September 16, 2016

How To Setup IKEV2 Strongswan VPN Server on Ubuntu For iOS / iPhone

Introduction

Internet Key Exchange version 2 (IKEv2) is the next-generation key-exchange protocol for IPsec VPNs and is gradually being adopted by companies such as Apple and Microsoft.

Why do people use IKEv2?

Well, basically it's great for mobile / cell phone users who may have frequent dropouts and not the most stable internet. It is also very secure compared to the protocols previously used, and a lot of people consider it on par with the strength of the OpenVPN protocol.

The only con that I can find through my research is that it's not highly adopted yet, meaning that a tonne of devices don't support it; in saying that, it's slowly becoming more popular.

Pros:

  1. Fast (good encapsulation) VPN protocol, underlying protocol will minimize lag
  2. Highly secure, can compare to OpenVPN protocol

Cons:

  1. Not highly adopted – you won’t be able to easily set this up on all your devices
  2. Hard to configure for beginners unless you’re reading this guide!

So now that we know it’s a great VPN protocol for mobile users we want to set it up on a server for us to use.

We're going to set up an IKEv2 Strongswan server on Ubuntu 16.04 x64 with user + pass authentication.

If you don't have a server to use, I would highly suggest creating an account with https://vultr.com: for only $5 per month you can get a cloud instance with 768 MB RAM, a 15 GB SSD and 1 TB of bandwidth in 14 locations, basically the best deal available at the moment and a great alternative to DigitalOcean.


In the following tutorial we will be configuring the server to only use user+pass authentication without any certificates.

Prerequisites: Before You Install

Add the wheezy backports repository to your apt sources so you can download the required packages.

You may also be missing the GPG keys, so the following commands request them and add them as well (in case you have any issues). The redirect is done with tee because a plain `>` redirect runs in your own shell, not under sudo, and would fail to write the root-owned file:

echo "deb http://ftp.debian.org/debian wheezy-backports main" | sudo tee /etc/apt/sources.list.d/wheezy-backports.list
sudo gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
sudo gpg -a --export 8B48AD6246925553 | sudo apt-key add -
sudo gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
sudo gpg -a --export 7638D0442B90D010 | sudo apt-key add -

Don’t forget to update your repos and upgrade any old packages:

sudo apt-get -y update && sudo apt-get upgrade -y


Step 1 – Install Strongswan Package

Simply use the apt package manager for a quick install:

sudo apt-get -y install strongswan strongswan-plugin-openssl strongswan-plugin-eap-mschapv2

This installs the main strongswan package as well as the minimum plugins we require for the rest of this tutorial.

Step 2 – Edit strongswan.conf

You can quickly empty the strongswan.conf file with this command (the file is owned by root, so the truncation itself has to run under sudo):

sudo truncate -s 0 /etc/strongswan.conf

Replace everything in /etc/strongswan.conf with the following:

charon {
    load_modular = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

You can replace the DNS servers if you wish; these are just Google's public DNS IPs.

Step 3 – Edit ipsec.conf

This is a minimized version of ipsec.conf. Once again you can truncate the existing file quickly using this command:

sudo truncate -s 0 /etc/ipsec.conf

Now open up /etc/ipsec.conf and paste everything below. You can replace leftid= and rightid= with whatever you want, but for first-timers I would suggest just copying everything exactly so you can see how it works before customizing it.

config setup
 strictcrlpolicy=no
 uniqueids=no

conn %default
 mobike=yes
 dpdaction=clear
 dpddelay=35s
 dpdtimeout=200s
 fragmentation=yes

conn iOS-IKEV2
 auto=add
 keyexchange=ikev2
 eap_identity=%any
 left=%any
 leftsubnet=0.0.0.0/0
 rightsubnet=10.99.1.0/24
 leftauth=psk
 leftid=%any
 right=%any
 rightsourceip=10.99.1.0/24
 rightauth=eap-mschapv2
 rightid=%any

Step 4 – Edit ipsec.secrets (your users login & passwords)

Here is where we will store our users' logins and passwords. They are stored in plaintext, so the file is very easy to edit.

Once again, let's truncate the existing file by executing the following command:

sudo truncate -s 0 /etc/ipsec.secrets

Now you can replace it with the following text:

include /var/lib/strongswan/ipsec.secrets.inc

# logins
 : PSK "SEXapPAm5x5OXktAzes9nxE3NvilpmIH1orpE2cIzgfWRZgQDYZ1Wm3thlfXXwn"
myusername : EAP "hSyeI1H8Wsybb5qDk5abBrJ7LCu3bPbJrax9aFG77FiiJZu3eUepLwvg9pjjEL3"

PSK is an acronym for Pre-Shared Key; it will be present in all of the configs that we generate for our users in the upcoming step.

You can type out an awesomely long sequence of characters there, or, for those of you who don't enjoy aimlessly smashing the keyboard, you can use a generator like this one to create it:

http://www.n-cg.net/WPA-PSK_KeyGen.htm
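As an added example (not part of the original post), here is how to generate both the PSK and the user password locally from the kernel's random source instead of a web page, and emit the two /etc/ipsec.secrets lines in the format shown above. It assumes a Linux host with coreutils (head, base64, tr).

```shell
# gen_secret BYTES: print BYTES of random data as URL-safe base64 with no
# padding, so the result needs no quoting inside the double-quoted
# ipsec.secrets entries. 48 bytes gives a 64-character secret.
gen_secret() {
    head -c "${1:-48}" /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# secrets_lines USER PSK PASSWORD: print the ipsec.secrets body for one user,
# mirroring the layout used in Step 4 (blank ID before the PSK = any peer).
secrets_lines() {
    printf 'include /var/lib/strongswan/ipsec.secrets.inc\n\n'
    printf '# logins\n'
    printf ' : PSK "%s"\n' "$2"
    printf '%s : EAP "%s"\n' "$1" "$3"
}

# Usage (run on the server): write the file as root and keep it unreadable by
# other users, since both secrets are stored in plaintext.
#   PSK=$(gen_secret 48); PW=$(gen_secret 24)
#   secrets_lines myusername "$PSK" "$PW" | sudo tee /etc/ipsec.secrets >/dev/null
#   sudo chmod 600 /etc/ipsec.secrets && sudo ipsec rereadsecrets
```

Keep the generated PSK and password somewhere safe: you need both again in Step 6 when filling in the mobileconfig placeholders.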

Step 5 – iptable rules

You need to get your main interface name. It's usually eth0, but not always; if you're unsure what it is, type this in your console:

ifconfig

The output will then show you a name; in this case it's ens3:


ens3      Link encap:Ethernet  HWaddr 56:00:00:36:06:27 
          inet addr:45.76.100.206  Bcast:255.255.254.0  Mask:255.255.254.0
          inet6 addr: fe80::5400:ff:fe36:627/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22471 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19986 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:141559184 (141.5 MB)  TX bytes:2090717 (2.0 MB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Now that we have the interface name, you just need to enter these rules, replacing ens3 with your interface name:

sudo iptables -t nat -A POSTROUTING -s 10.99.1.0/24 -o ens3 -j MASQUERADE
sudo iptables -A FORWARD -s 10.99.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

The 10.99.1.0/24 is the subnet from the file /etc/ipsec.conf. You can change this, but make sure the change is reflected in the config and that you also update your iptables rules.

Now we need to enable IP forwarding. You can quickly do this with the following command (the write has to happen as root, so the whole redirect is run under sudo):

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Alternatively, to avoid doing this every time you restart your server, you can make it permanent by adding it to your /etc/sysctl.conf file.

Append this to the end of the file

net.ipv4.ip_forward=1

Then reload it by typing

sudo sysctl -p

Step 6 – Create your mobile config file

This is the very last thing we have to do before we can start connecting from our iPhone.

Basically, the iOS device does allow you to add connections manually, but that screen is very basic and doesn't let you set some of the parameters required for our setup.

So the solution is to create a myusername.mobileconfig file.

I have listed the placeholders here that we need to change:

  1. @@Replace with your password from /etc/ipsec.secrets@@
    Use your password here; in our case we can replace it with the password we used above, hSyeI1H8Wsybb5qDk5abBrJ7LCu3bPbJrax9aFG77FiiJZu3eUepLwvg9pjjEL3
  2. @@Replace with your server IP address@@
    Enter either your server's DNS name or its IP address
  3. @@Replace with the PSK from /etc/ipsec.secrets@@
    This is the pre-shared key we talked about earlier; make sure it matches the one in /etc/ipsec.secrets
    SEXapPAm5x5OXktAzes9nxE3NvilpmIH1orpE2cIzgfWRZgQDYZ1Wm3thlfXXwn
  4. @@My VPN Connection Name@@
    This is just the connection / profile name that will appear in your iPhone's VPN settings
  5. @@Replace with output from uuidgen@@
    You can run this command on any Ubuntu/Linux machine; it generates a random UUID. I have used this placeholder a few times in the config: run uuidgen separately for each line so every line gets a unique value.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
 <dict>
 <key>PayloadContent</key>
 <array>
 <dict>
 <key>IKEv2</key>
 <dict>
 <key>AuthName</key>
 <string>myusername</string>
 <key>AuthPassword</key>
 <string>@@Replace with your password from /etc/ipsec.secrets@@</string>
 <key>AuthenticationMethod</key>
 <string>SharedSecret</string>
 <key>ChildSecurityAssociationParameters</key>
 <dict>
 <key>DiffieHellmanGroup</key>
 <integer>2</integer>
 <key>EncryptionAlgorithm</key>
 <string>3DES</string>
 <key>IntegrityAlgorithm</key>
 <string>SHA1-96</string>
 <key>LifeTimeInMinutes</key>
 <integer>1440</integer>
 </dict>
 <key>DeadPeerDetectionRate</key>
 <string>Medium</string>
 <key>DisableMOBIKE</key>
 <integer>0</integer>
 <key>DisableRedirect</key>
 <integer>0</integer>
 <key>EnableCertificateRevocationCheck</key>
 <integer>0</integer>
 <key>EnablePFS</key>
 <integer>0</integer>
 <key>ExtendedAuthEnabled</key>
 <true/>
 <key>IKESecurityAssociationParameters</key>
 <dict>
 <key>DiffieHellmanGroup</key>
 <integer>2</integer>
 <key>EncryptionAlgorithm</key>
 <string>3DES</string>
 <key>IntegrityAlgorithm</key>
 <string>SHA1-96</string>
 <key>LifeTimeInMinutes</key>
 <integer>1440</integer>
 </dict>
 <key>LocalIdentifier</key>
 <string>myserver.com.client</string>
 <key>RemoteAddress</key>
 <string>@@Replace with your server IP address@@</string>
 <key>RemoteIdentifier</key>
 <string>myserver.com.server</string>
 <key>SharedSecret</key>
 <string>@@Replace with the PSK from /etc/ipsec.secrets@@</string>
 <key>UseConfigurationAttributeInternalIPSubnet</key>
 <integer>0</integer>
 </dict>
 <key>IPv4</key>
 <dict>
 <key>OverridePrimary</key>
 <integer>1</integer>
 </dict>
 <key>PayloadDescription</key>
 <string>Configures VPN settings for iphone</string>
 <key>PayloadDisplayName</key>
 <string>TutorialVPN</string>
 <key>PayloadIdentifier</key>
 <string>@@Replace with output from uuidgen@@</string>
 <key>PayloadType</key>
 <string>com.apple.vpn.managed</string>
 <key>PayloadUUID</key>
 <string>@@Replace with output from uuidgen@@</string>
 <key>PayloadVersion</key>
 <real>1</real>
 <key>Proxies</key>
 <dict>
 <key>HTTPEnable</key>
 <integer>0</integer>
 <key>HTTPSEnable</key>
 <integer>0</integer>
 <key>ProxyAutoConfigEnable</key>
 <integer>0</integer>
 <key>ProxyAutoDiscoveryEnable</key>
 <integer>0</integer>
 </dict>
 <key>UserDefinedName</key>
 <string>@@My VPN Connection Name@@</string>
 <key>VPNType</key>
 <string>IKEv2</string>
 <key>VendorConfig</key>
 <dict/>
 </dict>
 </array>
 <key>PayloadDisplayName</key>
 <string>IKEv2</string>
 <key>PayloadIdentifier</key>
 <string>@@Replace with output from uuidgen@@</string>
 <key>PayloadRemovalDisallowed</key>
 <false/>
 <key>PayloadType</key>
 <string>Configuration</string>
 <key>PayloadUUID</key>
 <string>@@Replace with output from command uuidgen@@</string>
 <key>PayloadVersion</key>
 <integer>1</integer>
 </dict>
</plist>
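Filling the template by hand is where mistakes creep in (a reused UUID, a PSK that differs from ipsec.secrets). As an added example, not part of the original post, the following POSIX shell function renders the profile above from a saved template file, giving every uuidgen placeholder its own fresh UUID. It assumes the template is saved as template.mobileconfig and that either uuidgen or /proc/sys/kernel/random/uuid (Linux) is available.

```shell
# new_uuid: one fresh UUID per call; falls back to the kernel's generator.
new_uuid() {
    uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# render_profile TEMPLATE SERVER PSK PASSWORD NAME
# Reads the template file and prints the finished profile to stdout.
# The values must not contain the characters & | < or >, which would break
# either the sed expressions or the XML (secrets made of base64 characters
# are safe).
render_profile() {
    tpl=$1; server=$2; psk=$3; pw=$4; name=$5
    while IFS= read -r line || [ -n "$line" ]; do
        # Replace uuidgen placeholders one at a time so that each occurrence,
        # even two on the same line, gets a distinct UUID.
        while [ "${line#*@@Replace with output from}" != "$line" ]; do
            u=$(new_uuid)
            new=$(printf '%s' "$line" |
                sed "s/@@Replace with output from \(command \)\{0,1\}uuidgen@@/$u/")
            [ "$new" != "$line" ] || break   # unknown variant: leave it as is
            line=$new
        done
        line=$(printf '%s' "$line" | sed \
            -e "s|@@Replace with your server IP address@@|$server|" \
            -e "s|@@Replace with the PSK from /etc/ipsec.secrets@@|$psk|" \
            -e "s|@@Replace with your password from /etc/ipsec.secrets@@|$pw|" \
            -e "s|@@My VPN Connection Name@@|$name|")
        printf '%s\n' "$line"
    done < "$tpl"
}

# Usage (PSK and PW being the exact values written to /etc/ipsec.secrets):
#   render_profile template.mobileconfig vpn.example.com "$PSK" "$PW" "My VPN" \
#       > myusername.mobileconfig
```

Before uploading, grep the output for "@@" to confirm that no placeholder survived; a leftover one will make iOS reject the profile or fail authentication.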

Step 7 – Adding to your iPhone

Now that you have created the mobileconfig file, simply save it as “whateveryouwant.mobileconfig” and upload it to a public website address.

Now on your iPhone, navigate to the URL it is hosted on with Safari and you'll be prompted to install the configuration profile.

Simply follow the prompts on your iPhone and install the VPN connection profile.

Once this is done it will appear as already checked (ticked) in your VPN settings.

You can then just tap the connection slider next to "Not Connected".

Finished!

I hope you were able to set up your own IKEv2 server for iOS / iPhone by now.

If you have any questions or are having difficulty leave a comment below and I’ll try to help you.
