Sam - September 16, 2016
How To Setup IKEV2 Strongswan VPN Server on Ubuntu For iOS / iPhone
Introduction
Internet Key Exchange (IKEv2) is basically the next generation type of VPN encryption and is slowly being adopted by companies such as Apple & Microsoft.
Why do people use IKEv2?
Well basically it’s great for mobile / cell phone users who may have frequent dropouts and not the most stable internet. It is also very, very secure compared to other protocols previously used and a lot of people consider it on par with the strength of OpenVPN protocol.
The only con that I can find through my research is that it’s not highly adopted yet, meaning that a tonne of devices don’t support but in saying that, it’s slowly becoming more popular.
Pros:
Fast (good encapsulation) VPN protocol, underlying protocol will minimize lag
Highly secure, can compare to OpenVPN protocol
Cons:
Not highly adopted – you won’t be able to easily set this up on all your devices
Hard to configure for beginners unless you’re reading this guide!
So now that we know it’s a great VPN protocol for mobile users we want to set it up on a server for us to use.
We’re going to set up IKEv2 Strongswan Server on Ubuntu 16.04 x64 with user + pass authentication
If you don’t have a server to use I would highly suggest creating an account with https://vultr.com for only $5 per month you can get a cloud instance with 768mb ram, 15gb SSD and 1TB bandwidth from 14 locations, basically the best deal available at the moment and a great alternative to DigitalOcean.
Find the perfect Proxy Product.
In the following tutorial we will be configuring the server to only use user+pass authentication without any certificates.
Prerequisites: Before You Install
Add wheezy backports to your apt repo so you can download the required packages.
You may also be missing the GPG keys so this just requests them and adds them as well (in case you have any issues).
sudo echo "deb http://ftp.debian.org/debian wheezy-backports main" > /etc/apt/sources.list.d/wheezy-backports.list
sudo gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
sudo gpg -a --export 8B48AD6246925553 | sudo apt-key add -
sudo gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
sudo gpg -a --export 7638D0442B90D010 | sudo apt-key add -
Don’t forget to update your repos and upgrade any old packages:
sudo apt-get -y update && sudo apt-get upgrade -yStep 1 – Install Strongswan Package
Simply use the apt package manager for a quick install
sudo apt-get -y install strongswan strongswan-plugin-openssl strongswan-plugin-eap-mschapv2This install the main strongswan package as well as the minimum we require for the rest of this tutrial.
Step 2 – Edit strongswan.conf
You can quickly empty the strongswan.conf file with this command:
echo "" > /etc/strongswan.confReplace everything in /etc/strongswan.conf with the following:
charon {
load_modular = yes
dns1 = 8.8.8.8
dns2 = 8.8.4.4
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.confYou can replace the DNS servers if you wish, these are just Googles public DNS IPs
Step 3 – Edit ipsec.conf
This is a minimized version of the ipsec.conf you can once again truncate the file quickly using this command
echo "" > /etc/ipsec.confNow open up /etc/ipsec.conf and paste everything below, you can replace the leftid= and rightid= with whatever you want but for first timers, I would suggest just copying every thing exactly so you can see how it works before customizing it.
config setup
strictcrlpolicy=no
uniqueids = no
conn %default
mobike=yes
dpdaction=clear
dpddelay=35s
dpdtimeout=200s
fragmentation=yes
conn iOS-IKEV2
auto=add
keyexchange=ikev2
eap_identity=%any
left=%any
leftsubnet=0.0.0.0/0
rightsubnet=10.99.1.0/24
leftauth=psk
leftid=%any
right=%any
rightsourceip=10.99.1.0/24
rightauth=eap-mschapv2
rightid=%anyStep 4 – Edit ipsec.secrets (your users login & passwords)
Here is where we will store our users logins and passwords in plaintext so it’s very easy to edit
Once again, let’s truncate the existing file by executing the following command:
sudo echo "" > /etc/ipsec.secretsNow you can replace it with the following text:
include /var/lib/strongswan/ipsec.secrets.inc
# logins
: PSK "SEXapPAm5x5OXktAzes9nxE3NvilpmIH1orpE2cIzgfWRZgQDYZ1Wm3thlfXXwn"
myusername : EAP "hSyeI1H8Wsybb5qDk5abBrJ7LCu3bPbJrax9aFG77FiiJZu3eUepLwvg9pjjEL3"PSK is an acronym for Pre Shared Key and will basically exist in all of the configs that we will generate for our users in the upcoming step.
You can type out an awesomely long sequence of characters there or for those of you who don’t enjoy aimlessly smashing the keyboard, you can use a generator like this to create one:
http://www.n-cg.net/WPA-PSK_KeyGen.htm
Step 5 – iptable rules
You need to get your main interface name, it’s usually eth0 but not always, if you’re unsure what it is type in your console:
ifconfigThe output will then show you a name, in this case it’s ens3
root@vpnserver:~# ifconfig
ens3 Link encap:Ethernet HWaddr 56:00:00:36:06:27
inet addr:45.76.100.206 Bcast:255.255.254.0 Mask:255.255.254.0
inet6 addr: fe80::5400:ff:fe36:627/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22471 errors:0 dropped:0 overruns:0 frame:0
TX packets:19986 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:141559184 (141.5 MB) TX bytes:2090717 (2.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)Now that we have the interface name you just need to enter these two simple rules, replacing it with your interface name:
sudo iptables -t nat -A POSTROUTING -s 10.99.1.0/24 -o ens3 -j MASQUERADE
sudo iptables -A FORWARD -s 10.99.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
The 10.99.1.0/24 is the subnet from the file /etc/ipsec.conf you can change this but just make it’s reflected in the config and also to update your iptables.
Now we need to enable IP forwarding, you can quickly do this by using the following command:
echo 1 > /proc/sys/net/ipv4/ip_forwardAlternatively to prevent yourself from doing this every time you restart your server you can do a permanent approach by adding it into your /etc/sysctl.conf file.
Append this to the end of the file
net.ipv4.ip_forward=1Then reload it by typing
sudo sysctl -pStep 6 – Create your mobile config file
This is the very last thing we have to do before we can start connecting from our iPhone.
Basically the iOS device does allow you to manually add connections however it’s very basic and doesn’t allow you to add some of the parameters required for our basic setup.
So the solution is to create a myusername.mobileconfig file.
I have listed a few parts here that we need to change
@@Replace with your password from /etc/ipsec.secrets@@
Use your password here or in our case we can replace with the password we used above hSyeI1H8Wsybb5qDk5abBrJ7LCu3bPbJrax9aFG77FiiJZu3eUepLwvg9pjjEL3@@Replace with your server IP address@@
Enter either your server DNS address or IP address@@Replace with the PSK from /etc/ipsec.secrets@@
This is the pre-shared key we talked about earlier, make sure this matches the one in /etc/ipsecrets
SEXapPAm5x5OXktAzes9nxE3NvilpmIH1orpE2cIzgfWRZgQDYZ1Wm3thlfXXwn@@My VPN Connection Name@@
This is just your connection / profile name that will appear in your iPhones VPN settings@@Replace with output from uuidgen@@
You can run this command on any ubuntu/linux machine this just generates a random string of characters, I have listed this command a few times in the config. Use a unique uuidgen for each line.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IKEv2</key>
<dict>
<key>AuthName</key>
<string>myusername</string>
<key>AuthPassword</key>
<string>@@Replace with your password from /etc/ipsec.secrets@@</string>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>2</integer>
<key>EncryptionAlgorithm</key>
<string>3DES</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>DeadPeerDetectionRate</key>
<string>Medium</string>
<key>DisableMOBIKE</key>
<integer>0</integer>
<key>DisableRedirect</key>
<integer>0</integer>
<key>EnableCertificateRevocationCheck</key>
<integer>0</integer>
<key>EnablePFS</key>
<integer>0</integer>
<key>ExtendedAuthEnabled</key>
<true/>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>2</integer>
<key>EncryptionAlgorithm</key>
<string>3DES</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>LocalIdentifier</key>
<string>myserver.com.client</string>
<key>RemoteAddress</key>
<string>@@Replace with your server IP address@@</string>
<key>RemoteIdentifier</key>
<string>myserver.com.server</string>
<key>SharedSecret</key>
<string>@@Replace with the PSK from /etc/ipsec.secrets@@</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<integer>0</integer>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings for iphone</string>
<key>PayloadDisplayName</key>
<string>TutorialVPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.@@Replace with output from uuidgen@@</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>@@Replace with output from uuidgen@@</string>
<key>PayloadVersion</key>
<real>1</real>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
<key>ProxyAutoConfigEnable</key>
<integer>0</integer>
<key>ProxyAutoDiscoveryEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>@@My VPN Connection Name@@</string>
<key>VPNType</key>
<string>IKEv2</string>
<key>VendorConfig</key>
<dict/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>IKEv2</string>
<key>PayloadIdentifier</key>
<string>@@Replace with output from uuidgen@@</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>@@Replace with output from command uuidgen@@</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>Step 7 – Adding to your iPhone
Now that you have created the mobileconfig file, simply save it as “whateveryouwant.mobileconfig” and upload it to a public website address.
Now on your iPhone you need to navigate to the URL it is hosted on with safari and you’ll be presented with a screen like this:
Simply follow the prompts on your iPhone and install the VPN connection profile
Once this is done it will appear as already checked (ticked) in your VPN settings.
You can then just tap the connection slider next to “Not Connected”
Finished!
I hope you were able to setup your own IKEv2 server for iOS / iPhone by now.
If you have any questions or are having difficulty leave a comment below and I’ll try to help you.
