Author: Asineth Martin
Last Updated: Tue, Aug 24, 2021

strongSwan is a cross-platform IPsec-based VPN solution that implements the IKEv1 and IKEv2 key exchange protocols, supports IPv4 and IPv6, and authenticates peers with X.509 certificates. This guide explains how to install strongSwan on CentOS 7. When following this guide, replace the domain name vpn.example.com with your server's fully-qualified domain name.
Ports 500/UDP and 4500/UDP must be open in the firewall for strongSwan (IKE and NAT traversal), and port 80/TCP for the Let's Encrypt HTTP challenge that Certbot uses later in this guide. Add these ports as shown:
$ sudo firewall-cmd --permanent --add-port=80/tcp
$ sudo firewall-cmd --permanent --add-port=500/udp
$ sudo firewall-cmd --permanent --add-port=4500/udp
Allow NAT packet forwarding, also known as IP masquerade.
$ sudo firewall-cmd --permanent --add-masquerade
Reload the firewall to apply the changes.
$ sudo firewall-cmd --reload
Enable IP packet forwarding in the kernel. Append the setting to /etc/sysctl.conf (tee without -a would overwrite the file) and load it:
$ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p
Install the Extra Packages for Enterprise Linux (EPEL) repository, which contains packages required for strongSwan and Let's Encrypt.
$ sudo yum install -y epel-release
Install Snap, which is required for Let's Encrypt.
$ sudo yum install snapd
Enable the systemd unit that manages the main snap communication socket.
$ sudo systemctl enable --now snapd.socket
Create a symbolic link between /var/lib/snapd/snap and /snap to enable classic Snap support.
$ sudo ln -s /var/lib/snapd/snap /snap
Reboot the server to activate Snap.
$ sudo reboot
Reconnect to the server via SSH as your non-root user account.
Update Snap.
$ sudo snap install core
$ sudo snap refresh core
Install the Let's Encrypt Certbot utility. By using a Let's Encrypt certificate instead of a self-signed one, the clients do not need to import certificates on their devices manually.
$ sudo snap install --classic certbot
Link Certbot to /usr/bin.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Request a new certificate. Certbot requires a fully qualified domain name that points to your server's IP address, as described before in the Prerequisites section. Replace user@example.com with your email address and vpn.example.com with your domain name.
$ sudo certbot certonly --standalone --agree-tos --no-eff-email -m user@example.com -d vpn.example.com
Certbot installs automatic renewal scripts for your system. You can verify the automatic renewal with this command:
$ sudo certbot renew --dry-run
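strongSwan caches the certificate and key it loaded at start-up, so a renewed Let's Encrypt certificate is not used until the daemon re-reads its credentials. The following script, an added example that is not part of the original guide, installs a Certbot deploy hook for that. It assumes that Certbot runs executables from /etc/letsencrypt/renewal-hooks/deploy after a successful renewal and exports RENEWED_LINEAGE to them, and that the rereadall action of the CentOS strongswan command reloads certificates and secrets; the hook file name is this example's choice.

```shell
#!/bin/sh
# Added example, not part of the original guide: install a Certbot deploy hook
# that makes strongSwan re-read its certificates and keys after each renewal.
# Assumptions: Certbot runs scripts in /etc/letsencrypt/renewal-hooks/deploy/
# after a successful renewal and sets RENEWED_LINEAGE to the renewed live
# directory; "strongswan rereadall" reloads certs and secrets in place.

HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/deploy}"

# Write the hook script into the directory given as $1 (default: HOOK_DIR),
# mark it executable and print its path.
install_strongswan_hook() {
    dir="${1:-$HOOK_DIR}"
    hook="$dir/strongswan-reload.sh"
    mkdir -p "$dir"
    cat > "$hook" <<'EOF'
#!/bin/sh
# Certbot sets RENEWED_LINEAGE to the live directory of the renewed certificate.
# Only reload strongSwan when the VPN certificate is the one that changed.
case "$RENEWED_LINEAGE" in
    */vpn.example.com) strongswan rereadall ;;
esac
EOF
    chmod 0755 "$hook"
    printf '%s\n' "$hook"
}

# Exit 0 if the hook is present and executable in $1 (default: HOOK_DIR).
hook_installed() {
    [ -x "${1:-$HOOK_DIR}/strongswan-reload.sh" ]
}

# Usage on the server (as root):
#   install_strongswan_hook            # writes into HOOK_DIR
#   sudo certbot renew --dry-run       # exercises the renewal path
```

Certbot only runs deploy hooks after a real renewal, so a dry run confirms the script is executable but does not trigger the reload; check /var/log/letsencrypt for the hook being invoked after the first real renewal.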
Install the strongSwan package.
$ sudo yum install -y strongswan
Link the TLS certificate and key from Certbot for use with strongSwan. Make sure to replace vpn.example.com with your domain name.
$ sudo ln -s /etc/letsencrypt/live/vpn.example.com/fullchain.pem /etc/strongswan/ipsec.d/certs
$ sudo ln -s /etc/letsencrypt/live/vpn.example.com/privkey.pem /etc/strongswan/ipsec.d/private
$ sudo ln -s /etc/letsencrypt/live/vpn.example.com/chain.pem /etc/strongswan/ipsec.d/cacerts
Move the default strongSwan configuration files to a backup location.
$ sudo mv /etc/strongswan/ipsec.conf{,.old}
$ sudo mv /etc/strongswan/ipsec.secrets{,.old}
Create a new strongSwan configuration file.
$ sudo nano /etc/strongswan/ipsec.conf
Paste the following lines. Replace vpn.example.com with your server's domain name.
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn ikev2
    auto=add
    keyexchange=ikev2
    forceencaps=yes
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.example.com
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.8.0.0/16
    rightsendcert=never
    eap_identity=%identity
Save and exit the file.
Create the secrets file for strongSwan.
$ sudo nano /etc/strongswan/ipsec.secrets
Insert the following lines. Replace user1, user2, user3, and password with the desired credentials to access the VPN.
: RSA "privkey.pem"
user1 : EAP "password"
user2 : EAP "password"
user3 : EAP "password"
You can create as many user/password lines as needed. Delete a line to revoke access for a user account.
Save and exit the file.
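Because ipsec.secrets holds the private-key reference and every user's EAP password in clear text, it is worth checking it before each reload. The script below is an added example, not part of the original guide or of strongSwan: it generates EAP lines with random passwords and checks a secrets file for syntax, duplicate users, placeholder or short passwords, and permissions. The rules are this example's own policy; the sample file it writes is a constructed copy of the guide's block, and the reload command it names (strongswan rereadsecrets, the CentOS name of the ipsec command) is assumed.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check an ipsec.secrets
# file before (re)loading it, and generate EAP lines with random passwords.
# The rules are this example's own: each line must be the RSA key line or
# <user> : EAP "<password>", users must be unique, passwords must not be the
# placeholder "password" or shorter than 12 characters, and the file must not
# be readable by group or other. After editing the real file, run
# "strongswan rereadsecrets" (assumed: the CentOS name of the ipsec command).

# Print <user> : EAP "<password>" with a 32-hex-character random password.
gen_eap_line() {
    pw=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s : EAP "%s"\n' "$1" "$pw"
}

# Write the guide's sample secrets (constructed input) to the path in $1.
write_sample_secrets() {
    cat > "$1" <<'EOF'
: RSA "privkey.pem"
user1 : EAP "password"
user2 : EAP "password"
user3 : EAP "password"
EOF
}

# Print one problem per line for the file in $1; exit 0 only if none found.
check_secrets() {
    f="$1"
    problems=0
    # Group/other permission bits are columns 5-10 of ls -l output.
    if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        printf 'mode: %s is accessible by group or other (use chmod 600)\n' "$f"
        problems=$((problems + 1))
    fi
    users=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                 # blank or comment
            ': RSA "'*'"') continue ;;           # private-key reference
            *' : EAP "'*'"') ;;                  # candidate EAP line, checked below
            *) printf 'syntax: %s\n' "$line"; problems=$((problems + 1)); continue ;;
        esac
        user=${line%% *}          # first word is the user name
        pw=${line#*\"}            # text after the first quote ...
        pw=${pw%\"}               # ... up to the last quote
        case " $users " in
            *" $user "*) printf 'duplicate user: %s\n' "$user"; problems=$((problems + 1)) ;;
        esac
        users="$users $user"
        if [ "$pw" = "password" ] || [ "${#pw}" -lt 12 ]; then
            printf 'weak password for %s\n' "$user"
            problems=$((problems + 1))
        fi
    done < "$f"
    [ "$problems" -eq 0 ]
}

# Usage:
#   gen_eap_line user4 | sudo tee -a /etc/strongswan/ipsec.secrets
#   check_secrets /etc/strongswan/ipsec.secrets && strongswan rereadsecrets
```

Run on the guide's sample block, the check reports three weak passwords and nothing else once the file is chmod 600; the RSA line is accepted as-is because strongSwan resolves it against the ipsec.d/private directory.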
Start strongSwan and enable the service to start at boot.
$ sudo systemctl enable --now strongswan
This completes the server configuration.
To connect to your new strongSwan server, configure an IKEv2 VPN client on your operating system using vpn.example.com as the server address and the EAP username and password you added to ipsec.secrets.
For more information, please see the strongSwan documentation.