How to setup IKEv2 VPN client | Creekside Networks

Introduction

A virtual private network, or VPN, allows you to securely encrypt traffic as it travels through untrusted networks, such as those at the coffee shop, a conference, or an airport.

IKEv2, or Internet Key Exchange v2, is a protocol that allows for direct IPSec tunneling between the server and client. In IKEv2 VPN implementations, IPSec provides encryption for the network traffic. IKEv2 is natively supported on some platforms (OS X 10.11+, iOS 9.1+, and Windows 10) with no additional applications necessary, and it handles client hiccups quite smoothly.

In this tutorial, you’ll learn how to set up Windows, macOS, Ubuntu, iOS, and Android clients. Some contents from internet were referenced in writing this tutorial.

Prerequisites

To complete this tutorial, you will need:

Download CA certificate
- If you are one of the Creekside Networks managed service clients，please download the CA certificate creekside .authority.cer to your device first.
Obtain following information from your IT admin
- VPN server’s domain name, such as ‘vpn.creekside.network’;
- Your VPN user ID and password
Download Android client
- Strongswan Android client 2.3.0

Windows 10

Install CA certificate

It takes a little bit time to install a certificate on Windows 10, please follow the slide below.

win10-install-certs-1

1. Search for mmc.exe, and righ click to Run as administrator.

win10-install-certs-2

2. From the File menu, navigate to Add or Remove Snap-in

win10-install-certs-3

3. Select Certificates from the list of available snap-ins, and click Add.

win10-install-certs-4

4. Select Computer Account and click Next.

win10-install-certs-5

5. Select Local Computer, then click Finish.

win10-install-certs-6

6. Back to the home page

win10-install-certs-7

7. Right click Trusted Root Certificate Store, select All Tasks and click Import.

win10-install-certs-8

8. From the Certificate Import Wizard. Click Next to move past the introduction

win10-install-certs-9

9. On the File to Import screen, press the Browse button.

win10-install-certs-10

10. Select the certificate file creekside.authority, and click Open.

win10-install-certs-11

11. Ensure that the Certificate Store is set to Trusted Root Certification Authorities, and click Next.

win10-install-certs-12

12. Click Finish to import the certificate.

Setup VPN connection

Windows has built-in IKEv2 VPN client. Follow the steps below, you may need to fill the server information at step 4.

VPN provider
- Seletct “Windows (build-in)”
Connection name
- Pick a name easy for you to recognize
- You may use alphabets and numbers.
Server name or address
- fill in your VPN server’s domain name
- Don’t use the name in the slides.
- If you don’t have it, check with your IT admin.
VPN Type
- Use “IKEv2”
Type of sign-in info
- “User name and password”
Username
- The username that IT admin sent to you.
Password
- The VPN user’s password

win10-ikev2-conn-1

1. From right of the task bar，click network icon to call out Network and Internet settings。

win10-ikev2-conn-2

2. Click the VPN menu on the left panel.

win10-ikev2-conn-3

3. Select Add a VPN connection on the right panel.

win10-ikev2-conn-4

4. Enter the VPN server details from IT admin. Don't copy samples above。

win10-ikev2-conn-5

5. Your new VPN connection will be visible under the list of networks. Select the VPN and click Connect. You’ll be prompted for your username and password. Type them in, click OK, and you’ll be connected.

Options: Connect to internet via VPN server

These steps are only applicable if you want to use VPN to bypass censorship in some countries, or you are told by your IT admin do so.

win10-use-remote-gateway-1

1. Under your VPN connection, click Change adapter options under Related settings.

win10-use-remote-gateway-2

2. Right click your VPN connection, then select Properties from the drop down menu.

win10-use-remote-gateway-3

3. Choose Network tab, select Internet Protocol Version 4(TCP/IP4), then click Properties

win10-use-remote-gateway-4

4. Click Advanced...

win10-use-remote-gateway-5

5. Make sure Use default gateway on remote network is checked, Unselect Automatic metric, input 1 in the Interface metric value.

Android

Follow these steps to import the certificate:

Send yourself an email with the CA certificate attached. Save the CA certificate to your downloads folder.
Download the StrongSwan VPN client from the Play Store or APK file from our mirror site.
Open the app. Tap the “more” icon in the upper-right corner (the three dots icon) and select CA certificates.
Tap the “more” icon in the upper-right corner again. Select Import certificate.
Browse to the CA certificate file in your downloads folder and select it to import it into the app.

Now that the certificate is imported into the StrongSwan app, you can configure the VPN connection with these steps:

In the app, tap ADD VPN PROFILE at the top.
Fill out the Server with your VPN server’s domain name or public IP address.
Make sure IKEv2 EAP (Username/Password) is selected as the VPN Type.
Fill out the Username and Password with the credentials you defined on the server.
Deselect Select automatically in the CA certificate section and click Select CA certificate.
Tap the IMPORTED tab at the top of the screen and choose the CA you imported (it will be named “VPN root CA” if you didn’t change the “DN” earlier).
If you’d like, fill out Profile name (optional) with a more descriptive name.

When you wish to connect to the VPN, click on profile you just created in the StrongSwan application.

macOS

Follow these steps to import the certificate:

Double-click the certificate file. Keychain Access will pop up with a dialog that says “Keychain Access is trying to modify the system keychain. Enter your password to allow this.”
Enter your password, then click on Modify Keychain
Double-click the newly imported VPN certificate. This brings up a small properties window where you can specify the trust levels. Set IP Security (IPSec) to Always Trust and you’ll be prompted for your password again. This setting saves automatically after entering the password.

Now that the certificate is important and trusted, configure the VPN connection with these steps:

Go to System Preferences and choose Network.
Click on the small “plus” button on the lower-left of the list of networks.
In the popup that appears, Set Interface to VPN, set the VPN Type to IKEv2, and give the connection a name.
In the Server and Remote ID field, enter the server’s domain name or IP address. Leave the Local ID blank.
Click on Authentication Settings, select Username, and enter your username and password you configured for your VPN user. Then click OK.

Finally, click on Connect to connect to the VPN. You should now be connected to the VPN.

iOS

To configure the VPN connection on an iOS device, follow these steps:

Send yourself an email with the root certificate attached.
Open the email on your iOS device and tap on the attached certificate file, then tap Install and enter your passcode. Once it installs, tap Done.
Go to Settings, General, VPN and tap Add VPN Configuration. This will bring up the VPN connection configuration screen.
Tap on Type and select IKEv2.
In the Description field, enter a short name for the VPN connection. This could be anything you like.
In the Server and Remote ID field, enter the server’s domain name or IP address. The Local ID field can be left blank.
Enter your username and password in the Authentication section, then tap Done.
Select the VPN connection that you just created, tap the switch on the top of the page, and you’ll be connected.

Ubuntu

Ubuntu 16.04

First, let’s download source and build the strongswan package:

cd ~
sudo apt-get install -y libssl-dev libglib2.0-dev libnm-dev
wget http://download.strongswan.org/strongswan-5.6.3.tar.bz2
tar xjf strongswan-5.6.3.tar.bz2
cd ~/strongswan-5.6.3
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 
   --disable-sha2 --disable-fips-prf --disable-gmp --enable-openssl \
   --enable-nm --enable-agent --enable-eap-gtc --enable-eap-md5 \
   --enable-eap-mschapv2 --enable-eap-identity
make
sudo make install

And the network-manager GUI plugin

cd ~
sudo apt-get install -y intltool libgtk-3-dev libsecret-1-dev \
  libnma-dev network-manager-dev libnm-util-dev libnm-glib-dev \
  libnm-glib-vpn-dev libnm-gtk-dev

wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.4.4.tar.bz2

tar xjf NetworkManager-strongswan-1.4.4.tar.bz2
cd ~/NetworkManager-strongswan-1.4.4
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib

make
sudo make install

Ubuntu 18.04

First, we need to install strongswan and network manager plugin.

sudo apt install -y strongswan libcharon-extra-plugins network-manager-strongswan

Setup VPN connections

Ok, now client software is ready, we can set up the VPN connections.

Open System Settings, then select Network;
- Ubuntu 16.04:
  - Click the + sign at the left-bottom corner, choice Interface type to VPN, then click Create;
- Ubuntu 18.04
  - Click the + sign at the right side of VPN list.
A VPN connection type dialog box will pop out, choose IPSec/IKEv2 (Strongswan), click Create;
- Now a configuration dialog box will pop out. fill in information as directed below;
  - Name: Any text you like to name the VPN connection
  - Gateway
    - Address: The VPN server’s domain name IT sent to you.
    - Certificate: Browse to choose the certificate file you received.
  - Client
    - Authentication: Select “EAP”
    - Username: Use the userid that is given to you.
    - Password:
      - Click the icon at the end of input box.
      - Select the 2nd option: Store the password for all users.
      - Input your password
  - Options:
    - Make sure you check the “Request an inner IP address”.
    - Optionally you may also check Enforce UDP encapsulation
    - Leave use IP compression unchecked.
  - Cipher Proposals
    - Leave this section blank.
- Finally click the “Add” button to save the configuration.