Introduction
strongSwan, as well as paid IKEv2 VPN implementations (e.g. Cisco ASA), allows creating remote access VPNs with IKEv2. The main advantage of IKEv2 is that it doesn't need a dedicated client: it is pre-installed on most common platforms (e.g. iPhone, Windows, Mac). Other benefits are that IKEv2 is much faster to set up a connection (only 3 messages as opposed to 6 in IKEv1), has native NAT-T support and supports MOBIKE (it detects roaming IP changes without rebuilding new SAs).

ipsec.conf
We will use EAP for authentication, point strongSwan at our certificate (a standalone certificate issued by Let's Encrypt) and use 10.45.1.0/24 as the VPN address pool for clients.
conn dial-in
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@centos.kuligowski.co.uk
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.45.1.0/24
    rightdns=1.1.1.1,1.1.1.3
    rightsendcert=never
    eap_identity=%identity
ipsec.secrets
All individual usernames along with their passwords go into the /etc/strongswan/ipsec.secrets file. The first line (with nothing in front of the colon) loads the RSA private key that matches leftcert; each following line is one EAP user.
: RSA "privkey.pem"
pawel : EAP "password123"
iptables
We need to allow traffic from the VPN pool to flow through our server to the Internet and SNAT it to the server's public address.
# Allow return traffic for connections the clients have already opened
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections originating from the VPN pool
iptables -A FORWARD -s 10.45.1.0/24 -j ACCEPT
# Rewrite the pool's source addresses to the server's public IP (the subnet must match rightsourceip)
iptables -t nat -A POSTROUTING -s 10.45.1.0/24 -j SNAT --to-source 51.75.162.65
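As an added example (not part of the original post), the following Python script lints the configuration above the way a reviewer would: it parses the conn block, flags every IKE or ESP proposal that still offers a legacy algorithm (modp1024, modp1536, sha1), and checks that the SNAT rule's source subnet actually covers the rightsourceip pool. The conn text and the SNAT rule (with a deliberately mistyped subnet and a placeholder public IP) are constructed samples.

```python
import ipaddress
import re

# Constructed sample: the conn block from this page, reduced to the keys the checks need.
SAMPLE_CONN = """
conn dial-in
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256
    rightsourceip=10.45.1.0/24
"""

# Constructed sample SNAT rule with a mistyped subnet; 203.0.113.7 is a placeholder public IP.
SAMPLE_SNAT = "iptables -t nat -A POSTROUTING -s 10.15.1.0/24 -j SNAT --to-source 203.0.113.7"

# Algorithm tokens that should no longer be offered in IKE or ESP proposals.
LEGACY_TOKENS = {"modp1024", "modp1536", "sha1", "md5", "3des"}


def parse_conn(text):
    """Return the key=value settings of a single conn block as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def legacy_proposals(proposal_string):
    """Return [(proposal, [legacy tokens])] for each comma-separated proposal using a legacy algorithm."""
    findings = []
    for proposal in proposal_string.rstrip("!").split(","):  # "!" is strongSwan's strict-mode flag
        legacy = sorted(set(proposal.split("-")) & LEGACY_TOKENS)
        if legacy:
            findings.append((proposal, legacy))
    return findings


def snat_covers_pool(settings, snat_rule):
    """True if the -s subnet of the SNAT rule contains the rightsourceip pool (assumed to be CIDR)."""
    pool = ipaddress.ip_network(settings["rightsourceip"])
    match = re.search(r"\s-s\s+(\S+)", snat_rule)
    return match is not None and pool.subnet_of(ipaddress.ip_network(match.group(1)))


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONN)
    for phase in ("ike", "esp"):
        for proposal, legacy in legacy_proposals(conn[phase]):
            print(f"{phase}: {proposal} offers legacy {', '.join(legacy)}")
    print("SNAT covers pool:", snat_covers_pool(conn, SAMPLE_SNAT))  # False: 10.15 vs 10.45
```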
Debugging
[root@centos /]# strongswan statusall dial-in
[root@centos /]# tail -f /var/log/messages | grep charon