Configure StrongSwan IKEv2 VPN with PSK – Step-by-Step Guide


I'm looking for configuration instructions for an IKEv2 VPN that uses pre-shared keys instead of certs (those are different methods for tunnel authentication, I'd assume?).

I've followed this wonderful tutorial to get IKEv2 VPN working (with certificate) and it works.

My question is what needs to be changed so that it would use PSK instead? I'd assume changes in /etc/ipsec.secrets and /etc/ipsec.conf are to be made.

My current ipsec.conf looks like this:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

UPD: Based on my tinkering and @ChandanK answer, I've made two scripts to deploy a StrongSwan VPN server on a fresh Ubuntu 16.04 install here: https://github.com/truemetal/ikev2_vpn

Best Answer

Assuming that you want to setup your right side with psk. This is fairly easy.

1. Remove the eap_identity and rightsendcert fields.
2. Set rightauth=secret

Now edit /etc/ipsec.secrets file:

1. Remove the line: your_username %any : EAP "your_password"
2. Add the line: : PSK <your_password>

Then reread the secrets and restart the service.

$ sudo ipsec rereadsecrets
$ sudo ipsec reload
$ sudo ipsec restart

All set. Follow "Connecting from iOS" and create a new ikev2 vpn connection. In authentication settings select none and put the shared secret key. Hopefully you connect.

Edit:

Based on the comments, configuration changes required to switch to pre-shared key authentication:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    authby=secret

Remove the following line from ipsec.secrets:

server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem"

Then reread the secrets and restart the service.
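The switch to PSK described in this answer, as an added shell example that is not part of the question or the answer: it generates a high-entropy shared secret instead of a hand-picked password, writes the ": PSK" entry to ipsec.secrets with restrictive permissions, checks ipsec.conf for leftover certificate directives, and rereads the secrets. It assumes a POSIX sh with /dev/urandom and base64; the 20-character minimum is a constructed policy threshold.

```shell
#!/bin/sh
# Added example (not from the question or answer). Assumes POSIX sh,
# /dev/urandom and base64; the file path argument exists so the functions
# can be exercised on a temporary file instead of /etc/ipsec.secrets.

# Generate a random PSK of N bytes (default 32 = 256 bits), base64-encoded.
# RFC 7296 section 2.15 warns that PSKs derived from passwords or other
# low-entropy sources are subject to dictionary attacks: generate, don't invent.
gen_psk() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Minimum length policy for a PSK (constructed threshold: 20 characters).
psk_ok() {
    [ "${#1}" -ge 20 ]
}

# Render the ipsec.secrets entry in the form the answer gives (": PSK <secret>").
# No selectors before the colon means the secret applies to any peer ID.
render_secrets_entry() {
    printf ': PSK "%s"\n' "$1"
}

# Write the entry to the secrets file (default /etc/ipsec.secrets), mode 0600.
install_secrets() {
    psk="$1"; file="${2:-/etc/ipsec.secrets}"
    psk_ok "$psk" || { echo "refusing PSK shorter than 20 characters" >&2; return 1; }
    ( umask 077; render_secrets_entry "$psk" > "$file" ) && chmod 600 "$file"
}

# Check that ipsec.conf selects PSK authentication and that none of the
# certificate/EAP directives the answer removes are still present.
conf_uses_psk() {
    grep -Eq '^[[:space:]]*(authby|rightauth)=secret' "$1" &&
    ! grep -Eq '^[[:space:]]*(leftcert|leftsendcert|rightsendcert|eap_identity)=' "$1"
}

# Tell charon to pick up the new secret, as the answer does.
reload_strongswan() {
    command -v ipsec >/dev/null 2>&1 || { echo "ipsec not installed" >&2; return 1; }
    ipsec rereadsecrets && ipsec reload
}

# Usage (as root): ./psk_setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    psk=$(gen_psk) || exit 1
    conf_uses_psk /etc/ipsec.conf || { echo "ipsec.conf still has cert/EAP directives" >&2; exit 1; }
    install_secrets "$psk" && reload_strongswan && printf 'Shared secret for clients: %s\n' "$psk"
fi
```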