How to install IPSEC IKEv2 vpn server on CentOS 7 linux

Continuing our series on VPN technologies, this article shows how to install an IPsec IKEv2 VPN server on CentOS 7 Linux.
IKE stands for Internet Key Exchange. It handles the security association phase of IPsec: the two peers negotiate the security attributes and authenticate each other with either a preshared key or a digital certificate.

Here is our environment:

OS: CentOS 7 on VMWare
Firewall: firewalld
SELinux: enforcing
Server IP address: 192.168.3.128
Client IP address: 192.168.3.132

1- Install libreswan

To install IPSEC IKEv2, we should install libreswan package:

# yum install libreswan

Libreswan performs the cryptographic operations of the IKE negotiation through the NSS (Network Security Services) library, which keeps its keys and certificates in a database. So we initialize a new (SQLite-backed) NSS database for it:

# ipsec initnss

2- Generate Certificates

To encrypt traffic and authenticate users, we need three types of certificates: a CA certificate, a server certificate and a client certificate. First we generate the CA certificate:

# certutil -S -x -n "ExampleCA" -s "O=Example,CN=My CA" -k rsa -v 120 -d sql:/etc/ipsec.d -t "CT,," -2

To create the private key, type randomly on the keyboard until the progress meter completes.
When a message says the process is finished, press Enter.
When asked whether this is a CA certificate, type y for yes.
When asked for a path length constraint, press Enter.
Finally, when asked whether this is a critical extension, type n for no.
Next we create the server certificate; it is signed by the CA certificate we just generated:

# certutil -S -c "ExampleCA" -n "192.168.3.128" -s "O=Example,CN=192.168.3.128" -k rsa -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "192.168.3.128"

Note: remember to replace the IP address with your own.
Again, type randomly until key generation finishes, then press Enter.
The process then asks you to choose key usage flags; select the following in turn:
0 – Digital signature
2 – Key encipherment
8 – end
When asked if this is a critical extension, type n for no.
When asked about extended key usage, select the following in turn:
0 – Server auth
1 – Client auth
8 – end
When asked if this is a critical extension, type n for no.
The last certificate to generate is the client certificate. Here we generate it for client1, as follows:

# certutil -S -c "ExampleCA" -n "192.168.3.132" -s "O=Example,CN=192.168.3.132" -k rsa -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "192.168.3.132"

Note: replace “192.168.3.132” with the IP address (or the host name, such as client1.example.com) of your own client.
As before, type randomly until key generation finishes.
Enter the same key usage and extended key usage choices as you did for the server certificate.

3- Transfer certificates to client

To transfer the generated certificates to a client, we first create a PKCS#12 (.p12) bundle that contains the client certificate, the client private key and the CA certificate:

# pk12util -o ~/client1.p12 -n "192.168.3.132" -d sql:/etc/ipsec.d

Change the permissions so that the file can be copied to the client:

# chmod +r ~/client1.p12

When pk12util asks for the PKCS#12 password, leave the password and its confirmation blank.
Then copy client1.p12 to your client.
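The certificate steps above (step 2 and step 3) can be scripted so that they do not depend on keyboard input. The script below is an added example, not part of the original post. It assumes the NSS database already exists from ipsec initnss, uses certutil's -z option to seed key generation from a noise file in place of the random typing, feeds the extension prompts the same answers listed above on standard input, and passes the empty bundle password to pk12util with -W. The function names, the DRY_RUN variable and the noise file path are the example's own.

```shell
#!/bin/bash
# Added example: scripted version of the certutil / pk12util steps of the tutorial.
# Set DRY_RUN=1 to print the commands instead of executing them.

NSSDB="${NSSDB:-sql:/etc/ipsec.d}"          # same NSS database as the page
CA_NICK="${CA_NICK:-ExampleCA}"             # CA nickname from the page
ORG="${ORG:-Example}"
NOISE="${NOISE:-${TMPDIR:-/tmp}/certutil.noise}"   # assumed path for the -z seed file

# Seed file for certutil -z, so key generation does not wait for keyboard input.
make_noise() {
  [ -s "$NOISE" ] || head -c 1024 /dev/urandom > "$NOISE"
}

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# CA certificate. The here-document answers the -2 prompts as the page says:
# "y" (this is a CA), blank (no path length constraint), "n" (not critical).
gen_ca() {
  make_noise
  run certutil -S -x -n "$CA_NICK" -s "O=$ORG,CN=My CA" -k rsa -v 120 \
      -d "$NSSDB" -t "CT,," -2 -z "$NOISE" <<'EOF'
y

n
EOF
}

# End-entity (server or client) certificate signed by the CA.
# $1 = nickname and CN, $2 = IP address placed in the SAN (-8).
# Prompt answers follow the page: key usage 0 and 2, 8 to finish, n (not critical);
# extended key usage 0 and 1, 8 to finish, n (not critical).
gen_leaf() {
  nick="$1"; ip="$2"
  make_noise
  run certutil -S -c "$CA_NICK" -n "$nick" -s "O=$ORG,CN=$nick" -k rsa -v 12 \
      -d "$NSSDB" -t ",," -1 -6 -8 "$ip" -z "$NOISE" <<'EOF'
0
2
8
n
0
1
8
n
EOF
}

# Export the client bundle (client cert + key + CA) like step 3.
# $1 = client nickname, $2 = output file. -W "" sets the empty password the page uses
# (assumption: this pk12util accepts an empty -W argument).
export_p12() {
  nick="$1"; out="$2"
  run pk12util -o "$out" -n "$nick" -d "$NSSDB" -W ""
}

# Entry point: `bash this-script --run [CLIENT_IP]` runs the whole procedure;
# without --run the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
  SERVER_IP="${SERVER_IP:-192.168.3.128}"
  CLIENT_IP="${2:-192.168.3.132}"
  gen_ca
  gen_leaf "$SERVER_IP" "$SERVER_IP"
  gen_leaf "$CLIENT_IP" "$CLIENT_IP"
  export_p12 "$CLIENT_IP" "$HOME/client1.p12"
  chmod +r "$HOME/client1.p12"
fi
```

Run it once with DRY_RUN=1 to review the exact certutil and pk12util invocations, then as root with --run on the server; afterwards `certutil -L -d sql:/etc/ipsec.d` should list the CA, server and client nicknames.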

4- Create configuration

Put the following content in /etc/ipsec.d/ike.conf:

# vim /etc/ipsec.d/ike.conf
conn ike
        left=192.168.3.128
        leftcert=192.168.3.128
        [email protected]
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftrsasigkey=%cert
        right=%any
        rightaddresspool=10.9.0.2-10.9.0.254
        rightca=%same
        rightrsasigkey=%cert
        modecfgdns="8.8.8.8,4.2.2.4"
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        IKEv2=insist
        rekey=no
        fragmentation=yes
        ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024

Note 1: mind the leading spaces (indentation) in the configuration above.

Note 2: replace “192.168.3.128” and the leftcert value with your own IP address and certificate nickname.

5- Start IPsec Service

Now we enable and start the ipsec service and check that it started properly:

# systemctl enable ipsec
# systemctl start ipsec
# systemctl status ipsec

6- Configure Firewall

Here we use the firewalld service. We need to allow IPsec traffic, forward traffic from the internal VPN address pool to the Internet-facing interface, and NAT it:

# firewall-cmd --permanent --zone=public --add-masquerade
# firewall-cmd --permanent --add-rich-rule='rule protocol value="esp" accept'
# firewall-cmd --permanent --add-rich-rule='rule protocol value="ah" accept'
# firewall-cmd --permanent --add-port=500/udp 
# firewall-cmd --permanent --add-port=4500/udp 
# firewall-cmd --permanent --add-service="ipsec"
# firewall-cmd --reload

If you use CSF, create a file named /etc/csf/csfpre.sh and put these lines in it:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.9.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eno16777728 -j MASQUERADE

Then reload CSF.
If you use plain iptables instead, run the same three commands as root and then save the changes with iptables-save.
Note: replace eno16777728 with the name of your own Internet-facing interface.
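The following script wraps steps 5 and 6 as checks rather than one-off commands. It is an added example, not from the original post: it applies the firewalld rules idempotently (querying before adding), prints the iptables rules with the outgoing interface read from the default route, and verifies that the ipsec service is running and bound to UDP 500 and 4500. The 10.9.0.0/24 pool comes from the configuration above; taking the Internet-facing interface from `ip route show default` and the function names are the example's own assumptions.

```shell
#!/bin/bash
# Added example: firewall rules and post-install checks for the libreswan server above.

POOL="${POOL:-10.9.0.0/24}"   # rightaddresspool network from ike.conf

# Extract the interface name from `ip route show default` output ($1 = that text).
default_iface() {
  printf '%s\n' "$1" | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only when every UDP port in $2.. is bound according to `ss -lun` output ($1 = that text).
# Handles both "*:500" and "[::]:500" local-address forms.
udp_ports_open() {
  text="$1"; shift
  for p in "$@"; do
    printf '%s\n' "$text" | awk -v port="$p" '
      $1 == "UNCONN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
      END { exit found ? 0 : 1 }' || return 1
  done
  return 0
}

# Apply the firewalld rules from the page, skipping any that already exist.
fw_apply() {
  firewall-cmd --permanent --zone=public --query-masquerade >/dev/null 2>&1 \
    || firewall-cmd --permanent --zone=public --add-masquerade
  for port in 500/udp 4500/udp; do
    firewall-cmd --permanent --query-port="$port" >/dev/null 2>&1 \
      || firewall-cmd --permanent --add-port="$port"
  done
  firewall-cmd --permanent --query-service=ipsec >/dev/null 2>&1 \
    || firewall-cmd --permanent --add-service=ipsec
  for proto in esp ah; do
    rule="rule protocol value=\"$proto\" accept"
    firewall-cmd --permanent --query-rich-rule="$rule" >/dev/null 2>&1 \
      || firewall-cmd --permanent --add-rich-rule="$rule"
  done
  firewall-cmd --reload
}

# Print the three iptables rules from the page for CSF / plain iptables users ($1 = interface).
nat_rules() {
  cat <<EOF
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $POOL -j ACCEPT
iptables -t nat -A POSTROUTING -s $POOL -o $1 -j MASQUERADE
EOF
}

# Live check: the service is active and IKE (500) and NAT-T (4500) are listening.
check_server() {
  systemctl is-active --quiet ipsec || { echo "ipsec service is not running"; return 1; }
  udp_ports_open "$(ss -lun)" 500 4500 || { echo "UDP 500/4500 are not listening"; return 1; }
  echo "ipsec is up; Internet-facing interface: $(default_iface "$(ip route show default)")"
}

# Usage on the server (as root):
#   fw_apply                                   # firewalld rules from step 6
#   nat_rules "$(default_iface "$(ip route show default)")"   # rules for csfpre.sh
#   check_server                               # verify step 5 took effect
```

`nat_rules` only prints the rules, so you can review them and paste them into csfpre.sh or pipe them to `sh` for plain iptables; `check_server` is the test to run after `systemctl start ipsec`.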

7- Configure SELinux

We prefer to keep SELinux enabled. To allow the VPN daemon to bring up its interfaces, run the following command:

# setsebool -P daemons_use_tty 1

If you have disabled SELinux, simply skip the command above.
Finally, consult the documentation of your client OS (Windows, Linux, macOS, Android, iOS, etc.) for how to import the downloaded certificate bundle and create a VPN connection of type IKEv2.