This is just a cheat sheet with the most bare-bones instructions for installing strongSwan as an IKEv2 server.
Edit the system control configuration:
vi /etc/sysctl.conf
Uncomment or insert lines to allow forwarding:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Save the file and activate the changes:
sysctl -p
Add rules to allow input on udp/500 and udp/4500:
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
ip6tables -A INPUT -p udp --dport 500 -j ACCEPT
ip6tables -A INPUT -p udp --dport 4500 -j ACCEPT
Masquerade the source address on outbound packets:
iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ens3 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fec3::/120 -o ens3 -j MASQUERADE
Persist the new set of firewall rules:
dpkg-reconfigure iptables-persistent
Update your system:
apt update && apt upgrade -y
Install strongSwan and related packages:
apt install -y strongswan strongswan-swanctl strongswan-pki libstrongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins libcharon-extauth-plugins charon-systemd libtss2-tcti-tabrmd0
Create a directory for certificate requests:
mkdir /etc/swanctl/req
Use the strongSwan pki tool to create keys and certificates:
pki --gen --type rsa --outform pem > /etc/swanctl/private/strongswanKey.pem
pki --self --ca --lifetime 3652 --in /etc/swanctl/private/strongswanKey.pem --dn "C=CA, O=strongswan, CN=strongSwan Root CA" --outform pem > /etc/swanctl/x509ca/strongswanCert.pem
pki --gen --type rsa --outform pem > /etc/swanctl/private/moonKey.pem
pki --req --type rsa --in /etc/swanctl/private/moonKey.pem --dn "C=CA, O=strongswan, CN=moon.dcame.net" --san moon.dcame.net --outform pem > /etc/swanctl/req/moonReq.pem
pki --issue --cacert /etc/swanctl/x509ca/strongswanCert.pem --cakey /etc/swanctl/private/strongswanKey.pem --type pkcs10 --in /etc/swanctl/req/moonReq.pem --lifetime 730 --flag serverAuth --flag ikeIntermediate --outform pem > /etc/swanctl/x509/moonCert.pem
pki --gen --type rsa --outform pem > /etc/swanctl/private/derekKey.pem
pki --req --type rsa --in /etc/swanctl/private/derekKey.pem --dn "C=CA, O=strongswan, CN=derek" --san derek --outform pem > /etc/swanctl/req/derekReq.pem
pki --issue --cacert /etc/swanctl/x509ca/strongswanCert.pem --cakey /etc/swanctl/private/strongswanKey.pem --type pkcs10 --in /etc/swanctl/req/derekReq.pem --lifetime 730 --flag clientAuth --outform pem > /etc/swanctl/x509/derekCert.pem
Create a .p12 file for clients that require it:
openssl pkcs12 -export -out ~/derek.p12 -inkey /etc/swanctl/private/derekKey.pem -in /etc/swanctl/x509/derekCert.pem -certfile /etc/swanctl/x509ca/strongswanCert.pem
Copy client certificates and key to an easily accessible location on the server, ready to be downloaded to the client:
cp /etc/swanctl/x509ca/strongswanCert.pem ~/
cp /etc/swanctl/x509/derekCert.pem ~/
cp /etc/swanctl/private/derekKey.pem ~/
Edit the new-format configuration file:
vi /etc/swanctl/swanctl.conf
Use this as a model:
connections {
    ikev2-pubkey {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        local {
            certs = moonCert.pem
            id = moon.dcame.net
        }
        remote {
        }
        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0,::
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 10.3.0.0/16
        dns = 1.1.1.1, 1.0.0.1
    }
    primary-pool-ipv6 {
        addrs = fec3::/120
        dns = 2606:4700:4700::1111, 2606:4700:4700::1001
    }
}
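As an added check that is not part of this cheat sheet or of strongSwan itself: a small Python parser for the section syntax swanctl.conf uses, run over a trimmed copy of the model config above, with a lint that reports a pool that is referenced but never defined and the rekey_time = 0s settings (strongSwan treats 0 as disabling rekeying). It assumes one setting or brace per line and no include directives; the sample deliberately leaves out the IPv6 pool so the dangling-reference finding shows up.

```python
# Trimmed from the swanctl.conf model above (primary-pool-ipv6 left out on purpose).
SAMPLE = """\
connections {
    ikev2-pubkey {
        version = 2
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        children {
            ikev2-pubkey {
                rekey_time = 0s
            }
        }
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 10.3.0.0/16
    }
}
"""

def parse(text):
    """Nested dicts from swanctl's 'section { key = value }' syntax, one item per line."""
    stack = [{}]                                   # stack[-1] is the open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                     # open a nested section
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":                          # close the current section
            stack.pop()
        else:                                      # key = value setting
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return stack[0]

def lint(cfg):
    """Flag dangling pool references and disabled rekeying for operator review."""
    findings, pools = [], cfg.get("pools", {})
    for name, conn in cfg.get("connections", {}).items():
        for pool in [p.strip() for p in conn.get("pools", "").split(",") if p.strip()]:
            if pool not in pools:
                findings.append(f"{name}: undefined pool {pool}")
        if conn.get("rekey_time") == "0s":         # 0s disables IKE_SA rekeying
            findings.append(f"{name}: IKE_SA rekeying disabled")
        for cname, child in conn.get("children", {}).items():
            if child.get("rekey_time") == "0s":    # same rule for the CHILD_SA
                findings.append(f"{name}/{cname}: CHILD_SA rekeying disabled")
    return findings
```

Run lint(parse(open("/etc/swanctl/swanctl.conf").read())) on the server to review the live file the same way.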
Restart strongSwan with the new configuration:
systemctl restart strongswan