Comments on How to Setup IKEv2 VPN Using Strongswan and Let's encrypt on CentOS 7

Strongswan is an open source, multi-platform IPsec implementation. It is an IPsec-based VPN solution that focuses on strong authentication mechanisms. In this tutorial, I will show you how to install an IPsec VPN server using Strongswan. We will create an IKEv2 VPN server with 'EAP-MSCHAPv2' authentication, using Let's Encrypt certificates, on a CentOS 7 server.

Comments

By: thctlo

Hi, a nice howto, but I suggest you change the copy of:

cp /etc/letsencrypt/live/ikev2.hakase-labs.io/fullchain.pem /etc/strongswan/ipsec.d/certs/ 

to a symlink, and add a hook to strongswan so that when letsencrypt updates the certificate, strongswan is restarted/reloaded.

By: Vadim Kononov

Thanks for a wonderful tutorial! I was able to set up my VPN, and it works perfectly. However, every time I reboot my machine, the VPN gets blocked by the firewall, and once I run "firewall-cmd --reload", then everything works correctly again (I don't have to re-add the firewall rules - only reload it). Do you know why that would be? Have you experienced a similar problem?

By: Sahibzada Fahad

Hi, thank you for wonderful tutorial, can you please guide how we connect mysql database with strongswan ?

By: Arjan

Hello,

Not a stupid question I think and hope :) But can I and how do I use vdvelde-it.nl instead of ikev2.hakase-labs.io?

Thanks in advance,

With kind regards,

Arjan

By: till

The domain ikev2.hakase-labs.io is just used for this example setup and should be replaced with your own domain name. Replace ikev2.hakase-labs.io with your own domain name vdvelde-it.nl wherever it occurs in commands and paths in this tutorial.

By: Pierre Robben

Thanks. You saved my time and my life.

This works fine.

By: Eddie

Would be nice to implement strongMan management interface for strongSwan.

https://github.com/strongswan/strongMan

By: marian

As a renewal cron job, I have used this:

cat /etc/crontab

0 2 * * 2  root /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renewal.log && service strongswan restart

Great tutorial. Good job.
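Combining thctlo's symlink-plus-hook suggestion with marian's renewal job, here is an added example (not from the tutorial or either commenter) written as a certbot deploy-hook script: it links the live Let's Encrypt files into strongSwan's ipsec.d tree and reloads the daemon's credentials after each successful renewal. It assumes the tutorial's paths (/etc/letsencrypt/live/ikev2.hakase-labs.io and /etc/strongswan/ipsec.d), the `strongswan` CLI wrapper of the CentOS 7 package, and that certbot exports RENEWED_LINEAGE when it runs the hook; chain.pem is linked separately into cacerts/ because strongSwan only reads the first certificate of a chain file.

```shell
#!/bin/sh
# certbot deploy hook: link renewed Let's Encrypt files into strongSwan's
# ipsec.d tree and reload credentials. Added example, not from the tutorial.
# Assumed layout: /etc/letsencrypt/live/<domain> and /etc/strongswan/ipsec.d.
SS_DIR="${SS_DIR:-/etc/strongswan/ipsec.d}"

# link_certs LIVE_DIR IPSEC_D_DIR
# fullchain.pem keeps the tutorial's leftcert= name (strongSwan uses its first,
# i.e. leaf, certificate); chain.pem goes to cacerts/ so the intermediate is
# still sent to clients; privkey.pem matches the ipsec.secrets entry.
link_certs() {
    live="$1"; dst="$2"
    for pair in "fullchain.pem:certs" "chain.pem:cacerts" "privkey.pem:private"; do
        src="${pair%%:*}"; sub="${pair##*:}"
        if [ ! -r "$live/$src" ]; then
            echo "link_certs: missing $live/$src" >&2
            return 1
        fi
        mkdir -p "$dst/$sub"
        # -f replaces a stale link from a previous renewal
        ln -sf "$live/$src" "$dst/$sub/$src"
    done
}

# reload_strongswan: re-read credentials in place (keeps established tunnels);
# fall back to a full service restart if the CLI wrapper is not installed.
reload_strongswan() {
    if command -v strongswan >/dev/null 2>&1; then
        strongswan rereadall
    else
        systemctl restart strongswan
    fi
}

# certbot sets RENEWED_LINEAGE to the live directory of the renewed cert;
# when the variable is absent (sourced for testing) nothing is executed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    link_certs "$RENEWED_LINEAGE" "$SS_DIR" && reload_strongswan
fi
```

Install it, executable, as /etc/letsencrypt/renewal-hooks/deploy/strongswan.sh (or pass it via --deploy-hook); unlike the restart in the cron line above, `rereadall` does not drop active IKE_SAs.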

By: fransis

Hello,

I got an error on Strongswan (Android) while connecting.

This is my log:

giving up after 3 retransmits
establishing IKE_SA failed, peer not responding
unable to terminate IKE_SA: ID 8 not found

Does anybody know how to solve it?

By: Anton

This does not work when connecting from a mobile phone using T-Mobile, which only provides an IPv6 address.

The client successfully connects, but there is no internet connectivity.

How to fix?

By: Marcos

With this tutorial I have had strongswan up and running for a while now, but I have encountered an issue.

The log says "subject certificate invalid" and "no trusted RSA Public key found".

I looked it up on the strongswan forum and it said the client and the server might not have their time in sync, but I checked and they should be in sync. I think the certificates have expired; is there any reference on how to update this?

By: Alireza

Thank you for this tutorial,

but how can I run the IKEv2 server just by IP, without a domain?

By: Rizwan Saleem

This tutorial will no longer work after strongswan released the new version; however, I have set up strongswan 8.4. If anybody needs help configuring it, just send me an email; I would love to help others: [email protected]

By: fachvv

This no longer works with the latest strongswan. It simply doesn't support a chain pem file. You have to trust the full chain on the client, which leaves no benefit in using letsencrypt: https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#X509-Certificate-chain-files

By: Eugene van der Merwe

As per the comment left by @fachvv,

It appears this tutorial doesn't work anymore.