A VPN lets you use the Internet from an untrusted network, such as public Wi-Fi, by carrying all of your traffic through an encrypted tunnel to a server you control. It protects the traffic from the local network; it does not make you anonymous, because the VPN server, and whoever operates it, still sees where the traffic goes.

strongSwan is a free, open-source and widely used IPsec-based virtual private network implementation that creates an encrypted tunnel between two or more hosts or networks.

strongSwan implements IKE, the Internet Key Exchange protocol that authenticates the peers and negotiates the IPsec security associations between server and client. The S/WAN in the name stands for Secure Wide Area Network, inherited from the FreeS/WAN project it descends from. Both versions of the automatic key exchange, IKEv1 and IKEv2, are supported; this tutorial uses IKEv2.

In this tutorial, we will show you how to install and configure a strongSwan IKEv2 VPN server on Ubuntu, and how to connect to it from an Ubuntu client and from the built-in Windows VPN client. The procedure is compatible with Ubuntu 18.04, 20.04, 22.04 and 24.04.

Step 1 – Enable Kernel Packet Forwarding

First, enable IPv4 packet forwarding in the kernel so that the server can route traffic between VPN clients and the Internet, and disable ICMP redirects so the server neither accepts nor sends them (a VPN gateway should not let the local network rewrite its routes). The IPv6 forwarding line only matters if you later hand out IPv6 addresses to clients. Edit /etc/sysctl.conf:

nano /etc/sysctl.conf

Add the following lines at the end of the file:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Save and close the file. Then, run the following command to reload the settings:

sysctl -p

Step 2 – Install strongSwan

First, install the strongSwan IPsec daemon together with the plugin packages that provide EAP-MSCHAPv2 and the pki tool used in the next step:

apt-get install strongswan libcharon-extra-plugins libstrongswan-extra-plugins strongswan-pki -y

The libtss2-tcti-tabrmd0 and libtss2-esys packages are only needed for strongSwan's tpm plugin, and their exact package names differ between Ubuntu releases, so they are not installed here.

Once the installation is completed, you can proceed to the next step.

Step 3 – Setting Up a Certificate Authority

Now you will need to generate a certificate authority and then a server certificate signed by it. A client verifies the server by checking that the server certificate chains to this CA and that the name in the certificate matches the one the client is configured to expect.

First, generate a private key for self-signing the CA certificate using strongSwan's pki tool (invoked here as ipsec pki):

ipsec pki --gen --size 4096 --type rsa --outform pem > ca.key.pem

Next, create your root certificate authority and use the above key to sign the root certificate:

ipsec pki --self --in ca.key.pem --type rsa --dn "CN=VPN Server CA" --ca --lifetime 3650 --outform pem > ca.cert.pem

Next, you will need to create a certificate and key for the VPN server so that the client can verify the server’s authenticity using the CA certificate we just generated.

First, create a private key for the VPN server with the following command:

ipsec pki --gen --size 4096 --type rsa --outform pem > server.key.pem

Next, generate the server certificate. The --san value must be the name clients will connect to (it becomes rightid on the strongSwan client and the server name in Windows), --flag serverAuth is required by the Windows client, and --flag ikeIntermediate is the flag older Windows IKEv2 clients look for:

ipsec pki --pub --in server.key.pem --type rsa | ipsec pki --issue --lifetime 2750 --cacert ca.cert.pem --cakey ca.key.pem --dn "CN=vpn.example.com" --san="vpn.example.com" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem

Next, move the certificates and keys into the directories strongSwan reads them from:

mv ca.cert.pem /etc/ipsec.d/cacerts/
mv server.cert.pem /etc/ipsec.d/certs/
mv ca.key.pem /etc/ipsec.d/private/
mv server.key.pem /etc/ipsec.d/private/

The shell redirections above created the key files with your default umask, so restrict them with chmod 600 on both files in /etc/ipsec.d/private. The CA key is only needed to issue further certificates and is never used by the running server, so you can move it off the server once the server certificate is issued. At this point, you have all of the certificates ready, and you can proceed to the next step.
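The check below is an added example, not part of the original article: it verifies that a server certificate really chains to the CA and carries the SAN and serverAuth EKU that clients look for, which is what a failing Windows connection usually comes down to. The page issues its certificates with ipsec pki; the make_demo_pki function here builds an equivalent CA and server certificate with openssl (assumed to be installed, 2048-bit keys for speed) only so the check can be exercised on a host without strongSwan. On the real server you would source the file and run verify_server_cert against the files under /etc/ipsec.d.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a strongSwan server
# certificate before clients are pointed at it.
set -eu

# verify_server_cert CA_CERT SERVER_CERT FQDN
# Succeeds only if SERVER_CERT chains to CA_CERT, its SAN lists FQDN and its
# extendedKeyUsage contains serverAuth. Prints the first failing check.
verify_server_cert() {
  ca=$1; cert=$2; fqdn=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; return 1
  fi
  text=$(openssl x509 -in "$cert" -noout -text)
  if ! printf '%s\n' "$text" | grep -qF "DNS:$fqdn"; then
    echo "FAIL: SAN does not contain $fqdn (rightid / server name will not match)"; return 1
  fi
  if ! printf '%s\n' "$text" | grep -q "TLS Web Server Authentication"; then
    echo "FAIL: extendedKeyUsage lacks serverAuth"; return 1
  fi
  echo "OK: $cert chains to $ca, SAN=$fqdn, EKU serverAuth"
}

# make_demo_pki DIR FQDN
# Stand-in for the "ipsec pki" commands on this page, using openssl, so the
# check above can be run anywhere. Same shape: self-signed CA, server cert
# with SAN=FQDN and EKU serverAuth + ikeIntermediate (1.3.6.1.5.5.8.2.2).
make_demo_pki() {
  dir=$1; fqdn=$2
  cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat >"$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:$fqdn
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key.pem" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key.pem" -config "$dir/req.cnf" -extensions v3_ca \
    -subj "/CN=VPN Server CA" -days 3650 -out "$dir/ca.cert.pem"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key.pem" 2>/dev/null
  openssl req -new -key "$dir/server.key.pem" -config "$dir/req.cnf" \
    -subj "/CN=$fqdn" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" \
    -CAcreateserial -days 2750 -extfile "$dir/server.ext" -out "$dir/server.cert.pem" 2>/dev/null
  # private keys are created with the caller's umask, as on the page: lock them down
  chmod 600 "$dir/ca.key.pem" "$dir/server.key.pem"
}

# Usage on the real server:
#   . ./check-cert.sh
#   verify_server_cert /etc/ipsec.d/cacerts/ca.cert.pem /etc/ipsec.d/certs/server.cert.pem vpn.example.com
# Self-contained demo:  sh check-cert.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d" vpn.example.com
  verify_server_cert "$d/ca.cert.pem" "$d/server.cert.pem" vpn.example.com
  verify_server_cert "$d/ca.cert.pem" "$d/server.cert.pem" vpn.example.org || true  # name mismatch
  rm -rf "$d"
fi
```

The SAN check is the one that matters most in practice: the strongSwan client's rightid and the Windows "Server name or address" are both compared against the certificate, so a certificate issued for the wrong name fails authentication even though the chain is fine.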

Step 4 – Configure strongSwan

strongSwan ships a default configuration file at /etc/ipsec.conf. Move it aside and create a new one.

To rename the default configuration file, run the following command:

mv /etc/ipsec.conf /etc/ipsec.conf.bak

Next, create a new configuration file as shown below:

nano /etc/ipsec.conf

Add the following lines:

config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
        strictcrlpolicy=no
        uniqueids=yes
        cachecrls=no

conn ipsec-ikev2-vpn
        auto=add
        compress=no
        type=tunnel                 # tunnel mode: whole IP packets are encapsulated
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes             # always UDP-encapsulate ESP; roadwarriors are usually behind NAT
        dpdaction=clear
        dpddelay=300s
        rekey=no                    # let the client initiate rekeying
        left=%any
        leftid=@vpn.example.com     # if using an IP address, write it without the @ sign
        leftcert=server.cert.pem    # read from /etc/ipsec.d/certs
        leftsendcert=always
        leftsubnet=0.0.0.0/0        # full tunnel: clients send all traffic through the server
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=192.168.0.0/24
        rightdns=8.8.8.8
        rightsendcert=never         # clients authenticate with EAP, not with certificates
        eap_identity=%identity      # use the identity the client sends in its EAP Identity reply

Save and close the file when you are finished.

Where:

config setup : General settings that apply to all connections.
charondebug : How much charon, the IKE daemon, logs per subsystem. Level 2 everywhere is useful while you set things up; lower it once the VPN works, because at this level the log records details of every peer's negotiation.
leftid : The identity the server presents. It must match the name clients expect (rightid on the strongSwan client, the server name in Windows) and a SAN in the server certificate.
leftcert : The file name of the server certificate under /etc/ipsec.d/certs.
leftsubnet : The subnet behind the server that clients may reach. 0.0.0.0/0 makes this a full tunnel.
rightsourceip : The pool of virtual IP addresses handed out to clients. It must not overlap the server's own networks, and since 192.168.0.0/24 is also the most common home LAN range, a client sitting on such a network can end up with conflicting routes; a less common range such as 10.10.10.0/24 is a safer choice.
rightdns : DNS server pushed to clients. 8.8.8.8 is Google's public resolver; use whichever resolver you trust with the clients' queries.

No ike= or esp= lines are set, so charon uses its default proposals. That works with the strongSwan client; if a Windows client fails during the first exchange with a policy match error, the two sides share no proposal, and you either add ike=/esp= lists on the server that include what the client offers or raise the client's settings (on Windows with the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet).
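Enabling forwarding in Step 1 is not enough on its own: the server must also accept IKE and ESP, forward traffic for the client pool, and NAT it out of its uplink, otherwise clients with leftsubnet=0.0.0.0/0 connect but reach nothing. The script below is an added example, not from the original article. It assumes the uplink interface is eth0, the pool is the rightsourceip value 192.168.0.0/24 from the configuration above, and iptables is installed (the nft backend on recent Ubuntu is fine); it prints the rules by default and applies them only when asked and running as root.

```shell
#!/bin/sh
# Added example (not from the article): firewall and NAT rules for the VPN
# client pool. Assumptions: uplink eth0, pool 192.168.0.0/24 (rightsourceip).
set -eu

# vpn_rules POOL IFACE -> prints one iptables command per line (dry run)
vpn_rules() {
  pool=$1
  ifc=$2
  cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A FORWARD -s $pool -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -d $pool -m policy --dir out --pol ipsec -j ACCEPT
iptables -t mangle -A FORWARD -s $pool -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t nat -A POSTROUTING -s $pool -o $ifc -j MASQUERADE
EOF
}
# Rule by rule: IKE on UDP 500, NAT-T (and ESP-in-UDP, which forceencaps=yes
# makes mandatory) on UDP 4500, raw ESP for completeness; forward only
# traffic that arrived through, or will leave through, an IPsec policy for the
# pool, so nothing outside the tunnel can spoof a pool address; clamp TCP MSS
# so ESP+UDP overhead does not push packets over the uplink MTU; masquerade
# the pool behind the server's uplink address.

# apply_rules POOL IFACE -> installs the rules (root only)
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_rules: must run as root" >&2
    return 1
  fi
  vpn_rules "$1" "$2" | while read -r cmd; do
    $cmd
  done
}

# Usage:  sh vpn-rules.sh          (print)
#         sudo sh vpn-rules.sh apply
case "${1:-print}" in
  apply) apply_rules "${POOL:-192.168.0.0/24}" "${WAN_IF:-eth0}" ;;
  *)     vpn_rules   "${POOL:-192.168.0.0/24}" "${WAN_IF:-eth0}" ;;
esac
```

The rules do not survive a reboot by themselves; with the iptables-persistent package installed, netfilter-persistent save stores the running rule set. If the server already runs a firewall with a default DROP policy, insert these rules ahead of the drop rather than appending.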

Step 5 – Configure Authentication

At this point, your VPN server is configured to accept client connections. The server authenticates to clients with its RSA key, and clients authenticate to the server with an EAP-MSCHAPv2 username and password. Both go into /etc/ipsec.secrets, which holds the passwords in cleartext and must stay readable by root only (the packaged file already is):

nano /etc/ipsec.secrets

Add the following lines:

: RSA "server.key.pem"
vpnsecure : EAP "your-secure-password"

Save and close the file. Then, restart the strongSwan service and enable it to start at reboot. On Ubuntu 20.04 and later the unit is strongswan-starter.service; on Ubuntu 18.04 it is named strongswan.service, which is also the name that appears in the status output below:

systemctl restart strongswan-starter.service
systemctl enable strongswan-starter.service

You can also verify the status of the strongSwan service using the following command:

systemctl status strongswan-starter.service

You should see the following output:

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-05-08 08:02:08 UTC; 8s ago
 Main PID: 29947 (starter)
    Tasks: 18 (limit: 2359)
   CGroup: /system.slice/strongswan.service
           ├─29947 /usr/lib/ipsec/starter --daemon charon --nofork
           └─29973 /usr/lib/ipsec/charon --debug-ike 2 --debug-knl 2 --debug-cfg 2 --debug-net 2 --debug-esp 2 --debug-dmn 2 --debug-mgr 2

May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   eap_identity=%identity
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   dpddelay=300
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   dpdtimeout=150
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   dpdaction=1
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   sha256_96=no
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   mediation=no
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   keyexchange=ikev2
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG] adding virtual IP address pool 192.168.0.0/24
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG]   loaded certificate "CN=vpn.example.com" from 'server.cert.pem'
May 08 08:02:08 ubuntu1804 charon[29973]: 05[CFG] added configuration 'ipsec-ikev2-vpn'

You can also check that the server certificate was loaded and that charon found its private key (ipsec listcacerts does the same for the CA certificate):

ipsec listcerts

You should get the following output:

List of X.509 End Entity Certificates

  subject:  "CN=vpn.example.com"
  issuer:   "CN=VPN Server CA"
  validity:  not before May 11 07:13:55 2025, ok
             not after  Nov 20 07:13:55 2032, ok (expires in 2749 days)
  serial:    20:47:13:71:a8:8a:e7:65
  altNames:  vpn.example.com
  flags:     serverAuth ikeIntermediate 
  authkeyId: 90:9f:3f:b7:b1:12:8f:e3:d0:30:15:1b:49:39:94:c9:c9:8d:07:3c
  subjkeyId: 68:ff:aa:f4:6a:e6:40:d2:4f:8d:dd:1f:6a:16:df:9e:f1:76:f6:28
  pubkey:    RSA 4096 bits, has private key
  keyid:     02:0b:d8:03:cf:ee:3e:4f:8a:da:39:1b:fb:90:b2:10:f8:64:62:0e
  subjkey:   68:ff:aa:f4:6a:e6:40:d2:4f:8d:dd:1f:6a:16:df:9e:f1:76:f6:28

At this point, your strongSwan VPN server is installed and configured. You can now proceed to install and configure the VPN client to connect the VPN server.

Step 6 – Install and Configure strongSwan Client

Log in to the client system and run the following command to install the strongSwan client packages:

apt-get install strongswan libcharon-extra-plugins -y

Once installed, disable the service so that the client does not bring the tunnel up at boot; you will start it by hand when you want to connect (on Ubuntu 18.04 the unit is named strongswan.service):

systemctl disable strongswan-starter.service

Next, copy the CA certificate (only the certificate, never the CA key) from the VPN server to the client:

scp root@your-vpnserver-ip:/etc/ipsec.d/cacerts/ca.cert.pem /etc/ipsec.d/cacerts/

Next, configure VPN client authentication by editing the file /etc/ipsec.secrets:

nano /etc/ipsec.secrets

Add the following line:

vpnsecure : EAP "your-secure-password"

Save and close the file. Then, add the client connection to the default /etc/ipsec.conf:

nano /etc/ipsec.conf

Add the following lines:

conn ipsec-ikev2-vpn-client
    auto=start
    keyexchange=ikev2
    right=vpn.example.com         # server address
    rightid=vpn.example.com       # must match the server's leftid and certificate SAN
    rightsubnet=0.0.0.0/0         # route everything through the tunnel
    rightauth=pubkey              # server proves itself with its certificate, checked against ca.cert.pem
    leftsourceip=%config          # take the virtual IP the server assigns
    leftid=vpnsecure
    leftauth=eap-mschapv2
    eap_identity=%identity

Save and close the file. Then, restart the strongSwan service, which brings the tunnel up because of auto=start:

systemctl restart strongswan-starter.service

On the client, check the connection status using the following command:

ipsec status

The client-side view below shows the IKE_SA established with the server (identified as vpn.example.com) and the CHILD_SA carrying the virtual IP the server assigned, 192.168.0.5/32, to 0.0.0.0/0, that is, all traffic. On the server, the same command lists the tunnel under the server-side connection name ipsec-ikev2-vpn, with the client's EAP identity vpnsecure on the remote side:

Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 1 minutes ago, [vpnsecure]...192.168.0.1[vpn.example.com]
ipsec-ikev2-vpn-client{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 74ab87d0db9ea3d5_i 684cb0dbe4d1a70d_r
ipsec-ikev2-vpn-client{1}:   192.168.0.5/32 === 0.0.0.0/0
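Once several people use the server, the raw ipsec status output gets long. The script below is an added example, not from the original article: it reduces the server-side output to one line per established client (EAP identity, public address, assigned virtual IP, age) and flags identities that are not on an allow list, which is a cheap way to notice a credential being used from somewhere it should not be. The sample input is constructed in the format shown on this page; "vpnsecure" is the user from ipsec.secrets, "alice" is an assumed second account.

```shell
#!/bin/sh
# Added example (not from the article): summarise and audit "ipsec status".
set -eu

# list_established
# Reads ipsec status output on stdin. The IKE_SA line "conn[N]: ESTABLISHED
# <age> ago, laddr[lid]...raddr[rid]" and the CHILD_SA traffic-selector line
# "conn{N}: ... === vip/32" are joined on N. Output: rid raddr vip age
list_established() {
  awk '
    /\]: ESTABLISHED / {
      n = $1; sub(/^.*\[/, "", n); sub(/\]:$/, "", n)
      peers = $0; sub(/^.*, /, "", peers)             # laddr[lid]...raddr[rid]
      remote = peers; sub(/^.*\.\.\./, "", remote)     # raddr[rid]
      raddr = remote; sub(/\[.*$/, "", raddr)
      rid = remote; sub(/^[^[]*\[/, "", rid); sub(/\]$/, "", rid)
      age = $0; sub(/^.*ESTABLISHED /, "", age); sub(/ ago,.*$/, "", age)
      id_of[n] = rid; addr_of[n] = raddr; age_of[n] = age
    }
    /\}:.* === / {
      n = $1; sub(/^.*\{/, "", n); sub(/\}:$/, "", n)
      if (n in id_of) print id_of[n], addr_of[n], $NF, age_of[n]
    }'
}

# flag_unknown "user1 user2 ..."
# Reads list_established output on stdin; prints clients whose EAP identity
# is not in the space-separated allow list (e.g. the users in ipsec.secrets).
flag_unknown() {
  allowed=" $1 "
  while read -r id addr vip age; do
    case "$allowed" in
      *" $id "*) ;;
      *) echo "UNEXPECTED: $id from $addr has $vip ($age)" ;;
    esac
  done
}

# Constructed sample in the server-side format (not captured from a real host)
SAMPLE_STATUS='Security Associations (2 up, 1 connecting):
ipsec-ikev2-vpn[4]: CONNECTING, 203.0.113.10[%any]...198.51.100.9[%any]
ipsec-ikev2-vpn[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[vpn.example.com]...198.51.100.7[vpnsecure]
ipsec-ikev2-vpn{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1a2b3d4_i e5f6a7b8_o
ipsec-ikev2-vpn{3}:   0.0.0.0/0 === 192.168.0.5/32
ipsec-ikev2-vpn[2]: ESTABLISHED 3 hours ago, 203.0.113.10[vpn.example.com]...192.0.2.44[alice]
ipsec-ikev2-vpn{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 0badcafe_i deadbeef_o
ipsec-ikev2-vpn{2}:   0.0.0.0/0 === 192.168.0.6/32'

# Usage on the server:  ipsec status | list_established | flag_unknown "vpnsecure"
# Demo on the sample:   sh vpn-who.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_STATUS" | list_established
  printf '%s\n' "$SAMPLE_STATUS" | list_established | flag_unknown "vpnsecure"
fi
```

Run from cron with the allow list generated from the EAP lines of /etc/ipsec.secrets, this gives a minimal "who is connected, and should they be" check without any extra tooling on the server.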

Step 7 – Connecting from a Windows Client

Windows has a built-in VPN client that is fully compatible with the IKEv2 server we have configured. To connect, you will need to import the server’s Certificate Authority (CA) certificate to ensure Windows trusts the VPN server, and then configure the connection.

Transfer the CA Certificate

First, you need the ca.cert.pem file that was generated on your VPN server. Log in to your server and display the contents of the file:

cat /etc/ipsec.d/cacerts/ca.cert.pem

Copy the entire output to your clipboard, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

On your Windows machine, open Notepad, paste the copied text, and save the file as ca.cert.pem. Make sure you select “All Files” for the “Save as type” option to avoid it being saved as a .txt file.

Install the CA Certificate on Windows

For Windows to trust your VPN server, you must install the CA certificate into the "Trusted Root Certification Authorities" store for the Local Computer. Be aware of what that grants: anything signed with ca.key.pem will then be trusted by this machine, so keep the CA key off the server and use the CA for nothing but VPN certificates.

  1. Press the Windows Key + R to open the Run dialog, type mmc.exe, and press Enter. This opens the Microsoft Management Console.
  2. In the console, go to File > Add/Remove Snap-in….
  3. From the list of available snap-ins, select Certificates and click Add >.
  4. A new window will pop up. Crucially, you must select Computer account and click Next.
  5. Select Local computer, then click Finish, and finally OK.
  6. In the main console window, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities, and click on the Certificates folder inside it.
  7. Right-click on the Certificates folder and select All Tasks > Import….
  8. The Certificate Import Wizard will open. Click Next.
  9. Click Browse… and locate the ca.cert.pem file you saved earlier. You may need to change the file type dropdown from “X.509…” to “All Files (*.*)” to see it. Select the file and click Open.
  10. Click Next. Ensure the Certificate Store is shown as “Trusted Root Certification Authorities“.
  11. Click Next again, and then Finish. You should see a message confirming the import was successful.

Configure the VPN Connection in Windows

Now you can create the VPN connection profile.

  1. Open Settings > Network & Internet > VPN.
  2. Click Add a VPN connection.
  3. Fill out the form with the following details:
    • VPN provider: Windows (built-in)
    • Connection name: Give it a memorable name, like My strongSwan VPN.
    • Server name or address: vpn.example.com (the name must match the SAN in the server certificate from Step 3 and leftid in Step 4, because Windows checks the certificate against it).
    • VPN type: IKEv2
    • Type of sign-in info: User name and password
    • User name: vpnsecure (the username you set in /etc/ipsec.secrets).
    • Password: your-secure-password (the password you set in /etc/ipsec.secrets).
    • (You can leave the username and password fields blank if you prefer to be prompted for them each time you connect, which also keeps the password out of the Windows credential store.)
  4. Click Save.

Connect to the VPN

The new VPN connection will now appear in your VPN list. You can connect to it from the Settings page or by clicking the network icon in your system tray.

Click on your VPN profile and click the Connect button. The status should change to "Connected", and your Internet traffic will now be routed through your Ubuntu strongSwan server. If Windows reports a policy match error instead, the two sides share no IKE/ESP proposal: either add ike=/esp= lines on the server that include what Windows offers, or raise the Windows side's settings with the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet. A certificate error at this point almost always means the server name does not match the certificate's SAN or the CA was imported into the wrong store.

Conclusion

Congratulations! You have installed and configured a strongSwan IKEv2 VPN server on Ubuntu and connected both an Ubuntu and a Windows client to it. Traffic from those clients is now encrypted between them and your server, out of reach of whoever runs the network you are on. Get started on your VPS hosted Ubuntu server from Atlantic.Net today!

Learn more about our VPS hosting services and Virtual private servers.