IKEv2/IPsec VPN Server Setup
Modern IKEv2 VPN server with certificate-based authentication and automatic reconnection
Why Choose IKEv2?
Advantages
- Fast connection establishment
- Automatic reconnection (MOBIKE)
- Strong security with modern cryptography
- Native support on most devices
- Excellent for mobile devices
Best For
- Mobile users (iOS, Android)
- Frequent network switching
- Enterprise environments
- Users requiring stability
- Battery-conscious applications
🚀 Quick Installation
Use our automated script for the fastest setup:
Terminal
wget https://get.vpnsetup.net -O vpn.sh
sudo sh vpn.sh --ikev2
The script will automatically configure IKEv2 with Let's Encrypt certificates. For manual setup, continue reading below.
1 System Preparation
Install StrongSwan
Terminal
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y
Enable IP Forwarding
Terminal
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.conf.all.accept_redirects = 0' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.conf.all.send_redirects = 0' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
2 Create Certificate Authority
Generate CA Certificate
Terminal
mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki
cd ~/pki
# Generate CA private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/ca-key.pem
# Generate CA certificate
ipsec pki --self --ca --lifetime 3650 --in private/ca-key.pem \
--type rsa --dn "CN=VPN root CA" --outform pem > cacerts/ca-cert.pem
Generate Server Certificate
Terminal
# Generate server private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/server-key.pem
# Generate server certificate (replace YOUR_SERVER_IP with actual IP)
ipsec pki --pub --in private/server-key.pem --type rsa \
| ipsec pki --issue --lifetime 1825 \
--cacert cacerts/ca-cert.pem \
--cakey private/ca-key.pem \
--dn "CN=YOUR_SERVER_IP" --san="YOUR_SERVER_IP" \
--flag serverAuth --flag ikeIntermediate --outform pem \
> certs/server-cert.pem
3 Install Certificates
Terminal
sudo cp ~/pki/cacerts/ca-cert.pem /etc/ipsec.d/cacerts/
sudo cp ~/pki/certs/server-cert.pem /etc/ipsec.d/certs/
sudo cp ~/pki/private/server-key.pem /etc/ipsec.d/private/
sudo cp ~/pki/private/ca-key.pem /etc/ipsec.d/private/
# Set proper permissions
sudo chown root:root /etc/ipsec.d/private/*
sudo chmod 600 /etc/ipsec.d/private/*
4 Configure StrongSwan
IPsec Configuration
/etc/ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@YOUR_SERVER_IP
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
IPsec Secrets
/etc/ipsec.secrets
# RSA private key for server certificate
: RSA server-key.pem
# User credentials for EAP authentication
username1 : EAP "password1"
username2 : EAP "password2"
admin : EAP "strongpassword123"
5 Firewall & NAT Configuration
Configure UFW
Terminal
sudo ufw allow 22/tcp
sudo ufw allow 500/udp
sudo ufw allow 4500/udp
sudo ufw --force enable
NAT Rules
Terminal
# Replace eth0 with the name of the server's public interface
sudo iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
sudo iptables -A FORWARD -d 10.10.10.0/24 -j ACCEPT
# /etc/iptables/rules.v4 is restored at boot by the iptables-persistent package
sudo iptables-save | sudo tee /etc/iptables/rules.v4
6 Start StrongSwan Service
Terminal
sudo systemctl enable strongswan-starter
sudo systemctl start strongswan-starter
sudo systemctl status strongswan-starter
# Test configuration
sudo ipsec statusall
7 Generate Client Certificates
Create Client Certificate
Terminal
cd ~/pki
# Generate client private key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/client-key.pem
# Generate client certificate
ipsec pki --pub --in private/client-key.pem --type rsa \
| ipsec pki --issue --lifetime 1825 \
--cacert cacerts/ca-cert.pem \
--cakey private/ca-key.pem \
--dn "CN=client" --san="client" \
--outform pem > certs/client-cert.pem
# Create PKCS#12 bundle for easy import
openssl pkcs12 -export -inkey private/client-key.pem \
-in certs/client-cert.pem -name "client" \
-certfile cacerts/ca-cert.pem \
-caname "VPN root CA" \
-out client.p12
📱 Client Configuration
iOS/macOS
- Install CA certificate first
- Server: YOUR_SERVER_IP
- Type: IKEv2
- Authentication: Certificate
- Install client.p12 certificate
Android
- VPN Type: IKEv2/IPsec RSA
- Server Address: YOUR_SERVER_IP
- User Certificate: Import client.p12
- CA Certificate: Import ca-cert.pem
Windows
For Windows, you can use the built-in VPN client or strongSwan client:
- Install CA certificate in Trusted Root store
- Install client certificate in Personal store
- Configure IKEv2 connection with certificate authentication
⚙️ Advanced Configuration
Enable MOBIKE (Mobility)
Add to your connection configuration for automatic reconnection:
Additional ipsec.conf options
mobike=yes
closeaction=restart
dpdaction=restart
Multiple User Management
You can add multiple users by generating separate client certificates or using EAP authentication with different usernames in ipsec.secrets.
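The ike= and esp= lists in the ipsec.conf from step 4 end with legacy proposals (3des-sha1-modp1024 and similar) that only old clients need, and the ipsec.secrets example holds short EAP passwords. The following POSIX shell script is an added example, not part of the original guide or of strongSwan: it audits both files. The WEAK_TOKENS list, the MIN_PW_LEN threshold and the script name ipsec-audit.sh are assumptions of this example; harden_proposals drops every proposal containing a listed algorithm and keeps strongSwan's strict-mode "!" suffix, and audit_secrets checks an ipsec.secrets-style file for a mode other than 600, duplicate EAP users and short passwords.

```shell
#!/bin/sh
# Added example, not part of the original guide or of strongSwan: audit the
# ike=/esp= proposal lists from ipsec.conf and the EAP entries in an
# ipsec.secrets-style file for weak settings.

# Algorithm tokens treated as legacy. This list is an assumption of the
# example; adjust it to your own policy.
WEAK_TOKENS="des 3des md5 sha1 modp768 modp1024 modp1536 null"
MIN_PW_LEN=16

# is_weak_token TOKEN -> exit 0 if TOKEN is listed in WEAK_TOKENS
is_weak_token() {
    for w in $WEAK_TOKENS; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# proposal_is_weak PROPOSAL -> exit 0 if any hyphen-separated token is legacy,
# e.g. "aes256-sha1-modp1024" is weak, "aes256gcm16-sha384-prfsha384-ecp384" is not
proposal_is_weak() {
    saved_ifs=$IFS
    IFS='-'
    set -- $1
    IFS=$saved_ifs
    for tok in "$@"; do
        is_weak_token "$tok" && return 0
    done
    return 1
}

# harden_proposals LIST -> prints the comma-separated LIST with legacy
# proposals removed; strongSwan's strict-mode '!' suffix is kept if present.
harden_proposals() {
    list=$1
    strict=
    case $list in
        *!) strict='!'; list=${list%!} ;;
    esac
    saved_ifs=$IFS
    IFS=','
    set -- $list
    IFS=$saved_ifs
    out=
    for prop in "$@"; do
        if proposal_is_weak "$prop"; then
            echo "dropping legacy proposal: $prop" >&2
        else
            out="${out:+$out,}$prop"
        fi
    done
    printf '%s%s\n' "$out" "$strict"
}

# audit_secrets FILE -> exit 0 if FILE is mode 600, no EAP user is defined
# twice, and every EAP password has at least MIN_PW_LEN characters.
# Only lines of the form   user : EAP "password"   are inspected.
audit_secrets() {
    file=$1
    problems=0
    seen=
    if [ -z "$(find "$file" -perm 0600 2>/dev/null)" ]; then
        echo "$file: expected mode 600" >&2
        problems=$((problems + 1))
    fi
    while IFS= read -r line; do
        case $line in
            *:*EAP*\"*\"*) ;;
            *) continue ;;
        esac
        user=${line%%[[:space:]:]*}
        pw=${line#*EAP*\"}
        pw=${pw%\"*}
        case " $seen " in
            *" $user "*)
                echo "$file: EAP user $user is defined more than once" >&2
                problems=$((problems + 1)) ;;
        esac
        seen="$seen $user"
        if [ "${#pw}" -lt "$MIN_PW_LEN" ]; then
            echo "$file: password for $user is shorter than $MIN_PW_LEN characters" >&2
            problems=$((problems + 1))
        fi
    done <"$file"
    [ "$problems" -eq 0 ]
}

# Stand-alone usage:  sh ipsec-audit.sh "<ike or esp list>" /etc/ipsec.secrets
if [ "$#" -eq 2 ]; then
    harden_proposals "$1"
    audit_secrets "$2"
fi
```

Run against the page's own ike= list, harden_proposals prints only the two AEAD proposals (chacha20poly1305 and aes256gcm16) with the trailing "!" kept, and reports the three dropped proposals on stderr; paste the result back into ipsec.conf once no client needs the legacy entries.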
🔧 Troubleshooting
Connection Issues
- Check service status:
sudo systemctl status strongswan-starter
- View logs:
sudo journalctl -u strongswan-starter -f
- Test configuration:
sudo ipsec statusall
- Verify certificates:
sudo ipsec listcerts
Certificate Problems
- Ensure server IP matches certificate CN/SAN
- Check certificate expiration dates
- Verify CA certificate is properly installed on clients
- Confirm file permissions on private keys (600)
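The three server-side checks in the list above can be scripted with openssl. The script below is an added example, not part of the original guide or of strongSwan; it assumes openssl is installed on the server, takes the paths from step 3 as arguments, and the script name vpn-cert-check.sh and the 30-day expiry window are assumptions of this example. It verifies that the private key is mode 600, that the certificate does not expire within 30 days, and that the server IP appears as the subject CN or in the subjectAltName extension, which is where strongSwan matches the server's IKE identity against the certificate.

```shell
#!/bin/sh
# Added example, not part of the original guide or of strongSwan: check a
# server certificate and key for the problems listed above. Assumes openssl
# is installed; the file paths are those used in step 3 of the guide.
#
#   sh vpn-cert-check.sh /etc/ipsec.d/certs/server-cert.pem \
#       /etc/ipsec.d/private/server-key.pem YOUR_SERVER_IP

# key_perms_ok KEYFILE -> exit 0 if the private key is mode 600
key_perms_ok() {
    [ -n "$(find "$1" -perm 0600 2>/dev/null)" ]
}

# cert_not_expiring CERT DAYS -> exit 0 if CERT is still valid DAYS from now
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_matches_host CERT HOST -> exit 0 if HOST is the subject CN or appears
# as an IP/DNS entry in the subjectAltName extension
cert_matches_host() {
    # escape dots so an IP address is matched literally rather than as a wildcard
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    re="(^subject=.*CN ?= ?$esc"'(,|/|$))|((IP Address|DNS):'"$esc"'(,|$))'
    openssl x509 -in "$1" -noout -subject -text 2>/dev/null | grep -Eq "$re"
}

# audit_server_pki CERT KEY HOST -> prints one line per check; exit 0 if all pass
audit_server_pki() {
    failed=0
    if key_perms_ok "$2"; then
        echo "ok   private key is mode 600: $2"
    else
        echo "FAIL private key is not mode 600: $2"; failed=$((failed + 1))
    fi
    if cert_not_expiring "$1" 30; then
        echo "ok   certificate valid for more than 30 days: $1"
    else
        echo "FAIL certificate expires within 30 days (or is unreadable): $1"; failed=$((failed + 1))
    fi
    if cert_matches_host "$1" "$3"; then
        echo "ok   CN/SAN contains $3"
    else
        echo "FAIL CN/SAN does not contain $3"; failed=$((failed + 1))
    fi
    [ "$failed" -eq 0 ]
}

if [ "$#" -eq 3 ]; then
    audit_server_pki "$1" "$2" "$3"
fi
```

A non-zero exit status makes the script usable from cron or a monitoring check; a FAIL on the CN/SAN line is the usual cause when clients report an identity or certificate error after the server was moved to a new address, since the certificate from step 2 is bound to YOUR_SERVER_IP.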