Setup IKEv2 On Demand VPN on iOS 8 and IKEv2, IKEv1 Cisco IPSec VPN with Strongswan

First, install Strongswan on Ubuntu.
sudo apt-get install strongswan strongswan-plugin-eap-mschapv2 strongswan-plugin-xauth-generic
[info]If you want to compile from source, you need to add this to your configure command:
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-eap-identity --enable-eap-peap --enable-openssl --enable-md4
You can use these command to install Strongswan from source:
apt-get install build-essential libssl-dev libgmp-dev
tar xjvf strongswan-5.2.0.tar.bz2; cd strongswan-5.2.0
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-eap-identity --enable-eap-peap --enable-openssl --enable-md4
make & make install
apt-get also suggest some packages, some of them are useful if you want to connect your strongswan with Radius or something else.
Suggested packages:
strongswan-tnc-imcvs network-manager-strongswan strongswan-plugin-agent
strongswan-plugin-certexpire strongswan-plugin-coupling
strongswan-plugin-curl strongswan-plugin-dnscert strongswan-plugin-dnskey
strongswan-plugin-duplicheck strongswan-plugin-error-notify
strongswan-plugin-ipseckey strongswan-plugin-ldap strongswan-plugin-led
strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pkcs11
strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-soup
strongswan-plugin-unity strongswan-plugin-whitelist strongswan-tnc-client

Now, use

ipsec version

to check if ipsec installd successful

Then, open /etc/ipsec.secrets. If this file not exists, create a new one.
Sudo vim /etc/ipsec.secrets

Write this:
: RSA vpnHostKey.pem
: PSK yourpskhere
user1 : EAP "topsecretpassword"
user1 : XAUTH "topsecretpassword"
user2 : XAUTH "evenmoretopsecretpassword"

For security reasons, please change the password in the file, not just use the one I gave.

By the way, there is a command to reload this file without restart IPSec:
sudo ipsec rereadsecrets

You can use it to flush the secrets after you modify this file.

Then modify system config to fit ip forward:

sudo vim /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Then set up iptables to enable forward. If you skip this step or make some mistakes, your VPN may can only connect to the server it self or you may lose SSH connection after you start the iptables.
[info]If you have any question, please contact me. wzxjohn#gmail
[info]If you use Debian, you don’t need to use ufw. Just use iptables it self.DO NOT INSTALL ufw!
Just create iptables.up.rules and put “iptables-restore < /etc/iptables.up.rules” in /etc/rc.local.
创建iptables.up.rules文件并把”iptables-restore < /etc/iptables.up.rules” 写入 /etc/rc.local 文件即可。[/info]

sudo vim /etc/iptables.up.rules If the file is not exists, create a new one.

Then put
iptables-restore < /etc/iptables.up.rules
ufw reload

in /etc/rc.local

Now it’s better to restart your VPS now.

If you don’t want to restart, just type
ufw enable
ufw reload

to make sure the iptables rules are working

Now about ipsec config

This is my config file:

I may add some comments later.

This config file has 4 part, defined 3 kinds of VPN: IKEv2, IKEv2 with EAP, CiscoIPSec(IKEv1).
这个配置文件包含了4个部分,定义了三种VPN:IKEv2, IKEv2 with EAP, CiscoIPSec(IKEv1)

Save the config file and type ipsec restart in console.
保存配置文件并执行ipsec restart

Then, about the server cert, in the ipsec.config, we defined the file name server.pem.

[info]You can also use Wildcard SSL certs, but you should modify the leftid in the ipsec.conf to @*.your.domain

And the server address must end in your.domain, which means it can be a.your.domain, b.your.domain, c.your.domain etc.
并且服务器域名必须以your.domain结尾,比如a.your.domain, b.your.domain, c.your.domain等等。

So you can use exactly same config file and cert on all of your servers. All you should do is give them different sub domain names.

[warning]The Common Name in the cert must match the leftid and the real server domain name.
证书中所写的Common Name必须与配置中的leftid和真实的服务器域名匹配。

Which means if you want to access your server by a.your.domain, the Common Name in the cert should exactly be a.your.domain or *.your.domain. Any other string is not accept.
也就是说,如果你想用a.your.domain来访问你的服务器,那证书中的Common Name就必须是a.your.domain或者*.your.domain。其余字符都不可以。

And the left id in ipsec.conf should be @a.your.domain or @*.your.domain.
并且ipsec.conf中的leftid必须是@a.your.domain 或者 @*.your.domain

If not, it will cause connection error because of cert don’t match.

[info]I haven’t try about no domain server, according to the documents about config, you may use self-certificate cert and change the leftid in ipsec.conf, and need to install CA cert on your device.

Update 10/10/2014:
Accroding to Justin’s test, if you want to use IP as the server address, you need to follow these three suggestions:

1.When creating server cert, you need to use:
--dn "C=CH, O=strongSwan, CN=Server-IP-Address" \
--san Server-IP-Address \

instead of Server Domain name.

2.About ipsec.conf,the leftid in it should be exactly the server’s ip address, like:
leftid = 123.456.789.123

3.About the mobileconfig file, the RemoteIdentifier should be exactly the server’s ip address, like:

Just rename your domain cert to the name you set and put it in /etc/ipsec.d/certs/, it’s server.pem in this case.

For private key, the file name is defined in ipsec.secrets, as vpnHostKey.pem in this case.

Just rename your own private key to this name and put it in /etc/ipsec.d/private/.

[info]Here server.pem is what we call ssl.crt(SSLCertificateFile) in setting up Apache SSL site.

The vpnHostKey.pem is what we call ssl.key(SSLCertificateKeyFile) or private key for cert.

Then execute ipsec restart than every thing you should do on server side is done.
接下来执行ipsec restart,然后服务端的所有配置就完成了。

Now for mobileconfig file for iOS 8.
然后是给iOS 8使用的配置文件。

This is my mobile config profile:

Please modify the username, password, server address in this profile and than install it on your device. You can use import function in Apple Configurator or just modify it use any text editor.
在使用前请修改用户名,密码,服务器地址,然后把配置文件安装到设备上。你可以使用Apple Configurator的导入功能导入这个配置文件然后修改,也可以直接用任何文本编辑器修改。

[info]Additional information about signed mobile config file. You can use this command to sign your mobileconfig file:

openssl smime \
-sign \
-signer ssl.crt \
-inkey ssl.key \
-certfile ca.pem \
-nodetach \
-outform der \
-in MyProfile.mobileconfig \
-out Myprofile_signed.mobileconfig

[info]ssl.crt can be your domain cert or E-mail cert. ssl.key is the private key of the cert. ca.pem may need to let the device trust your own cert. In file and out file MUST be different!

About self-signed cert, please read this article:

[info]If you want to see more things in IPSec’s log, you can add this in to your ipsec.conf:
charondebug="cfg 2, dmn 2, ike 2, net 2"
then the config file will look like this:
config setup
charondebug = "cfg 2, dmn 2, ike 2, net 2"
uniqueids = no

Now restart ipsec and you will see more things in /var/log/syslog(or /var/log/daemon, /var/log/messages) about your ipsec vpn services.
现在重启ipsec服务,然后你就能在/var/log/syslog(或者 /var/log/daemon, /var/log/messages)中看到关于你的VPN服务的更多信息。

About charondebug, you can find official document hers:

Normally, we just need level 2 log. Level 3 and above write some RAW date in hex which we may not need.
一般情况下我们只需要Level 2的日志。Level 3以上的日志包含一些我们可能不太需要的原始包信息。

After debug your vpn server, you may delete the charondebug line, or your log file’s size will grow very fast.

Levels and Subsystems/Groups
The IKE daemon knows different numerical levels of logging, ranging from -1 to 4:

-1: Absolutely silent
0: Very basic auditing logs, (e.g. SA up/SA down)
1: Generic control flow with errors, a good default to see whats going on
2: More detailed debugging control flow
3: Including RAW data dumps in hex
4: Also include sensitive material in dumps, e.g. keys
Each logging message also has a source from which subsystem in the daemon the log came from:

app: applications other than daemons
asn: Low-level encoding/decoding (ASN.1, X.509 etc.)
cfg: Configuration management and plugins
chd: CHILD_SA/IPsec SA
dmn: Main daemon setup/cleanup/signal handling
enc: Packet encoding/decoding encryption/decryption operations
esp: libipsec library messages
imc: Integrity Measurement Collector
imv: Integrity Measurement Verifier
job: Jobs queuing/processing and thread pool management
knl: IPsec/Networking kernel interface
lib: libstrongwan library messages
mgr: IKE_SA manager, handling synchronization for IKE_SA access
net: IKE network communication
pts: Platform Trust Service
tls: libtls library messages
tnc: Trusted Network Connect


CC BY-NC-SA 4.0 Setup IKEv2 On Demand VPN on iOS 8 and IKEv2, IKEv1 Cisco IPSec VPN with Strongswan by 桔子小窝 is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

23 thoughts on “Setup IKEv2 On Demand VPN on iOS 8 and IKEv2, IKEv1 Cisco IPSec VPN with Strongswan

          1. p0we7 China Google Chrome Windows

            @Orange :

            我意思是 我国外VPS使用strongswan 部署了一个ikev2的VPN , 然后我想在国内的VPS 使用strongswan来连接我国外的ikev2 的VPN ,那么我应该怎么去配置 。

            这个site-to-site 我也不懂是什么,在google搜的时候这个关键字排序挺高的

  1. frank China Mozilla Firefox Windows

    博主您好 ,十分感谢您的分享。

    我想请教下,使用ikev2协议,ip 自签证书的话,怎样才能做到 ios 客户端不安装证书呢?

    如果使用域名签发证书的话 是可以做到ios客户端不安装证书,但那样的话 会在客户端暴露域名。

    如果购买ca 证书的话 貌似也是需要域名的。。。


    静候回复 再次感谢博主

    1. Orange Canada Google Chrome Mac OS

      自签名证书在客户端是无法不安装证书的。不论是通过 Profile 安装也好网页直接下载证书文件安装也好,服务端证书是必须安装的。