How to configure StrongSwan IKEv2 VPN with PSK (pre-shared key)?
I'm looking for a configuration instructions for IKEv2 VPN that uses pre-shared keys
instead of certs
(those are different methods for tunnel encryption I'd assume?).
I've followed this wonderful tutorial to get IKEv2 VPN working (with certificate
) and it works.
My question is what needs to be changed so that it would use PSK
instead? I'd assume changes in /etc/ipsec.secrets
and /etc/ipsec.conf
are to be made.
My current ipsec.conf
looks like this:
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@server_name_or_ip
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
UPD: Based on my tinkering and @ChandanK answer, I've made two scripts to deploy a StrongSwan VPN server on a fresh Ubuntu 16.04 install here: https://github.com/truemetal/ikev2_vpn
Assuming that you want to setup your right side with psk. This is fairly easy.
1. remove eap_identity and rightsendcert fields.
2. set rightauth=secret
Now edit /etc/ipsec.secrets file:
1. remove "your_username %any% : EAP "your_password"" line.
2. add ": PSK <your_password>"
Then reread the secrets and restart the service.
$sudo ipsec rereadsecrets
$sudo ipsec reload
$sudo ipsec restart
All set. Follow "Connecting from iOS" and create a new ikev2 vpn connection. In authentication settings select none and put the shared secret key. Hopefully you connect.
Edit:
Based on the comments, configuration changes required to switch to pre-shared key authentication:
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@server_name_or_ip
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
authby=secret
Remove the following line from ipsec.secrets:
server_name_or_ip : RSA "/etc/ipsec.d/private/vpn-server-key.pem
Then reread the secrets and restart the service.
Based on my tinkering and @ChandanK answer, I've made two scripts to deploy a StrongSwan VPN server on a fresh Ubuntu 16.04 install here: https://github.com/truemetal/ikev2_vpn