Setup IKEv2 On Demand VPN on iOS 8 and IKEv2, IKEv1 Cisco IPSec VPN with Strongswan

First, install Strongswan on Ubuntu.
首先,在Ubuntu上安装Strongswan。
sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 strongswan-plugin-xauth-generic
[info]If you want to compile from source, you need to add this to your configure command:
如果你想从源码编译,请确保你的configure指令包含以下参数:
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-eap-identity --enable-eap-peap --enable-openssl --enable-md4
https://lists.strongswan.org/pipermail/users/2012-November/003975.html
You can use these command to install Strongswan from source:
你可以用这些命令来从源码安装Strongswan:
apt-get install build-essential libssl-dev libgmp-dev
wget http://download.strongswan.org/strongswan-5.2.0.tar.bz2
tar xjvf strongswan-5.2.0.tar.bz2; cd strongswan-5.2.0
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-eap-identity --enable-eap-peap --enable-openssl --enable-md4
make & make install
[/info]
apt-get also suggest some packages, some of them are useful if you want to connect your strongswan with Radius or something else.
apt-get会列出一些推荐的包,如果你需要扩展Strongswan的功能比如连接Radius、mysql之类的后端数据库,那你可能会需要安装这些插件。
Suggested packages:
strongswan-tnc-imcvs network-manager-strongswan strongswan-plugin-agent
strongswan-plugin-certexpire strongswan-plugin-coupling
strongswan-plugin-curl strongswan-plugin-dnscert strongswan-plugin-dnskey
strongswan-plugin-duplicheck strongswan-plugin-error-notify
strongswan-plugin-ipseckey strongswan-plugin-ldap strongswan-plugin-led
strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pkcs11
strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-soup
strongswan-plugin-unity strongswan-plugin-whitelist strongswan-tnc-client
strongswan-tnc-server

Now, use
现在使用

ipsec version

to check if ipsec installd successful
命令来检查ipsec的安装是否成功

Then, open /etc/ipsec.secrets. If this file not exists, create a new one.
然后编辑/etc/ipsec.secrets文件。如果不存在就创建一个。
Sudo vim /etc/ipsec.secrets

Write this:
添加如下内容:
: RSA vpnHostKey.pem
: PSK yourpskhere
user1 : EAP "topsecretpassword"
user1 : XAUTH "topsecretpassword"
user2 : XAUTH "evenmoretopsecretpassword"

For security reasons, please change the password in the file, not just use the one I gave.
为了安全起见,请不要使用文中提供的账号密码,使用自定义的账号密码。

By the way, there is a command to reload this file without restart IPSec:
顺便一说,有一个命令可以热加载这个文件:
sudo ipsec rereadsecrets

You can use it to flush the secrets after you modify this file.
在修改了这个文件之后可以直接使用这个命令刷新新的用户密码。

Then modify system config to fit ip forward:
接下来修改系统配置以开启IP包转发:

sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Then set up iptables to enable forward. If you skip this step or make some mistakes, your VPN may can only connect to the server it self or you may lose SSH connection after you start the iptables.
接下来修改iptables的配置来启用转发。如果你跳过了这一步,你的VPN就只能访问服务器本身;如果你在这一步出错,可能会导致你的SSH链接丢失,然后连不上VPN。
[info]If you have any question, please contact me. wzxjohn#gmail
如果你在设置过程中遇到了困难,欢迎联系我。wzxjohn#gmail[/info]
[info]If you use Debian, you don’t need to use ufw. Just use iptables it self.DO NOT INSTALL ufw!
如果你使用Debian系统,你不需要使用ufw。用直接用iptables即可。不要安装ufw
Just create iptables.up.rules and put “iptables-restore < /etc/iptables.up.rules” in /etc/rc.local.
创建iptables.up.rules文件并把”iptables-restore < /etc/iptables.up.rules” 写入 /etc/rc.local 文件即可。[/info]

sudo vim /etc/iptables.up.rules If the file is not exists, create a new one.
编辑/etc/iptables.up.rules文件。如果不存在就创建一个。

Then put
然后将下面两行
iptables-restore < /etc/iptables.up.rules
ufw reload

in /etc/rc.local
写入/etc/rc.local

Now it’s better to restart your VPS now.
现在最好重启一下你的VPS来看看设置是否正确。

If you don’t want to restart, just type
如果你不想重启,可以使用如下命令:
ufw enable
ufw reload

to make sure the iptables rules are working
来确保iptables规则正确加载

Now about ipsec config
接下来是ipsec配置。

This is my config file:
这是我的ipsec配置文件:

I may add some comments later.
之后我可能会添加一些注视。

This config file has 4 part, defined 3 kinds of VPN: IKEv2, IKEv2 with EAP, CiscoIPSec(IKEv1).
这个配置文件包含了4个部分,定义了三种VPN:IKEv2, IKEv2 with EAP, CiscoIPSec(IKEv1)

Save the config file and type ipsec restart in console.
保存配置文件并执行ipsec restart

Then, about the server cert, in the ipsec.config, we defined the file name server.pem.
接下来是关于服务端证书。在ipsec.config文件里,我们定义了证书文件的名字server.pem。

[info]You can also use Wildcard SSL certs, but you should modify the leftid in the ipsec.conf to @*.your.domain
你也可以使用通配符SSL证书,但是你需要修改ipsec.conf中的leftid为@*.your.domain

And the server address must end in your.domain, which means it can be a.your.domain, b.your.domain, c.your.domain etc.
并且服务器域名必须以your.domain结尾,比如a.your.domain, b.your.domain, c.your.domain等等。

So you can use exactly same config file and cert on all of your servers. All you should do is give them different sub domain names.
所以你可以在你的所有服务器上使用完全相同的配置。你只需要给它们分配不同的子域名即可。
[/info]

[warning]The Common Name in the cert must match the leftid and the real server domain name.
证书中所写的Common Name必须与配置中的leftid和真实的服务器域名匹配。

Which means if you want to access your server by a.your.domain, the Common Name in the cert should exactly be a.your.domain or *.your.domain. Any other string is not accept.
也就是说,如果你想用a.your.domain来访问你的服务器,那证书中的Common Name就必须是a.your.domain或者*.your.domain。其余字符都不可以。

And the left id in ipsec.conf should be @a.your.domain or @*.your.domain.
并且ipsec.conf中的leftid必须是@a.your.domain 或者 @*.your.domain

If not, it will cause connection error because of cert don’t match.
如果有任何不满足,都会导致因证书不匹配的连接失败。
[/warning]

[info]I haven’t try about no domain server, according to the documents about config, you may use self-certificate cert and change the leftid in ipsec.conf, and need to install CA cert on your device.
目前没有尝试过纯使用IP的服务端,按照配置文件的写法应该是需要自签名证书和修改leftid,并且需要将自签名CA安装到手机上。

Update 10/10/2014:
Accroding to Justin’s test, if you want to use IP as the server address, you need to follow these three suggestions:
根据Justin的测试,如果你想使用纯IP的服务器,你需要遵守这三条建议:

1.When creating server cert, you need to use:
当创建服务端证书的时候,你需要使用:
--dn "C=CH, O=strongSwan, CN=Server-IP-Address" \
--san Server-IP-Address \

instead of Server Domain name.
而不是服务器的域名

2.About ipsec.conf,the leftid in it should be exactly the server’s ip address, like:
在ipsec.conf文件中,leftid必须是服务器的IP地址,比如:
leftid = 123.456.789.123

3.About the mobileconfig file, the RemoteIdentifier should be exactly the server’s ip address, like:
在配置文件中,远程标识符必须是服务器的IP地址,如:
RemoteIdentifier
123.456.789.123
[/info]

Just rename your domain cert to the name you set and put it in /etc/ipsec.d/certs/, it’s server.pem in this case.
把你给你的域名申请的证书重命名成配置文件中的名称然后放进/etc/ipsec.d/certs/文件夹,这里是server.pem。

For private key, the file name is defined in ipsec.secrets, as vpnHostKey.pem in this case.
关于证书对应的私钥,ipsec.secrets文件中定义了其文件名,这里是vpnHostKey.pem。

Just rename your own private key to this name and put it in /etc/ipsec.d/private/.
把你的域名证书对应的私钥重命名成配置文件中的名称然后放入/etc/ipsec.d/private/。

[info]Here server.pem is what we call ssl.crt(SSLCertificateFile) in setting up Apache SSL site.
这里的server.pem是我们在配置Apache的SSL时通常所说的ssl.crt(SSLCertificateFile)。

The vpnHostKey.pem is what we call ssl.key(SSLCertificateKeyFile) or private key for cert.
vpnHostKey.pe是我们通常所说的ssl.key(SSLCertificateKeyFile)或者叫证书私钥。
[/info]

Then execute ipsec restart than every thing you should do on server side is done.
接下来执行ipsec restart,然后服务端的所有配置就完成了。

Now for mobileconfig file for iOS 8.
然后是给iOS 8使用的配置文件。

This is my mobile config profile:
这是我在使用的配置文件:

Please modify the username, password, server address in this profile and than install it on your device. You can use import function in Apple Configurator or just modify it use any text editor.
在使用前请修改用户名,密码,服务器地址,然后把配置文件安装到设备上。你可以使用Apple Configurator的导入功能导入这个配置文件然后修改,也可以直接用任何文本编辑器修改。

[info]Additional information about signed mobile config file. You can use this command to sign your mobileconfig file:
关于mobileconfig文件的签名,你可以用这个命令来给你的配置文件签名:
[/info]

openssl smime \
-sign \
-signer ssl.crt \
-inkey ssl.key \
-certfile ca.pem \
-nodetach \
-outform der \
-in MyProfile.mobileconfig \
-out Myprofile_signed.mobileconfig

[info]ssl.crt can be your domain cert or E-mail cert. ssl.key is the private key of the cert. ca.pem may need to let the device trust your own cert. In file and out file MUST be different!
ssl.crt可以是你域名的证书或者是E-mail证书。ssl.key是对应的私钥。有些设备可能需要ca.pem来进行证书信任的验证。输入和输出文件必须不同名!

About self-signed cert, please read this article:
自签名证书参考文章:
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
[/info]

[info]If you want to see more things in IPSec’s log, you can add this in to your ipsec.conf:
如果你想在你的IPSec日志中看到更详细的信息,你可以在ipsec.conf文件中加入这句话:
charondebug="cfg 2, dmn 2, ike 2, net 2"
then the config file will look like this:
然后配置文件会变成这样:
config setup
charondebug = "cfg 2, dmn 2, ike 2, net 2"
uniqueids = no

Now restart ipsec and you will see more things in /var/log/syslog(or /var/log/daemon, /var/log/messages) about your ipsec vpn services.
现在重启ipsec服务,然后你就能在/var/log/syslog(或者 /var/log/daemon, /var/log/messages)中看到关于你的VPN服务的更多信息。

About charondebug, you can find official document hers:
关于charondebug参数,你可以在这里找到官方的文档:
https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Normally, we just need level 2 log. Level 3 and above write some RAW date in hex which we may not need.
一般情况下我们只需要Level 2的日志。Level 3以上的日志包含一些我们可能不太需要的原始包信息。

After debug your vpn server, you may delete the charondebug line, or your log file’s size will grow very fast.
在你调试完你的VPN服务器之后,你最好删除charondebug这一行,不然你的日志文件会迅速增大。

Levels and Subsystems/Groups
The IKE daemon knows different numerical levels of logging, ranging from -1 to 4:

-1: Absolutely silent
0: Very basic auditing logs, (e.g. SA up/SA down)
1: Generic control flow with errors, a good default to see whats going on
2: More detailed debugging control flow
3: Including RAW data dumps in hex
4: Also include sensitive material in dumps, e.g. keys
Each logging message also has a source from which subsystem in the daemon the log came from:

app: applications other than daemons
asn: Low-level encoding/decoding (ASN.1, X.509 etc.)
cfg: Configuration management and plugins
chd: CHILD_SA/IPsec SA
dmn: Main daemon setup/cleanup/signal handling
enc: Packet encoding/decoding encryption/decryption operations
esp: libipsec library messages
ike: IKE_SA/ISAKMP SA
imc: Integrity Measurement Collector
imv: Integrity Measurement Verifier
job: Jobs queuing/processing and thread pool management
knl: IPsec/Networking kernel interface
lib: libstrongwan library messages
mgr: IKE_SA manager, handling synchronization for IKE_SA access
net: IKE network communication
pts: Platform Trust Service
tls: libtls library messages
tnc: Trusted Network Connect

[/info]

CC BY-NC-SA 4.0 Setup IKEv2 On Demand VPN on iOS 8 and IKEv2, IKEv1 Cisco IPSec VPN with Strongswan by 桔子小窝 is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

23 thoughts on “Setup IKEv2 On Demand VPN on iOS 8 and IKEv2, IKEv1 Cisco IPSec VPN with Strongswan

          1. p0we7 China Google Chrome Windows

            @Orange :

            我意思是 我国外VPS使用strongswan 部署了一个ikev2的VPN , 然后我想在国内的VPS 使用strongswan来连接我国外的ikev2 的VPN ,那么我应该怎么去配置 。

            这个site-to-site 我也不懂是什么,在google搜的时候这个关键字排序挺高的

  1. frank China Mozilla Firefox Windows

    博主您好 ,十分感谢您的分享。

    我想请教下,使用ikev2协议,ip 自签证书的话,怎样才能做到 ios 客户端不安装证书呢?

    如果使用域名签发证书的话 是可以做到ios客户端不安装证书,但那样的话 会在客户端暴露域名。

    如果购买ca 证书的话 貌似也是需要域名的。。。

     

    静候回复 再次感谢博主

    1. Orange Canada Google Chrome Mac OS

      自签名证书在客户端是无法不安装证书的。不论是通过 Profile 安装也好网页直接下载证书文件安装也好,服务端证书是必须安装的。

发表评论