This is a complete, start-to-finish guide to setting up a strongSwan IKEv2 server on Ubuntu 22.04 that is fully compatible with your Android phone's built-in client.
Step 1: System Update and Installation
First, we need the main server software plus the extra charon plugins (EAP-MSCHAPv2 among them) that Android's built-in client needs to authenticate against Ubuntu.
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins -y
Step 2: Generate PKI Certificates
This is the "identity card" for your server. Without it, your Android phone cannot verify who it is talking to and will reject the connection.
1. Create the Certificate Authority (CA):
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/ca-key.pem
ipsec pki --self --ca --lifetime 3650 --in ~/ca-key.pem \
--type rsa --dn "CN=VPN CA" --outform pem > ~/ca-cert.pem
2. Create the Server Certificate:
Replace YOUR_SERVER_IP with your actual public IP address in both places below.
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/server-key.pem
ipsec pki --pub --in ~/server-key.pem --type rsa | \
ipsec pki --issue --lifetime 3650 --cacert ~/ca-cert.pem \
--cakey ~/ca-key.pem --dn "CN=YOUR_SERVER_IP" \
--san YOUR_SERVER_IP --flag serverAuth --outform pem > ~/server-cert.pem
3. Move them to the correct system folders:
sudo cp ~/ca-cert.pem /etc/ipsec.d/cacerts/
sudo cp ~/server-cert.pem /etc/ipsec.d/certs/
sudo cp ~/server-key.pem /etc/ipsec.d/private/
Step 3: Configure strongSwan (ipsec.conf)
Open the main configuration file: sudo nano /etc/ipsec.conf
Delete everything inside and paste the following. Keep the parameter lines indented under their section header: strongSwan only treats indented lines as parameters of the section above them.
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=yes

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # Server side
    left=%any
    leftid=YOUR_SERVER_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Client (Android) side
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%identity
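As an added check (not part of the original guide): a small Python linter that parses ipsec.conf the way strongSwan reads it (section headers at column 0, parameters indented) and reports anything in the conn that would stop the Android client, such as an unreplaced YOUR_SERVER_IP or a rightauth other than eap-mschapv2. The sample conn and the 203.0.113.10 address are constructed for the example.

```python
import re

# Settings the Android built-in IKEv2/IPSec MSCHAPv2 client relies on, with the
# values the guide's ipsec.conf uses; a missing key or other value is reported.
REQUIRED = {"keyexchange": "ikev2", "rightauth": "eap-mschapv2",
            "eap_identity": "%identity", "leftsendcert": "always"}
PLACEHOLDER = "YOUR_SERVER_IP"  # the guide's stand-in that must be replaced
# Constructed sample: the guide's conn, trimmed, with a test-net address filled in.
SAMPLE_CONF = """\
conn ikev2-vpn
    keyexchange=ikev2
    leftid=203.0.113.10
    leftsendcert=always
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
"""

def parse_ipsec_conf(text):
    """Return ({section: {key: value}}, errors). strongSwan expects 'config setup'
    and 'conn NAME' headers at column 0 and every parameter indented under them."""
    sections, errors, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
        elif current is None or not line[0].isspace():
            errors.append(f"line {n}: '{line.strip()}' is not indented under a section")
        else:  # parameter line; a line without '=' yields an empty value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections, errors

def check_android_conn(text, conn="ikev2-vpn"):
    """List problems that would stop the Android client; [] means it looks fine."""
    sections, findings = parse_ipsec_conf(text)
    params = sections.get(f"conn {conn}")
    if params is None:
        return findings + [f"no 'conn {conn}' section found"]
    for key, want in REQUIRED.items():
        if params.get(key) != want:
            findings.append(f"{key}: expected '{want}', got {params.get(key)!r}")
    if params.get("leftid") in (None, PLACEHOLDER):
        findings.append("leftid must be the server's public IP, matching the certificate SAN")
    return findings
```

Run it against your real file with `check_android_conn(open("/etc/ipsec.conf").read())` before restarting strongSwan; an empty list means the Android-relevant settings are in place.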
Step 4: Configure Credentials (ipsec.secrets)
Open the secrets file: sudo nano /etc/ipsec.secrets
Add these lines:
: RSA "server-key.pem"
your_username : EAP "your_password"
Step 5: Networking (Forwarding & NAT)
1. Enable Packet Forwarding:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
2. Configure UFW NAT:
Open /etc/ufw/before.rules. Above the *filter line, add:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
(Ensure eth0 matches your interface name from ip route.)
3. Open Firewall Ports and reload the services:
sudo ufw allow 500/udp
sudo ufw allow 4500/udp
sudo ufw reload   # ufw has no "restart" command; reload re-applies before.rules
sudo ipsec restart
Step 6: Connect Your Android Phone
1. Transfer the CA: get ~/ca-cert.pem onto your phone.
2. Install it: go to Settings > Security > Advanced > Encryption & Credentials > Install a certificate > CA certificate.
3. Add VPN Profile:
Type: IKEv2/IPSec MSCHAPv2
Server Address: Your Server IP
IPSec Identifier: Your Server IP
CA Certificate: Select the "VPN CA" you just installed.
Username/Password: Use the ones from ipsec.secrets.
How to Build an IKEv2 VPN Server for Android (Ubuntu 22.04)
This guide walks you through setting up a strongSwan VPN server that is natively compatible with Android's built-in IKEv2/IPSec MSCHAPv2 client.
Step 1: Install Dependencies
Update your system and install strongSwan along with the EAP plugins required for Android authentication.
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins -y
Step 2: Generate PKI Certificates
The server needs a Certificate Authority (CA) and a Server Certificate to prove its identity to your phone.
# 1. Create CA Key and Certificate
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/ca-key.pem
ipsec pki --self --ca --lifetime 3650 --in ~/ca-key.pem --type rsa --dn "CN=VPN CA" --outform pem > ~/ca-cert.pem
# 2. Create Server Key and Certificate
# REPLACE YOUR_SERVER_IP with your actual server IP
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/server-key.pem
ipsec pki --pub --in ~/server-key.pem --type rsa | ipsec pki --issue --lifetime 3650 --cacert ~/ca-cert.pem --cakey ~/ca-key.pem --dn "CN=YOUR_SERVER_IP" --san YOUR_SERVER_IP --flag serverAuth --outform pem > ~/server-cert.pem
# 3. Move to system directories
sudo cp ~/ca-cert.pem /etc/ipsec.d/cacerts/
sudo cp ~/server-cert.pem /etc/ipsec.d/certs/
sudo cp ~/server-key.pem /etc/ipsec.d/private/
Step 3: Configure strongSwan (ipsec.conf)
Edit /etc/ipsec.conf and replace its content with the following (update the IP address!):
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=yes

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=YOUR_SERVER_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%identity
Step 4: Set Credentials (ipsec.secrets)
Define your server key and user login in /etc/ipsec.secrets:
: RSA "server-key.pem"
your_username : EAP "your_password"
Step 5: Networking & Firewall
Enable IP forwarding and set up NAT so the VPN has internet access.
# Enable Forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Open Ports
sudo ufw allow 500/udp
sudo ufw allow 4500/udp
Add the NAT rule to the top of /etc/ufw/before.rules (above *filter):
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
ca-cert.pem to your phone and install it as a "CA Certificate" in settings before connecting!