Comments on How to Setup IKEv2 VPN Using Strongswan and Let's Encrypt on CentOS 8
Strongswan is an open source multiplatform IPSec implementation. It's an IPSec-based VPN solution that focuses on strong authentication mechanisms. In this tutorial, I will show you how to install an IPSec VPN server using Strongswan. We will create an IKEv2 VPN server with 'EAP-MSCHAPv2' authentication, using Let's Encrypt certificates, on a CentOS 8 server.
10 Comment(s)
Comments
But now if I try to connect to this on macOS Catalina, the system will pop up and say "VPN Connection: An unexpected error occurred."
What should I do?
Check logs of your connection.
Hello, how can I configure this for IPv6?
Hi,
I can't get through the certbot-auto command part. It forces me to verify my server with the HTTP challenge:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for secure.taczkowski.net
Waiting for verification...
Challenge failed for domain secure.taczkowski.net
http-01 challenge for secure.domain.com
Cleaning up challenges
Some challenges have failed.
I obviously don't have a webserver as I only want to run StrongSwan.
I can probably redirect ports 443 and 80 to make it think I do have a webserver, but I prefer to do it clean - without having to trick anybody.
You just need to open ports 80 and 443 to respond to the Certbot. Close them up afterwards.
Great tutorial. Most of it worked for me. The only thing is that I couldn't get the Mac to connect until I removed these lines and restarted Strongswan:
ike=aes256gcm16-prfsha512-ecp384!
esp=aes256gcm16-ecp384!
When setting up the connection, don't forget to set "Remote ID" to whatever you put in:
[email protected]
So set "Remote ID" to "@vpn.linuxcreatures.com" in this case.
The other thing that I read in one of the comments is about port 80 and 443. You are not going to use these if you only use the VPN, but they need to be opened for certbot-auto to get and renew the certificate.
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q --pre-hook 'systemctl stop strongswan' --post-hook 'systemctl start strongswan'" | sudo tee -a /etc/crontab > /dev/null
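An added example, not part of the tutorial or of any comment above: a small model of how the trailing `!` (strict flag) on the `ike=` line quoted in the preceding comment limits which client proposals a responder can accept. The keyword table is a subset of strongSwan's proposal keywords, the two client offers are constructed for illustration, and the matching rule is a simplification of the daemon's real selection logic.

```python
import re

# Subset of strongSwan proposal keywords, enough for the tokens used below.
KINDS = [
    ("encryption", re.compile(r"^(aes(128|192|256)(gcm(8|12|16)|ctr)?|3des|chacha20poly1305)$")),
    ("prf", re.compile(r"^prf(sha1|sha256|sha384|sha512)$")),
    ("integrity", re.compile(r"^(sha1|sha256|sha384|sha512)$")),
    ("dh_group", re.compile(r"^(modp\d+|ecp\d+|curve25519)$")),
]

def parse(value):
    """Split an ike=/esp= value into (list of proposals, strict flag)."""
    value = value.strip()
    strict = value.endswith("!")          # '!' = accept only what is listed
    proposals = []
    for text in value.rstrip("!").split(","):
        prop = {kind: set() for kind, _ in KINDS}
        for token in text.strip().lower().split("-"):
            kind = next((k for k, rx in KINDS if rx.match(token)), None)
            if kind is None:
                raise ValueError(f"unknown keyword {token!r}")
            prop[kind].add(token)
        proposals.append(prop)
    return proposals, strict

def check(value, offer):
    """Return 'accepted', 'rejected' (strict, no overlap) or 'defaults'
    (not strict: the daemon's built-in proposals also apply, not modelled)."""
    proposals, strict = parse(value)
    for prop in proposals:
        # Every transform type the config names must overlap with the offer.
        if all(algs & offer.get(kind, set()) for kind, algs in prop.items() if algs):
            return "accepted"
    return "rejected" if strict else "defaults"

# Constructed client offers (illustrative, not captured from any real client).
CBC_CLIENT = {"encryption": {"aes256"}, "integrity": {"sha256"},
              "prf": {"prfsha256"}, "dh_group": {"modp2048"}}
GCM_CLIENT = {"encryption": {"aes256gcm16"}, "prf": {"prfsha384", "prfsha512"},
              "dh_group": {"ecp256", "ecp384"}}

if __name__ == "__main__":
    for ike in ("aes256gcm16-prfsha512-ecp384!", "aes256gcm16-prfsha512-ecp384"):
        for name, offer in (("CBC client", CBC_CLIENT), ("GCM client", GCM_CLIENT)):
            print(f"ike={ike:32} {name}: {check(ike, offer)}")
```

Removing the `ike=`/`esp=` lines leaves the daemon on its built-in default proposals; keeping the strict list and appending a second comma-separated proposal that the client supports is the narrower change.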
I used to be able to connect from Windows 10 VPN settings. Now it just doesn't work, telling me the server is unreachable. However, I am able to connect from my phone fine. Any ideas?
Today the VPN wouldn't start after a reboot. I had to manually start it from the command line:
# strongswan start
At some point I figured out that an update changed something.
To get Strongswan to start at boot I fixed it like this:
# systemctl disable strongswan
# systemctl enable strongswan-starter
To restart, for example after a config change, I use:
# strongswan restart
Working flawlessly! Great tutorial (tested on Windows and Mac as clients)
Can anyone help me out with how I can set this up under the Ubuntu command line?
Great tutorial, thank you!! It works like a charm on Mac, Windows and Android. Can anyone help me out with how to configure it on the Ubuntu command line??
I got this error when I try to connect: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] (the user/pass is correct!)