How to set up an IKEv2 VPN server with strongSwan on CentOS 7.8

  1. install strongswan

    # Install strongSwan; -y skips the interactive confirmation prompt.
    yum -y install strongswan
    
  2. prepare certs

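    # Keys and certificates for the IKEv2 server.
    # umask 077 makes every file created by the redirections below owner-only
    # (0600); with the usual default umask the private keys would be left
    # world-readable on disk.
    umask 077
    mkdir -p /certs && cd /certs
    # CA private key and self-signed CA certificate (10-year lifetime).
    strongswan pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
    strongswan pki --self --ca --lifetime 3650 --in ca-key.pem --type rsa \
      --dn "CN=VPN root CA" --outform pem > ca-cert.pem
    # Server private key and a CA-signed server certificate (5-year lifetime).
    # The CN/SAN must match leftid in ipsec.conf; serverAuth and
    # ikeIntermediate are the EKU flags IKEv2 clients such as Windows check.
    strongswan pki --gen --type rsa --size 4096 --outform pem > server-key.pem
    strongswan pki --pub --in server-key.pem --type rsa \
      | strongswan pki --issue --lifetime 1825 --cacert ca-cert.pem --cakey ca-key.pem \
          --dn "CN=chenshi.net" --san "chenshi.net" \
          --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem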
    
  3. prepare configuration files

    # ipsec.conf - strongSwan IPsec configuration file
    
            config setup
                    charondebug="all"
                    uniqueids=no
    
            conn ikev2-vpn
                    auto=add
                    compress=no
                    type=tunnel
                    keyexchange=ikev2
                    fragmentation=yes
                    forceencaps=yes
                    dpdaction=clear
                    dpddelay=300s
                    rekey=no
                    left=%any
                    leftid=@chenshi.net
                    leftcert=/certs/server-cert.pem
                    leftsendcert=always
                    leftsubnet=0.0.0.0/0
                    right=%any
                    rightid=%any
                    rightauth=eap-mschapv2
                    rightsourceip=172.18.18.0/24
                    rightdns=9.9.9.9
                    rightsendcert=never
                    eap_identity=%identity
    
    # /etc/ipsec.secrets - strongSwan IPsec secrets file
    
        : RSA /certs/server-key.pem
    
        chenshi : EAP "chenshi.net"
    
        : PSK "chenshi.net"
    

    Don't forget to add the DNS settings in charon.conf as well.

  4. change iptables

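    # Forwarding and NAT for the VPN client pool. The subnet must match
    # rightsourceip in ipsec.conf; the egress interface is the server's uplink.
    vpn_subnet=172.18.18.0/24
    wan_if=ens192
    # Enable IPv4 forwarding persistently. Only append the line when it is not
    # already present, so re-running this step does not pile up duplicates.
    grep -qE '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1$' /etc/sysctl.conf \
      || printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
    sysctl -p
    yum -y install iptables-services
    # NOTE(review): -F discards every existing filter-table rule on the host,
    # and 'service iptables save' below then persists that emptied ruleset.
    # Review /etc/sysconfig/iptables afterwards and re-add any rules you need.
    iptables -F
    # Masquerade client traffic leaving on the uplink so return traffic routes
    # back to the tunnel.
    iptables -t nat -A POSTROUTING -s "$vpn_subnet" -o "$wan_if" -j MASQUERADE
    service iptables save
    systemctl restart strongswan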
    
  5. on windows client

    certlm.msc # import cert
    Windows Registry Editor Version 5.00 # add regkey
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
    "NegotiateDH2048_AES256"=dword:00000001
    
  6. references:

    https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2