StrongSwan is the complete IPsec solution used to secure communication between servers and clients via mutual certificate-based authentication and encryption. This guide documents the necessary implementation steps for the highly secure IKEv2 EAP-TLS protocol, focusing on critical workarounds for seamless ChromeOS integration.
1. Installation
The base installation of StrongSwan on Debian/Ubuntu is straightforward. Using the swanctl
approach for declarative configuration is recommended.
# Installation of required strongSwan packages
apt-get install strongswan strongswan-pki strongswan-swanctl charon-systemd
Critical Host Configuration: IP Forwarding
Since the VPN host functions as a gateway, activating IP forwarding (routing) is mandatory.
# Enable IP forwarding:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1
2. Certificate Infrastructure (CA)
The choice of cryptographic algorithm is crucial for ChromeOS compatibility. While ED25519 is supported by StrongSwan, ECDSA certificates were found to be necessary for client importability into ChromeOS.
Certificate Authority (CA)
The CA should ideally be created on a secured system that does not have direct internet exposure.
# Create the ECDSA key for the CA
pki --gen --type ecdsa --outform pem > ca.key
# Create the CA Cert with a lifetime of 10 years. [The values for C=, O= and CN= must be replaced.]
pki --self --ca --lifetime 3652 --in ca.key --dn "C=DE, O=jeanbruenn.info, CN=jeanbruenn Root CA" --outform pem > ca.crt
# Optional: Create a Certificate Revocation List (CRL)
pki --signcrl --cacert ca.crt --cakey ca.key --lifetime 30 > strongswan.crl
Gateway and Client Certificates
The Gateway certificate is used on the VPN server; an ED25519 key is suitable for this purpose. For the Chromebook client, an ECDSA key is required for successful browser import.
Gateway Setup: The Gateway certificate must be issued with the serverAuth
flag.
# Generate the ED25519 key for the gateway
pki --gen --type ed25519 --outform pem > vpn1.key
# Sign and issue the Gateway certificate
pki --issue --cacert ca.crt --cakey ca.key --type pkcs10 --in vpn1.req --serial 01 --lifetime 1826 --outform pem --flag serverAuth > vpn1.crt
Chromebook Client Setup: The client requires a PKCS#12 file for authentication. ECDSA must be used for the client key to overcome import issues on ChromeOS.
# Generate the ECDSA key for the Chromebook
pki --gen --type ecdsa --outform pem > chromebook.key
# Create the PKCS12 container for client import
openssl pkcs12 -export -inkey chromebook.key -in chromebook.crt -name "chromebook" -certfile ca.crt -caname "jeanbruenn Root CA" -out chromebook.p12
Client Import: The ca.crt
(potentially renamed to .pem
) is added to the Certificate Authorities under chrome://settings/certificates
. The chromebook.p12
is then imported under user certificates.
3. StrongSwan Configuration (swanctl
)
The declarative configuration defines a standard “road warrior” setup with client pools for address assignment.
# /etc/swanctl/conf.d/rw-vpn.conf
connections {
rw {
encap = yes
pools = pool_v4, pool_v6
local {
auth = pubkey
certs = vpn1.crt
id = vpn1.jeanbruenn.info
}
remote {
auth = pubkey
}
children {
rw {
# Local Traffic Selectors: 0.0.0.0/0 and ::/0 enforce Full-Tunnel VPN
local_ts = 0.0.0.0/0,::/0
updown = /usr/lib/ipsec/_updown iptables
}
}
}
}
pools {
pool_v6 {
dns = 2001:4860:4860::8888
addrs = xxxx:xxxx:x:xx:xxxx::x/64
}
pool_v4 {
dns = 8.8.8.8
addrs = 10.8.0.2/24
}
}
4. Advanced Network Troubleshooting (PMTU & NAT)
Operating a full-tunnel VPN requires advanced Linux network tuning to ensure connection stability.
NAT (MASQUERADE Rules)
MASQUERADE rules are used to translate the private VPN addresses to the public IP of the gateway. The policy
clause ensures that only IPsec-tunneled traffic is masked.
# MASQUERADE for IPv4
iptables -t nat -A POSTROUTING -o ens7 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE
# MASQUERADE for IPv6
ip6tables -t nat -A POSTROUTING -o ens7 -m policy --dir out --pol ipsec -j ACCEPT
ip6tables -t nat -A POSTROUTING -o ens7 -j MASQUERADE
PMTU Blackholing Workaround (TCPMSS)
The solution to connection hanging due to PMTU Blackholing is to adjust the MSS (Maximum Segment Size) for TCP SYN packets in the Mangle table.
# Reduces the MSS to prevent PMTU blackholing
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# Disabling PMTU Discovery (as a fallback)
net.ipv4.ip_no_pmtu_disc=1
Sources / See Also
- StrongSwan Documentation. IKEv2 VPN Setup and Configuration Guide.
https://docs.strongswan.org/docs/5.9/config/vpn_setup.html
- StrongSwan Documentation. Creating Certificates with PKI Utility.
https://docs.strongswan.org/docs/5.9/pki/pki-howto.html
- StrongSwan Wiki. Android VPN Client Compatibility and Certificate Issues.
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
- StrongSwan Documentation. Policy-based NAT Traversal (MASQUERADE rules).
https://docs.strongswan.org/docs/5.9/config/routing.html
- Libreswan Project (PMTU). Understanding PMTU Blackholing and the TCPMSS fix.
https://wiki.libreswan.org/wiki/Path_MTU_Discovery_Issues
- OpenSSL Documentation. Creating PKCS#12 (.p12) Bundles.
https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html