
Installing IKEv2 VPN Server with StrongSwan (Ubuntu 22.04)

In this guide, you will learn how to set up a highly secure VPN server using StrongSwan + IKEv2/IPSec on Ubuntu 22.04. You'll create your own CA, sign the server certificate, configure StrongSwan, and connect Windows, macOS, Linux, iOS, and Android clients.

IKEv2 is a fast and stable protocol that copes well with dropped and changing connections, especially on mobile devices, and has built-in support on most platforms.

Technologies Used

  • StrongSwan
  • IKEv2/IPSec
  • PKI & Certificate Authority (CA)
  • RSA keys
  • EAP-MSCHAPv2
  • NAT, MASQUERADE, ESP Forwarding
  • UFW and IP forwarding

User Flow

  1. StrongSwan installation
  2. Creating CA and server certificates
  3. ipsec.conf configuration
  4. User authentication
  5. UFW NAT and IP routing settings
  6. Installing CA on clients
  7. Connection testing on different platforms

🖥️ StrongSwan IKEv2 VPN Installation Steps

1. StrongSwan Installation

Update local package list:

sudo apt update

Refreshes the package lists.

Install StrongSwan and PKI tools:


sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins

These packages are required for IKEv2 support, authentication, and certificate operations.

2. Creating a Certificate Authority (CA)

Create PKI directories:


mkdir -p ~/pki/{cacerts,certs,private}
chmod 700 ~/pki

Generate the CA private key:


pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem

Create the CA certificate:


pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
--type rsa --dn "CN=GenixNode VPN Kök CA" --outform pem > ~/pki/cacerts/ca-cert.pem

3. Creating a VPN Server Certificate

Generate the server private key:


pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem

Sign the server certificate:


pki --pub --in ~/pki/private/server-key.pem --type rsa \
| pki --issue --lifetime 1825 \
--cacert ~/pki/cacerts/ca-cert.pem \
--cakey ~/pki/private/ca-key.pem \
--dn "CN=vpn.ornek.com" --san vpn.ornek.com \
--flag serverAuth --flag ikeIntermediate --outform pem \
> ~/pki/certs/server-cert.pem

Move the files to the StrongSwan directory:


sudo cp -r ~/pki/* /etc/ipsec.d/
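Before (or after) copying the files, it is worth confirming that what steps 2 and 3 produced actually fits together: that the server certificate chains to the CA, carries the host name clients will use, matches the private key named in ipsec.secrets, and has the serverAuth flag. The following checks are an added example using openssl, not part of the original guide or of strongSwan's pki tool; PKI_DIR defaults to the ~/pki directory the guide uses, and the file names are the ones created above.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the files from steps 2
# and 3 with openssl before they go into /etc/ipsec.d. A failure here is the
# usual root cause of a client reporting that the server could not be
# authenticated. PKI_DIR is an assumption: it defaults to ~/pki as in the guide.

PKI_DIR="${PKI_DIR:-$HOME/pki}"
CA_CERT="cacerts/ca-cert.pem"
SRV_CERT="certs/server-cert.pem"
SRV_KEY="private/server-key.pem"

# 1. The server certificate must chain to our own CA.
check_chain() {
    openssl verify -CAfile "$PKI_DIR/$CA_CERT" "$PKI_DIR/$SRV_CERT" >/dev/null 2>&1
}

# 2. The SAN list must contain the name clients enter as Server / Remote ID
#    (the guide sets it with --san; it must also equal leftid in ipsec.conf).
check_san() {
    openssl x509 -in "$PKI_DIR/$SRV_CERT" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | tr -d ' ' | grep -qxF -- "DNS:$1"
}

# 3. The private key referenced from ipsec.secrets must belong to the certificate:
#    compare the public key derived from the key with the one in the certificate.
check_key_matches() {
    pub=$(openssl pkey -in "$PKI_DIR/$SRV_KEY" -pubout 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$PKI_DIR/$SRV_CERT" -noout -pubkey 2>/dev/null)" ]
}

# 4. The serverAuth extended key usage (set with --flag serverAuth) must be present;
#    some clients, Windows among them, reject a server certificate without it.
check_eku() {
    openssl x509 -in "$PKI_DIR/$SRV_CERT" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Run every check for the given host name; report the first failure and return 1.
check_all() {
    host=$1
    check_chain       || { echo "FAIL: server-cert.pem does not chain to ca-cert.pem" >&2; return 1; }
    check_san "$host" || { echo "FAIL: subjectAltName does not contain DNS:$host" >&2; return 1; }
    check_key_matches || { echo "FAIL: server-key.pem does not match server-cert.pem" >&2; return 1; }
    check_eku         || { echo "FAIL: extendedKeyUsage lacks serverAuth" >&2; return 1; }
    echo "OK: PKI files are consistent for $host"
}

# Usage on the server:  sh check_pki.sh vpn.ornek.com
if [ "$#" -gt 0 ]; then
    check_all "$1"
fi
```

The host name you pass to check_all should be the same string you put in --dn/--san, in leftid, and in the clients' Server and Remote ID fields; if any of these drift apart, the client will refuse the connection even though the certificate itself is valid.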

4. StrongSwan Configuration

Back up the default file:


sudo mv /etc/ipsec.conf{,.original}

Open the new file:


sudo nano /etc/ipsec.conf

Add the following configuration. Parameter lines must be indented under their section header: ipsec.conf treats an unindented line as the start of a new section.


config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no

    # left = this server; leftid must match the certificate's CN/SAN
    left=%any
    leftid=@vpn.ornek.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    # right = the connecting clients, authenticated by username and password
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity

    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384

5. User Authentication

Open the file:


sudo nano /etc/ipsec.secrets

Add the following. The first line names the server private key; each further line of the form username : EAP "password" is one VPN user:


: RSA "server-key.pem"
vpnkullanici : EAP "gizliSifre123"

Restart the service:


sudo systemctl restart strongswan-starter

6. Firewall and IP Forwarding Settings

Open the required ports:


sudo ufw allow OpenSSH
sudo ufw allow 500,4500/udp

Find the network interface:


ip route show default

UFW NAT rules:


sudo nano /etc/ufw/before.rules

Add at the top of the file, replacing eth0 with the interface name shown by the previous command:


*nat
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
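Cloud images frequently name the primary interface ens3, ens5 or enp0s3 rather than eth0, and a MASQUERADE rule bound to the wrong interface is the classic reason a tunnel comes up with no internet behind it. The following helper is an added example (not part of the original guide): it parses the output of ip route show default and prints the *nat block with the right interface filled in. VPN_POOL and the sample route line are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: derive the outbound interface
# from `ip route show default` and build the MASQUERADE block for
# /etc/ufw/before.rules from it, instead of assuming the interface is eth0.
# VPN_POOL must match rightsourceip in ipsec.conf (10.10.10.0/24 in this guide).

VPN_POOL="${VPN_POOL:-10.10.10.0/24}"

# Read route output on stdin; print the name that follows "dev" on the first
# "default" line. Field positions vary between kernels, so search for "dev"
# rather than assuming it is always the 5th field.
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the *nat block that belongs at the top of /etc/ufw/before.rules.
nat_block() {
    printf '*nat\n-A POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n' "$VPN_POOL" "$1"
}

# Combine the two: route text on stdin, finished block on stdout.
# On the server:  ip route show default | nat_block_from_route
nat_block_from_route() {
    iface=$(default_iface)
    if [ -z "$iface" ]; then
        echo "no default route found; cannot pick an interface" >&2
        return 1
    fi
    nat_block "$iface"
}

# Constructed sample of what `ip route show default` prints on a typical cloud VM.
SAMPLE_ROUTE="default via 203.0.113.1 dev ens3 proto dhcp src 203.0.113.10 metric 100"

# Stand-alone run: show the block the sample route produces.
printf '%s\n' "$SAMPLE_ROUTE" | nat_block_from_route
```

Paste the printed block above the existing *filter section of before.rules; the nat table must be complete (from *nat to COMMIT) before the filter table begins, which is why the guide says to add it at the top.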

Turn on IP forwarding:


sudo nano /etc/ufw/sysctl.conf

Add:


net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1

Refresh firewall:


sudo ufw disable
sudo ufw enable

7. Installing the CA Certificate on Clients

View CA certificate:


cat /etc/ipsec.d/cacerts/ca-cert.pem

Copy this and transfer it to your devices as ca-cert.pem.

Supported Platforms

  • Windows 10/11
  • macOS
  • iOS
  • Android
  • Ubuntu/Linux distributions

On every device:

  • Type: IKEv2
  • Server: vpn.ornek.com
  • Remote ID: vpn.ornek.com (must match leftid and the certificate's SAN)
  • Authentication: Username + password
  • CA certificate: Root CA file


❓ Frequently Asked Questions (FAQ)

1. Why doesn't the connection work without a CA certificate?

Without the CA certificate the client has no way to verify the server certificate, so it cannot authenticate the server and refuses the connection.

2. What exactly does left / right mean?

left = server (local)
right = client (remote)

3. If the connection is established but there is no internet, what is the reason?

Most often the NAT/MASQUERADE rule in /etc/ufw/before.rules is missing or names the wrong interface, or IP forwarding has not been enabled.

4. What can be done if the speed is low?

AES-GCM cipher suites are the fastest compatible option.

5. Can I add multiple users?

Yes. Each username : EAP "password" line in /etc/ipsec.secrets is one user; restart strongswan-starter after editing the file.
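For the secrets file written in step 5 and the multi-user question above, the following helper is an added example (not part of the original guide or of strongSwan): it appends users to ipsec.secrets in the exact line format the guide uses, while rejecting malformed usernames, passwords that are too short or contain a double quote (which would break the quoted field), and duplicate usernames. SECRETS defaults to the real file; the 12-character minimum is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: add VPN accounts to
# ipsec.secrets without hand-editing. Every `<user> : EAP "<password>"` line is
# one account. SECRETS defaults to the real file; point it at a copy to experiment.

SECRETS="${SECRETS:-/etc/ipsec.secrets}"

# Print the username of every EAP line in the secrets file.
list_eap_users() {
    awk '$2 == ":" && $3 == "EAP" { print $1 }' "$SECRETS"
}

# add_vpn_user <name> <password>: append one EAP line; return 1 (with a reason on
# stderr) when the input is unusable or the user already exists.
add_vpn_user() {
    name=$1
    pass=$2
    # Username: letters, digits, dot, underscore, @ and hyphen; nothing that could
    # be parsed as a second field.
    case "$name" in
        "" | *[!A-Za-z0-9._@-]*)
            echo "add_vpn_user: invalid username '$name'" >&2; return 1 ;;
    esac
    # Minimum length is an assumption for this example, not a strongSwan rule.
    if [ "${#pass}" -lt 12 ]; then
        echo "add_vpn_user: password for $name must be at least 12 characters" >&2; return 1
    fi
    # A double quote would terminate the quoted password field early.
    case "$pass" in
        *\"*) echo "add_vpn_user: password may not contain a double quote" >&2; return 1 ;;
    esac
    if list_eap_users | grep -qxF -- "$name"; then
        echo "add_vpn_user: user $name already exists" >&2; return 1
    fi
    printf '%s : EAP "%s"\n' "$name" "$pass" >> "$SECRETS"
}

# Usage on the server (then restart strongswan-starter so the new line is read):
#   sudo SECRETS=/etc/ipsec.secrets sh add_vpn_user.sh alice 'a-long-password'
if [ "$#" -eq 2 ]; then
    add_vpn_user "$1" "$2"
fi
```

Because ipsec.secrets holds plaintext passwords, keep it root-owned with mode 600 (the Ubuntu package already ships it that way) and do not copy it around with the PKI directory.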


🎯 Result

You have installed a modern, fast and secure IKEv2 VPN with StrongSwan on Ubuntu 22.04. You've created your own CA, signed the server certificate, completed the firewall configuration, and made all client types connectable.

You can instantly test this structure on GenixNode Virtual Instances and deploy your secure VPN infrastructure.