How to Setup IKEv2 IPSec VPN Using strongSwan and Let's Encrypt on Rocky Linux 9

If you are looking for a client-to-site VPN solution, then you might prefer an IKEv2 EAP solution over OpenVPN or Wireguard. Such a solution is extremely helpful if you are constantly on the move and require a VPN solution you can connect to easily without downloading a client or needing a key. strongSwan is an open-source cross-platform IPSec-based VPN that can prove useful in such a case. It can provide authentication based on X.509 certificates or the secure IKEv2 EAP user authentication.

In this tutorial, you will learn how to set up an IKEv2 IPSec VPN using strongSwan using EAP-MSCHAPv2 authentication along with Let's Encrypt SSL certificates on a Rocky Linux 9 server. You will also learn how to connect to the VPN using Windows, macOS, Linux, and Android clients.


  • A server running Rocky Linux 9. Depending on the number of users connecting to it, you must upgrade the server specifications.

  • A non-root user with sudo privileges.

  • A fully qualified domain name (FQDN) like

  • Make sure everything is updated.

    $ sudo dnf update
  • Few packages that your system needs.

    $ sudo dnf install wget curl nano unzip yum-utils -y

    Some of these packages may already be installed on your system.

Step 1 - Configure Networking and Firewall

Enable IP Packet forwarding in the kernel options.

$ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.conf
$ sudo sysctl -p 

Add IPSec service to Firewalld firewall.

$ sudo firewall-cmd --permanent --add-service=ipsec

We also need HTTP and HTTPS ports to function. Open them.

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https

Allow NAT packet forwarding, also known as IP masquerade.

$ sudo firewall-cmd --permanent --add-masquerade

Reload the firewall to apply the changes.

$ sudo firewall-cmd --reload

Step 2 - Install SSL

We need to install Certbot to generate the SSL certificate.

We will use the Snapd package installer for that. Since Rocky Linux doesn't ship with it, install the Snapd installer. It requires the EPEL repository to work.

$ sudo dnf install -y epel-release

Install Snapd.

$ sudo dnf install -y snapd

Enable and Start the Snap service.

$ sudo systemctl enable snapd --now

Install the Snap core package, and ensure that your version of Snapd is up to date.

$ sudo snap install core && sudo snap refresh core

Create necessary links for Snapd to work.

$ sudo ln -s /var/lib/snapd/snap /snap
$ echo 'export PATH=$PATH:/var/lib/snapd/snap/bin' | sudo tee -a /etc/profile.d/

Issue the following command to install Certbot.

$ sudo snap install --classic certbot

Use the following command to ensure that the Certbot command can be run by creating a symbolic link to the /usr/bin directory.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Verify the installation.

$ certbot --version
certbot 2.3.0

Run the following command to generate an SSL Certificate.

$ sudo certbot --key-type rsa certonly --standalone --agree-tos --no-eff-email --preferred-challenges http -m [email protected] -d

The above command will download a certificate to the /etc/letsencrypt/live/ directory on your server.

To check whether the SSL renewal is working fine, do a dry run of the process.

$ sudo certbot renew --dry-run

If you see no errors, you are all set. Your certificate will renew automatically.

Step 3 - Install strongSwan

strongSwan requires the EPEL repository for installation but since we have already installed it in the previous step, you can skip it. Install strongSwan using the following command.

$ sudo dnf install strongswan

Create a symlink for the certificates in the /etc/strongswan/swanctl directory.

$ sudo ln -s /etc/letsencrypt/live/ /etc/strongswan/swanctl/x509
$ sudo ln -s /etc/letsencrypt/live/ /etc/strongswan/swanctl/private
$ sudo ln -s /etc/letsencrypt/live/ /etc/strongswan/swanctl/x509ca

Create a strongSwan configuration file and open it for editing.

$ sudo nano /etc/strongswan/swanctl/conf.d/my_vpn.conf

Paste the following code in it.

connections {
    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes256-sha256-modp4096,aes256-sha256-modp2048,aes256gcm16-sha256-modp1024
        rekey_time = 0s
        pools = pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        unique = never
        local {
            id =
            certs = fullchain.pem
        remote {
            auth = eap-mschapv2
            eap_id = %any
        children {
            ikev2-eap-mschapv2 {
                local_ts =
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha256-sha1

pools {
    pool-ipv4 {
        addrs =
        dns =,

secrets {
    eap-User1 {
        id = username1
        secret = "password1"

Save the file by pressing Ctrl + X and entering Y when prompted once finished.

If you wish to tunnel both IPv4 and IPv6 through the VPN, you need to assign an IPv6 pool, DNS, and local subnet. Replace the values of the variables local_ts, addrs, and dns with the following values.

local_ts =,::/0
addrs =,2a00:1450:400c:c05::/112
dns =,2001:4860:4860::8888

Disable the OpenSSL plugin because OpenSSL on Rocky Linux 9 doesn't allow RSA signatures with SHA-1 causing authentication failures.

$ sudo sed -i "s/load = yes/load = no/" /etc/strongswan/strongswan.d/charon/openssl.conf

Enable and start the strongSwan service.

$ sudo systemctl enable strongswan
$ sudo systemctl start strongswan

Step 4 - Connecting via Windows

Open the Settings application and select Network and Internet menu option. Select the VPN menu and then click the Add a VPN connection button.

Windows VPN Configuration for strongSwan

Click the Save button and then select the VPN you added and click the Connect button to start the VPN.

Windows VPN Connections List

Step 5 - Connecting via macOS

Open System Preferences >> Network and click the plus (+) sign on the top right to add a new service.

macOS Add New Network Service

Select VPN as the Interface, IKEv2 as the VPN Type and give your service a name. Click the Create button to proceed.

macOS strongSwan Configuration

Enter your domain name as the Server Address and Remote ID. Leave the Local ID field empty. Click the Authentication Settings button to open a new popup.

macOS strongSwan Authentication Settings

Select Username as Authentication Settings and then enter the credentials created earlier. Click the Ok button to save the setting. Click the Apply button at the bottom to save the setting. And then click the Connect button to connect to the VPN.

macOS VPN Icon

Once you have added it, macOS will create a shortcut for the VPN on the menu bar. You can connect to the VPN from there directly.

Step 6 - Connecting via Android

Open Android Settings >> Network and Internet >> VPN menu. Click the plus (+) sign on the top right of the screen to add the VPN profile.

strongSwan Android Configuration

Give the connection a name. Select IKEv2/IPSec MSCHAPv2 as the VPN type. Enter your domain as the server address. Give any random string as the IPSec Identifier. Enter the username and password you gave before. Click the Save button to finish.

Select the Connection name and click Connect to start using the VPN.

Step 7 - Connecting via iOS

Open the iOS settings, and click on the General menu. Click the VPN menu and you will get a similar menu shown below. Select IKEv2 as the VPN Type.

strongSwan iOS VPN Settings

Give your VPN a description. Enter your domain as the value for the Server and Remote ID fields. Leave the Local ID field blank. Select User Authentication as Username and enter your credentials. Select Done when finished and tap on the switch to connect to the VPN.


This concludes our tutorial on setting up IKEv2 VPN using strongSwan and Let's Encrypt SSL on a Rocky Linux 9 server. You also connected to the VPN using multiple clients. If you have any questions, post them in the comments below.

Share this page:

Suggested articles

0 Comment(s)

Add comment