@wmil
Last active May 2, 2023 09:25
Ivacy IKEv2 on Debian

Install strongSwan

sudo apt-get -y update
sudo apt-get -y install strongswan strongswan-libcharon libcharon-extra-plugins

Download Trusted CA

This download URL is from Comodo's support site. Note that the AddTrust External CA Root expired on 30 May 2020, so newer Ivacy server certificates may chain to a different root; the comment below uses the USERTrust RSA Certification Authority instead.

sudo curl -o /etc/ipsec.d/cacerts/AddTrustExternalCARoot.pem 'https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/853/29'

Configure strongSwan

Replace [email protected] and MyPasswordOnIvacy with your Ivacy username and password, and usla1 with the VPN server you want to connect to.

/etc/ipsec.secrets:

[email protected] : EAP "MyPasswordOnIvacy"

/etc/ipsec.conf:

conn ivacy-usla1
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        eap_identity="[email protected]"
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=usla1.dns2use.com
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=%*.dns2use.com
        rightca=/etc/ipsec.d/cacerts/AddTrustExternalCARoot.pem
        type=tunnel
        auto=add
        ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes256-sha256,aes256-sha1,3des-sha1!

/etc/strongswan.d/charon/constraints.conf:

constraints {
    load = no
}

Points:

  • [email protected] : EAP "MyPasswordOnIvacy": the spaces around the colon matter; keep the line in exactly this form.
  • rightauth=pubkey: the server authenticates with its public key (certificate), not a pre-shared key.
  • rightid=%*.dns2use.com: the server's certificate must contain the literal name *.dns2use.com in its SubjectAltName. strongSwan does not treat the * as a wildcard here, so the ID is compared as a plain string.
  • rightca=...AddTrustExternalCARoot.pem: the server's certificate must chain to the CA certificate in AddTrustExternalCARoot.pem.
  • ike=... and esp=...: the IKE and ESP algorithms supported by the server; the list mimics an Apple device, and the trailing ! makes the proposal list strict (strongSwan adds no default proposals). modp1024 and 3DES are weak by current standards and are only listed because the server offers them.

Operate strongSwan

sudo ipsec restart
sudo ipsec up ivacy-usla1
sudo ipsec down ivacy-usla1
ip rule list
ip route list table 220
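As a check before loading the conn above, here is an added example (not from the gist or from strongSwan) in Python: a minimal parser for ipsec.conf sections that enforces the indentation rule, plus a checker that flags weak algorithms in an ike=/esp= proposal list and reports whether the trailing ! makes the list strict. The sample config is constructed from the gist's conn, and the WEAK table is an assumed list, not strongSwan's.

```python
"""Lint a strongSwan ipsec.conf conn section for indentation and weak proposals."""

# Sample config constructed for this example from the gist's ivacy-usla1 conn.
SAMPLE_IPSEC_CONF = """\
conn ivacy-usla1
        keyexchange=ikev2
        leftauth=eap-mschapv2
        rightauth=pubkey
        rightid=%*.dns2use.com
        ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes256-sha256,aes256-sha1,3des-sha1!
"""

# Assumed table of algorithm tokens considered weak today (not a strongSwan list).
WEAK = {"3des": "3DES (64-bit block cipher)", "md5": "MD5 integrity/PRF",
        "sha1": "SHA-1 integrity/PRF", "modp1024": "1024-bit MODP DH group"}


def parse_ipsec_conf(text):
    """Return {"conn NAME": {param: value}}. Parameter lines must be indented:
    a non-indented line starts a new section, so an unindented key=value
    (a common copy-paste mistake) is rejected instead of being misread."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header such as "conn ivacy-usla1"
            if "=" in line:
                raise ValueError(f"parameter line is not indented: {line}")
            current = sections.setdefault(line.strip(), {})
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line.strip()}")
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def check_proposals(proposal):
    """Return (strict, findings) for an ike=/esp= value: strict is True when the
    list ends in '!' (no default proposals appended); findings maps each
    proposal containing a weak token to the list of reasons."""
    strict = proposal.endswith("!")
    findings = {}
    for prop in proposal.rstrip("!").split(","):
        reasons = [WEAK[tok] for tok in prop.split("-") if tok in WEAK]
        if reasons:
            findings[prop] = reasons
    return strict, findings
```

Running check_proposals on the sample's ike= value flags all three proposals for SHA-1 and modp1024 (and 3DES on the last one), while a proposal such as aes256gcm16-prfsha384-ecp384 comes back clean.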
@mrmorten

Finally got it working with Ivacy dedicated IP with forwarding product. To get it working, set mss to 1350, and mtu to 1400 in charon.conf (or /etc/strongswan.d/charon/kernel-netlink.conf). Difference in packet sizes caused only parts of the VPN to work. Using Kernel 6.0.7 (arch linux) and strongswan-ipsec 5.9.8.

# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="debug"

conn ivacy
        keyexchange=ikev2
        dpdaction=hold
        closeaction=hold
        dpddelay=300s
        leftauth=eap-mschapv2
        eap_identity="your-username"
        left=%defaultroute
        leftsourceip=%config
        right=your-ivacy-server.dns2use.com
        rightid=%*.dns2use.com
        rightca=/etc/ipsec.d/cacerts/USERTrustRSACertificationAuthority.crt
        rightsubnet=0.0.0.0/0
        type=tunnel
        auto=add
        ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes256-sha256,aes256-sha1,3des-sha1!

Download cert from https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html

Also set up /etc/ipsec.secrets:
ivacy-userid : EAP "password"

@EITSxiaozhai

Can you share your latest configuration files? The new version has a different way of writing. I'm having problems with the certificate not being validated.
