Knowledgebase

  1. Portal Home
  2. Knowledgebase
  3. Operating Systems
  4. CentOS
  5. Install a strongSwan IPSec VPN Server on CentOS 7

  Categories

23
Accounts
 16
App Platform
 8
Backups
 7
Billing
 4
Connectivity Troubleshooting
 148
Data Management
 1
Ddos
 197
Development
 13
DNS
 41
Game Servers
 5
Hosting Packages
 97
Infrastructure
 6
IPv6
 48
Kubernetes
 11
Load Balancers
 34
Machine Learning
 10
MongoDB
 1
Monitoring
 21
MySQL
 14
Networking
 1039
Operating Systems
 21
PostgreSQL
 1
Private Internet Guardian (VPN)
 1
Products
 7
Redis
 100
Reference Guides
 4
Resellers
 6
Reserved IPs
 86
Server
 322
Server Apps
 7
Site Management Tools
 1
SnapShooter
 16
Snapshots
 3
Spaces
 4
SSH Troubleshooting
 5
SSL
 2
Streaming and Broadcasting
 23
Support Plans FAQ
 2
Teams
 6
Third-Party Applications
 5
Volumes
 1
VPC
 2
Windows Security

  Categories

  Support

  My Support Tickets   Announcements   Knowledgebase   Downloads   Network Status   Open Ticket

Install a strongSwan IPSec VPN Server on CentOS 7 Print

  • 0

Introduction

strongSwan is a cross-platform IPSec-based VPN solution that implements the IKEv1 and IKEv2 protocols for key exchange, IPv4 and IPv6 support, and authentication with X.509 certificates. This guide explains how to install strongSwan on CentOS 7. When following this guide, you should replace the domain name vpn.example.com with your server's fully-qualified domain name.

Prerequisites

1. Configure Networking

  1. Ports 80/TCP, 500/UDP, and 4500/UDP must be open in the firewall for strongSwan. Add these ports as shown:

     $ sudo firewall-cmd --permanent --add-port=80/tcp
 $ sudo firewall-cmd --permanent --add-port=500/udp
 $ sudo firewall-cmd --permanent --add-port=4500/udp

  2. Allow NAT packet forwarding, also known as IP masquerade.

     $ sudo firewall-cmd --permanent --add-masquerade

  3. Reload the firewall to apply the changes.

     $ sudo firewall-cmd --reload

  4. Enable IP packet forwarding in the kernel options.

     $ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.conf
 $ sudo sysctl -p

2. Add the EPEL Repository and Snap

  1. Install the Extra Packages for Enterprise Linux (EPEL) repository, which contains packages required for strongSwan and Let's Encrypt.

     $ sudo yum install -y epel-release

  2. Install Snap, which is required for Let's Encrypt.

     $ sudo yum install snapd

  3. Enable the systemd unit that manages the main snap communication socket.

     $ sudo systemctl enable --now snapd.socket

  4. Create a symbolic link between /var/lib/snapd/snap and /snap to enable classic Snap support.

     $ sudo ln -s /var/lib/snapd/snap /snap

  5. Reboot the server to activate Snap.

     $ sudo reboot

  6. Reconnect to the server via SSH as your non-root user account.

  7. Update Snap.

     $ sudo snap install core
 $ sudo snap refresh core

3. Install a Let's Encrypt Certificate

  1. Install the Let's Encrypt Certbot utility. By using a Let's Encrypt certificate instead of a self-signed one, the clients do not need to import certificates on their devices manually.

     $ sudo snap install --classic certbot

  2. Link Certbot to /usr/bin.

     $ sudo ln -s /snap/bin/certbot /usr/bin/certbot

  3. Request a new certificate.

    Certbot requires a fully qualified domain name that points to your server's IP address, as described before in the Prerequisites section. Replace user@example.com with your email address and vpn.example.com with your domain name.

     $ sudo certbot certonly --standalone --agree-tos --no-eff-email -m user@example.com -d vpn.example.com

  4. Certbot installs automatic renewal scripts for your system. You can verify the automatic renewal with this command:

     $ sudo certbot renew --dry-run

4. Install strongSwan

  1. Install the strongSwan package.

     $ sudo yum install -y strongswan

  2. Link the TLS certificate and key from Certbot for use with strongSwan. Make sure to replace vpn.example.com with your domain name.

     $ sudo ln -s /etc/letsencrypt/live/vpn.example.com/fullchain.pem /etc/strongswan/ipsec.d/certs
 $ sudo ln -s /etc/letsencrypt/live/vpn.example.com/privkey.pem /etc/strongswan/ipsec.d/private
 $ sudo ln -s /etc/letsencrypt/live/vpn.example.com/chain.pem /etc/strongswan/ipsec.d/cacerts

  3. Move the default strongSwan configuration files to a backup location.

     $ sudo mv /etc/strongswan/ipsec.conf{,.old}
 $ sudo mv /etc/strongswan/ipsec.secrets{,.old}

  4. Create a new strongSwan configuration file.

     $ sudo nano /etc/strongswan/ipsec.conf

  5. Paste the following lines. Replace vpn.example.com with your server's domain name.

     config setup
         strictcrlpolicy=yes
         uniqueids=never

 conn ikev2
         auto=add
         keyexchange=ikev2
         forceencaps=yes
         ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
         esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
         dpdaction=clear
         dpddelay=300s
         rekey=no
         left=%any
         leftid=@vpn.example.com
         leftcert=fullchain.pem
         leftsendcert=always
         leftsubnet=0.0.0.0/0
         right=%any
         rightid=%any
         rightauth=eap-mschapv2
         rightdns=8.8.8.8,8.8.4.4
         rightsourceip=10.8.0.0/16
         rightsendcert=never
         eap_identity=%identity

  6. Save and exit the file.

  7. Create the secrets file for strongSwan.

     $ sudo nano /etc/strongswan/ipsec.secrets

  8. Insert the following lines. Replace user1, user2, user3, and password with the desired credentials to access the VPN.

     : RSA "privkey.pem"
 user1 : EAP "password"
 user2 : EAP "password"
 user3 : EAP "password"

    You can create as many user/password lines as needed. Delete a line to revoke access for a user account.

  9. Save and exit the file.

  10. Start strongSwan and enable the service to start at boot.

     $ sudo systemctl enable --now strongswan

This completes the server configuration.

Client Connections

To connect to your new strongSwan server, choose the instructions for your client operating system.

Windows

  1. Open Settings.

  2. Select Network & internet.

  3. Select VPN.

  4. Select Add a VPN configuration.

  5. Configure the following settings:

    • VPN provider: Windows (built-in)
    • Connection name: (any string)
    • Server name or address: (fully-qualified domain name)
    • VPN type: IKEv2
    • Type of sign-in info: User name and password
    • User name: (username)
    • Password: (password)

  6. Click Save.

  7. Click your VPN configuration.

  8. Click Connect.

macOS

  1. Open System Preferences.

  2. Select Network.

  3. Add a new service with the + icon.

  4. Configure the following settings:

    • Interface: VPN
    • VPN Type: IKEv2
    • Service Name (any string)

  5. Click Create.

  6. Configure the following settings:

    • Server Address: (fully-qualified domain name)
    • Remote ID: (fully-qualified domain name)
    • Local ID: (leave blank)

  7. Click Authentication Settings.

  8. Enter your username and password.

  9. Click OK.

  10. Click Connect.

iOS

  1. Open Settings.

  2. Select VPN.

  3. Select Add VPN Configuration.

  4. Configure the following settings:

    • Type: IKEv2
    • Description: (can be any string)
    • Server: (fully-qualified domain name)
    • Remote ID: (fully-qualified domain name)
    • Local ID: (leave blank)
    • User Authentication: Username
    • Username: (username)
    • Password: (password)
    • Proxy: Off

  5. Select Done.

  6. Tap on the switch to connect or disconnect.

Android

  1. Open the Play Store.

  2. Search and install "strongSwan VPN Client".

  3. Launch the app.

  4. Select Add VPN Profile.

  5. Configure the following settings:

    • Server: (fully-qualified domain name)
    • VPN Type: IKEv2
    • Username: (username)
    • Password: (password)
    • CA certificate: (Select automatically)
    • Profile name: (any string)
    • Server identity: (fully-qualified domain name)

  6. Select Save.

  7. Select Connect.

More Information

For more information, please see the strongSwan documentation.

Introduction strongSwan is a cross-platform IPSec-based VPN solution that implements the IKEv1 and IKEv2 protocols for key exchange, IPv4 and IPv6 support, and authentication with X.509 certificates. This guide explains how to install strongSwan on CentOS 7. When following this guide, you should replace the domain name vpn.example.com with your server's fully-qualified domain name. Prerequisites Deploy a new CentOS 7 instance with SELinux enabled. You can use any of Rcs's cloud server types. Follow Rcs's best practice guide to update the system. Create a non-root sudo user. Create a fully-qualified DNS "A" record that points to your server's IP address. Connect to your new server via SSH as the non-root sudo user. 1. Configure Networking Ports 80/TCP, 500/UDP, and 4500/UDP must be open in the firewall for strongSwan. Add these ports as shown: $ sudo firewall-cmd --permanent --add-port=80/tcp $ sudo firewall-cmd --permanent --add-port=500/udp $ sudo firewall-cmd --permanent --add-port=4500/udp Allow NAT packet forwarding, also known as IP masquerade. $ sudo firewall-cmd --permanent --add-masquerade Reload the firewall to apply the changes. $ sudo firewall-cmd --reload Enable IP packet forwarding in the kernel options. $ echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.conf $ sudo sysctl -p 2. Add the EPEL Repository and Snap Install the Extra Packages for Enterprise Linux (EPEL) repository, which contains packages required for strongSwan and Let's Encrypt. $ sudo yum install -y epel-release Install Snap, which is required for Let's Encrypt. $ sudo yum install snapd Enable the systemd unit that manages the main snap communication socket. $ sudo systemctl enable --now snapd.socket Create a symbolic link between /var/lib/snapd/snap and /snap to enable classic Snap support. $ sudo ln -s /var/lib/snapd/snap /snap Reboot the server to activate Snap. $ sudo reboot Reconnect to the server via SSH as your non-root user account. Update Snap. $ sudo snap install core $ sudo snap refresh core 3. Install a Let's Encrypt Certificate Install the Let's Encrypt Certbot utility. By using a Let's Encrypt certificate instead of a self-signed one, the clients do not need to import certificates on their devices manually. $ sudo snap install --classic certbot Link Certbot to /usr/bin. $ sudo ln -s /snap/bin/certbot /usr/bin/certbot Request a new certificate. Certbot requires a fully qualified domain name that points to your server's IP address, as described before in the Prerequisites section. Replace user@example.com with your email address and vpn.example.com with your domain name. $ sudo certbot certonly --standalone --agree-tos --no-eff-email -m user@example.com -d vpn.example.com Certbot installs automatic renewal scripts for your system. You can verify the automatic renewal with this command: $ sudo certbot renew --dry-run 4. Install strongSwan Install the strongSwan package. $ sudo yum install -y strongswan Link the TLS certificate and key from Certbot for use with strongSwan. Make sure to replace vpn.example.com with your domain name. $ sudo ln -s /etc/letsencrypt/live/vpn.example.com/fullchain.pem /etc/strongswan/ipsec.d/certs $ sudo ln -s /etc/letsencrypt/live/vpn.example.com/privkey.pem /etc/strongswan/ipsec.d/private $ sudo ln -s /etc/letsencrypt/live/vpn.example.com/chain.pem /etc/strongswan/ipsec.d/cacerts Move the default strongSwan configuration files to a backup location. $ sudo mv /etc/strongswan/ipsec.conf{,.old} $ sudo mv /etc/strongswan/ipsec.secrets{,.old} Create a new strongSwan configuration file. $ sudo nano /etc/strongswan/ipsec.conf Paste the following lines. Replace vpn.example.com with your server's domain name. config setup strictcrlpolicy=yes uniqueids=never conn ikev2 auto=add keyexchange=ikev2 forceencaps=yes ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1! dpdaction=clear dpddelay=300s rekey=no left=%any leftid=@vpn.example.com leftcert=fullchain.pem leftsendcert=always leftsubnet=0.0.0.0/0 right=%any rightid=%any rightauth=eap-mschapv2 rightdns=8.8.8.8,8.8.4.4 rightsourceip=10.8.0.0/16 rightsendcert=never eap_identity=%identity Save and exit the file. Create the secrets file for strongSwan. $ sudo nano /etc/strongswan/ipsec.secrets Insert the following lines. Replace user1, user2, user3, and password with the desired credentials to access the VPN. : RSA "privkey.pem" user1 : EAP "password" user2 : EAP "password" user3 : EAP "password" You can create as many user/password lines as needed. Delete a line to revoke access for a user account. Save and exit the file. Start strongSwan and enable the service to start at boot. $ sudo systemctl enable --now strongswan This completes the server configuration. Client Connections To connect to your new strongSwan server, choose the instructions for your client operating system. Windows Open Settings. Select Network & internet. Select VPN. Select Add a VPN configuration. Configure the following settings: VPN provider: Windows (built-in) Connection name: (any string) Server name or address: (fully-qualified domain name) VPN type: IKEv2 Type of sign-in info: User name and password User name: (username) Password: (password) Click Save. Click your VPN configuration. Click Connect. macOS Open System Preferences. Select Network. Add a new service with the + icon. Configure the following settings: Interface: VPN VPN Type: IKEv2 Service Name (any string) Click Create. Configure the following settings: Server Address: (fully-qualified domain name) Remote ID: (fully-qualified domain name) Local ID: (leave blank) Click Authentication Settings. Enter your username and password. Click OK. Click Connect. iOS Open Settings. Select VPN. Select Add VPN Configuration. Configure the following settings: Type: IKEv2 Description: (can be any string) Server: (fully-qualified domain name) Remote ID: (fully-qualified domain name) Local ID: (leave blank) User Authentication: Username Username: (username) Password: (password) Proxy: Off Select Done. Tap on the switch to connect or disconnect. Android Open the Play Store. Search and install "strongSwan VPN Client". Launch the app. Select Add VPN Profile. Configure the following settings: Server: (fully-qualified domain name) VPN Type: IKEv2 Username: (username) Password: (password) CA certificate: (Select automatically) Profile name: (any string) Server identity: (fully-qualified domain name) Select Save. Select Connect. More Information For more information, please see the strongSwan documentation.
Was this answer helpful?

Related Articles

Install and Configure Redis on CentOS 8   Introduction Redis is an open-source in-memory data structure store. You can use it as a... Install MongoDB on CentOS .article--sm, .article--sm .alert { font-size: 15px; line-height: 24px;... Setup Red5 Media Server on CentOS 7 Using a Different System?... Install and Configure Redis on CentOS 8 Using a Different System?... How to Install AirSonic on CentOS 7 Using a Different System?...
Back

Powered by WHMCompleteSolution

  Support

  My Support Tickets   Announcements   Knowledgebase   Downloads   Network Status   Open Ticket