
+  - IPsec VPN
+categories:
+  - Networking
+  - SysAdmin
+tags:
+  - VPN
+  - IPsec
+  - IKEv2
+  - MacOS
+  - iPhone
+images:
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully [set up your own IPsec VPN server]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md">}}), and [upgraded Libreswan](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#upgrade-libreswan) to the latest version due to [CVE-2019-10155](https://libreswan.org/security/CVE-2019-10155/). This for **advanced users** only. Other users please use [IPsec/L2TP]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}}) or [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
+
+<!--more-->
+
+## Intro
+Modern operating systems support the IKEv2 standard. [Internet Key Exchange](https://en.wikipedia.org/wiki/Internet_Key_Exchange) (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains [improvements](https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2) such as Standard Mobility support through [MOBIKE](https://tools.ietf.org/html/rfc4555) and improved reliability.
+
+Libreswan can authenticate IKEv2 clients on the basis of [X.509](https://en.wikipedia.org/wiki/X.509) Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with:
+- OS X (macOS)
+- iOS (iPhone/iPad)
+- Android 4.x and newer (using the strongSwan VPN client)
+- Windows 7, 8.x and 10
+
+Because IKEv2 use key exchange and you need to import Server and Client Certificate on your machine. It will be a problem in the future to manage/revoke the imported certificate if you have multiple IKEv2 VPN servers with same root CA Common Name and client certificate username.
+
+This is my personal snippet to set up IKEv2 VPN server & clients for multiple servers. Basically I only add (let say) server name or node name after root CA Common Name and client certificate username.
+
+![Apple Key Chain](apple-keychain-access.png#center)
+
+You don't need to follow this method if you only connect to 1 IKEv2 server, use the [original guide](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md) instead.
+
+## Set up IKEv2 VPN Server
+The following example shows how to configure IKEv2 with Libreswan. Any commands below must be run as `root`.
+
+Find the VPN server's public IP, save it to a variable and check.
+
+```bash
+PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
+[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
+printf '%s\n' "$PUBLIC_IP"
+```
+
+Make sure the output matches the server's public IP. The `$PUBLIC_IP` variable is required for the next steps.
+
+Create new `ikev2.conf` file in `/etc/ipsec.d/` directory and include them in  `/etc/ipsec.conf` :
+```bash
+cat > /etc/ipsec.d/ikev2.conf <<EOF
+
+conn ikev2-cp
+  left=%defaultroute
+  leftcert=$PUBLIC_IP
+  leftid=@$PUBLIC_IP
+  leftsendcert=always
+  leftsubnet=0.0.0.0/0
+  leftrsasigkey=%cert
+  right=%any
+  rightid=%fromcert
+  rightaddresspool=192.168.43.10-192.168.43.250
+  rightca=%same
+  rightrsasigkey=%cert
+  narrowing=yes
+  dpddelay=30
+  dpdtimeout=120
+  dpdaction=clear
+  auto=add
+  ikev2=insist
+  rekey=no
+  pfs=no
+  ike-frag=yes
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+EOF
+```
+
+```bash
+if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
+  echo >> /etc/ipsec.conf
+  echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf
+fi
+```
+
+> _**NOTICE**: You should [upgrade Libreswan](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#upgrade-libreswan) to the latest version due to IKEv1 informational exchange packets not integrity checked ([CVE-2019-10155](https://libreswan.org/security/CVE-2019-10155/))._
+
+We need to add a few more lines for IKEv2 connection config on `/etc/ipsec.conf` file related to Libreswan version. First, check your Libreswan version:
+
+```bash
+ipsec --version
+```
+For Libreswan `3.23` and newer, add these following config under IKEv2 connection config in `/etc/ipsec.conf`.
+
+```plain
+  modecfgdns="8.8.8.8 8.8.4.4"
+  encapsulation=yes
+  mobike=no
+```
+
+> _**Note**: If your server runs Debian or CentOS/RHEL and you wish to enable MOBIKE support, replace `mobike=no` with `mobike=yes` in the command above. **DO NOT enable this option on Ubuntu systems**._
+
+For Libreswan `3.19`-`3.22`:
+```plain
+  modecfgdns1=8.8.8.8
+  modecfgdns2=8.8.4.4
+  encapsulation=yes
+```
+For Libreswan `3.18` and older:
+```plain
+  modecfgdns1=8.8.8.8
+  modecfgdns2=8.8.4.4
+  forceencaps=yes
+```
+
+> _You can replace Google Public DNS `8.8.8.8` and `8.8.4.4` with your server provider DNS if you want._
+
+### Generate Certificate Authority (CA) and VPN Server Certificates
+- You can specify the certificate validity period (in months) with `-v` argument. e.g. `-v 36`.
+- As i mentioned above, To easily manage VPN certificates on multiple server. I've add `SERVERNAME` after `IKEv2 VPN CA` Common Name. Replace `SERVERNAME` with something you can easily remember.
+
+```bash
+certutil -z <(head -c 1024 /dev/urandom) \
+  -S -x -n "IKEv2 VPN CA SERVERNAME" \
+  -s "O=IKEv2 VPN,CN=IKEv2 VPN CA SERVERNAME" \
+  -k rsa -g 4096 -v 36 \
+  -d sql:/etc/ipsec.d -t "CT,," -2
+```
+
+```plain
+Generating key.  This may take a few moments...
+
+Is this a CA certificate [y/N]?
+y
+Enter the path length constraint, enter to skip [<0 for unlimited path]: >
+Is this a critical extension [y/N]?
+N
+```
+
+**Note**: If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`.
+
+```bash
+certutil -z <(head -c 1024 /dev/urandom) \
+  -S -c "IKEv2 VPN CA SERVERNAME" -n "$PUBLIC_IP" \
+  -s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
+  -k rsa -g 4096 -v 36 \
+  -d sql:/etc/ipsec.d -t ",," \
+  --keyUsage digitalSignature,keyEncipherment \
+  --extKeyUsage serverAuth \
+  --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"
+```
+
+### Generate Client Certificates
+The next step is to generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate.
+
+Run these command to generate client certificate:
+
+> _**Note**: Replace `VPNUSERNAME` with your username. I recommend you to add prefix or suffix related with your server name._
+
+```bash
+certutil -z <(head -c 1024 /dev/urandom) \
+  -S -c "IKEv2 VPN CA SERVERNAME" -n "VPNUSERNAME" \
+  -s "O=IKEv2 VPN,CN=VPNUSERNAME" \
+  -k rsa -g 4096 -v 36 \
+  -d sql:/etc/ipsec.d -t ",," \
+  --keyUsage digitalSignature,keyEncipherment \
+  --extKeyUsage serverAuth,clientAuth -8 "VPNUSERNAME"
+```
+
+Then export client certificate with to pk12util command below:
+
+```bash
+pk12util -o VPNUSERNAME.p12 -n "VPNUSERNAME" -d sql:/etc/ipsec.d
+```
+
+```plain
+Enter password for PKCS12 file:
+Re-enter password:
+pk12util: PKCS12 EXPORT SUCCESSFUL
+```
+
+> _**YOU MUST** enter a secure password to protect the exported `.p12` file because when importing into an iOS or macOS device, this password cannot be empty._
+
+You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `VPNUSERNAME` with `VPNUSERNAME2`, etc.
+
+> _**Note**: To connect multiple VPN clients simultaneously, you must generate a unique certificate for each devices._
+
+(For macOS and iOS clients) Export the CA certificate as `vpnca_SERVERNAME.cer`:
+
+```bash
+certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA SERVERNAME" -a -o vpnca_SERVERNAME.cer
+```
+
+To check certificate database, you can run these following command:
+
+```bash
+certutil -L -d sql:/etc/ipsec.d
+```
+
+```plain
+Certificate Nickname                               Trust Attributes
+                                                   SSL,S/MIME,JAR/XPI
+
+IKEv2 VPN CA SERVERNAME                            CTu,u,u
+($PUBLIC_IP)                                       u,u,u
+VPNUSERNAME                                        u,u,u
+```
+
+To display a certificate, use:
+```bash
+certutil -L -d sql:/etc/ipsec.d -n "VPNUSERNAME"
+```
+
+To delete a certificate, use:
+```bash
+certutil -D -d sql:/etc/ipsec.d -n "VPNUSERNAME"
+```
+For other `certutil` usage, read [this page](http://manpages.ubuntu.com/manpages/xenial/en/man1/certutil.1.html).
+
+The last step on the server is restart `ipsec` *service* (this is important).
+
+```bash
+service ipsec restart
+```
+
+The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure VPN clients.
+
+## Configure IKEv2 VPN Clients
+
+**Note**: If you specified the server's DNS name (instead of its IP address) for `$PUBLIC_IP` variable in first step above, you must enter the DNS name in the **Server** and **Remote ID** fields.
+
+### MacOS Clients Configuration
+
+Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your Mac, then double-click to import them **one by one** into the **login** keychain in **Keychain Access**.
+
+Next, double-click on the imported `IKEv2 VPN CA SERVERNAME` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu.
+
+![MacOS VPN CA](vpn_ca.png#center)
+
+When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAME` are listed under the **Certificates** category of **login** keychain.
+- Go to **Network** section in **System Preferences**.
+- Click the <kbd>+</kbd> button in the bottom-left corner of the window.
+- Select **VPN** from the **Interface** drop-down menu.
+- Select **IKEv2** from the **VPN Type** drop-down menu.
+- **Service Name**: enter anything you like (usually name of the VPN connection).
+- Click **Create**.
+- **Server Address**: Your VPN `Server IP` (or DNS name).
+- **Remote ID**: Your VPN `Server IP` (or DNS name).
+- Leave the **Local ID** field blank.
+- Click the **Authentication Settings**... button.
+- Select **None** from the **Authentication Settings** drop-down menu.
+- Select the **Certificate** radio button, then select the **VPNUSERNAME** certificate.
+- Click **OK**.
+- Check the **Show VPN status in menu bar** checkbox.
+- Click **Apply** to save the VPN connection information.
+- Click **Connect**.
+
+### iOS (iPhone/iPad) Clients Configuration
+Transfer both `vpnca_SERVERNAME.cer` and `VPNUSERNAME.p12` to your iOS device, then import them **one by one** as **iOS profiles**. To transfer the files, you may use AirDrop or host the files on your website, then download and import them in Safari. When finished, check to make sure both `VPNUSERNAME` and `IKEv2 VPN CA SERVERNAME` are listed under **Settings** -> **General** -> **Profiles**.
+- Go to **Settings** -> **General** -> **VPN**.
+- Tap **Add VPN Configuration**....
+- Tap **Type**. Select **IKEv2** and go back.
+- **Description**: enter anything you like (usually name of the VPN connection).
+- **Server**: Your VPN `Server IP`.
+- **Remote ID**: Your VPN `Server IP` (or DNS name).
+- Leave the **Local ID** field blank.
+- Tap **User Authentication**. Select **None** and go back.
+- Make sure the **Use Certificate** switch is ON.
+- Tap **Certificate**. Select **VPNUSERNAME** and go back.
+- Tap **Done**.
+- Slide the **VPN** switch ON.
+![iPhone IKEv2 VPN](iphone-ikev2.jpg#center)
+
+Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo](https://duckduckgo.com/?q=ip&ia=answer).
+
+### Other Devices
+Since I only use IKEv2 on my Mac and iPhone for work device, I can't post guide for Windows, Linux and Android here. You can follow the [guide for each OSes here](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#configure-ikev2-vpn-clients).
+
+## Known issues
+1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the [IPsec/L2TP]({{< ref "/tutorials/configure-ipsec-l2tp-vpn-clients/index.md" >}}) or [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
+2. If using the strongSwan Android VPN client, you must **upgrade Libreswan** on your server to version `3.26` or above.
+3. If your VPN client can connect but cannot open any website, try editing `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=` under section `conn ikev2-cp` and delete `aes_gcm-null,`. Save the file and run `service ipsec restart`.
+4. Ubuntu 18.04 and CentOS users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more [here](https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460430354).
+5. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use [IPsec/XAuth]({{< ref "/tutorials/configure-ipsec-xauth-vpn-clients/index.md" >}}) mode.
+
+## Credits
+- All articles credits belongs to [Lin Song](https://www.linkedin.com/in/linsongui/) and [contributors](https://github.com/hwdsl2/setup-ipsec-vpn/graphs/contributors).
+- Feature Image credit to [portal gda](https://www.flickr.com/photos/135518748@N08/) Flickr.
+
+## Links and Resources
+- [https://github.com/hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)
+- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md)
+- [https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting)
+- [https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2](https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2)
+- [https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan)
+- [https://libreswan.org/man/ipsec.conf.5.html](https://libreswan.org/man/ipsec.conf.5.html)
+- [https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients](https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients)
+- [https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient](https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient)