StrongSwan VPN: Mastering IKEv2 EAP-TLS and ChromeOS Client Integration

StrongSwan is an open-source IPsec implementation that secures traffic between a gateway and its clients with mutual certificate-based authentication and encryption. This guide documents the implementation steps for an IKEv2 road-warrior setup with certificate authentication, focusing on the workarounds needed for a seamless ChromeOS integration. One caveat up front: the swanctl configuration in section 3 authenticates both sides with plain certificates (auth = pubkey) rather than EAP-TLS as the title suggests; the certificate work in section 2 is the same either way.

1. Installation

The base installation of StrongSwan on Debian/Ubuntu is straightforward. Configuration via swanctl (declarative files under /etc/swanctl/, loaded through the vici interface) is recommended over the legacy ipsec.conf format.

# Installation of required strongSwan packages
apt-get install strongswan strongswan-pki strongswan-swanctl charon-systemd

Critical Host Configuration: IP Forwarding

Since the VPN host functions as a gateway for the clients' traffic, enabling IP forwarding (routing) is mandatory; without it clients establish the tunnel but reach nothing beyond the gateway. Put the two settings in /etc/sysctl.conf or a file under /etc/sysctl.d/ and apply them with sysctl --system.

# Enable IP forwarding for IPv4 and IPv6:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

2. Certificate Infrastructure (CA)

The choice of key algorithm is crucial for ChromeOS compatibility. While StrongSwan supports Ed25519 keys, the ChromeOS certificate manager would not import an Ed25519 client bundle, so an ECDSA key turned out to be necessary for the client certificate.

Certificate Authority (CA)

The CA should ideally be created on a secured system that does not have direct internet exposure.

# Create the ECDSA key for the CA
pki --gen --type ecdsa --outform pem > ca.key

# Create the CA Cert with a lifetime of 10 years. [The values for C=, O= and CN= must be replaced.]
pki --self --ca --lifetime 3652 --in ca.key --dn "C=DE, O=jeanbruenn.info, CN=jeanbruenn Root CA" --outform pem > ca.crt

# Optional: Create a Certificate Revocation List (CRL)
pki --signcrl --cacert ca.crt --cakey ca.key --lifetime 30 > strongswan.crl

Gateway and Client Certificates

The Gateway certificate is used on the VPN server; an Ed25519 key is suitable there, since the client only has to verify the gateway's signature and never imports that key. For the Chromebook client, an ECDSA key is required for a successful import into ChromeOS.

Gateway Setup: The Gateway certificate must be issued with the serverAuth flag, and its subjectAltName must match the identity the gateway presents (id = vpn1.jeanbruenn.info in the swanctl configuration below); otherwise clients reject the gateway. The original steps skipped the certificate request that the --type pkcs10 issuance expects, so it is added here. [The values for C=, O=, CN= and the SAN must be replaced.]

# Generate the ED25519 key for the gateway
pki --gen --type ed25519 --outform pem > vpn1.key

# Create the certificate request; the SAN has to match the gateway identity
pki --req --type priv --in vpn1.key --dn "C=DE, O=jeanbruenn.info, CN=vpn1.jeanbruenn.info" --san vpn1.jeanbruenn.info --outform pem > vpn1.req

# Sign and issue the Gateway certificate (5 years); subject and SAN are taken from the request
pki --issue --cacert ca.crt --cakey ca.key --type pkcs10 --in vpn1.req --serial 01 --lifetime 1826 --outform pem --flag serverAuth > vpn1.crt

On the gateway, vpn1.crt goes to /etc/swanctl/x509/, vpn1.key to /etc/swanctl/private/ and ca.crt to /etc/swanctl/x509ca/.

Chromebook Client Setup: The client requires a PKCS#12 file holding its private key, its certificate and the CA certificate. ECDSA must be used for the client key to overcome the import issues on ChromeOS. The original steps skipped issuing chromebook.crt, so the --issue step is added here; the DN and SAN are placeholders to replace.

# Generate the ECDSA key for the Chromebook
pki --gen --type ecdsa --outform pem > chromebook.key

# Issue the client certificate from the public key, with the clientAuth flag
pki --pub --in chromebook.key | pki --issue --cacert ca.crt --cakey ca.key --dn "C=DE, O=jeanbruenn.info, CN=chromebook" --san chromebook@jeanbruenn.info --serial 02 --lifetime 1826 --flag clientAuth --outform pem > chromebook.crt

# Create the PKCS12 container for client import (openssl prompts for an export password)
openssl pkcs12 -export -inkey chromebook.key -in chromebook.crt -name "chromebook" -certfile ca.crt -caname "jeanbruenn Root CA" -out chromebook.p12

Client Import: The ca.crt (renamed to .pem if the file picker does not accept .crt) is added to the Certificate Authorities under chrome://settings/certificates. The chromebook.p12 is then imported under user certificates, using the export password chosen above.

3. StrongSwan Configuration (swanctl)

The declarative configuration defines a standard "road warrior" setup: clients may connect from any address, and virtual addresses are assigned from the pools. Both sides use auth = pubkey, i.e. plain certificate authentication; if EAP-TLS is actually wanted, the remote section becomes auth = eap-tls with an eap_id = %any, which requires the eap-tls plugin. Note that the remote section carries no id, so any certificate that chains to a CA in /etc/swanctl/x509ca/ is accepted; keep that directory limited to your own CA, or pin identities with remote { id = ... }. Adding version = 2 to the connection refuses IKEv1 altogether. After editing, load the configuration with swanctl --load-all.

# /etc/swanctl/conf.d/rw-vpn.conf

connections {
  rw {
    encap = yes
    pools = pool_v4, pool_v6

    local {
      auth = pubkey
      certs = vpn1.crt
      id = vpn1.jeanbruenn.info
    }

    remote {
      auth = pubkey
    }

    children {
      rw {
        # Local traffic selectors 0.0.0.0/0 and ::/0: the gateway offers to carry all client traffic (full tunnel)
        local_ts  = 0.0.0.0/0,::/0
        updown = /usr/lib/ipsec/_updown iptables
      }
    }
  }
}

pools {
  pool_v6 {
    dns = 2001:4860:4860::8888
    addrs = xxxx:xxxx:x:xx:xxxx::x/64
  }
  pool_v4 {
    dns = 8.8.8.8
    addrs = 10.8.0.2/24
  }
}

4. Advanced Network Troubleshooting (PMTU & NAT)

Operating a full-tunnel VPN requires advanced Linux network tuning to ensure connection stability.

NAT (MASQUERADE Rules)

MASQUERADE translates the clients' pool addresses to the gateway's public address on its uplink interface (ens7 here; substitute your own). Read the two rules in order: the first uses the policy match to ACCEPT, that is to exempt from NAT, packets that will leave ens7 IPsec-protected. Those are the replies travelling back into the tunnel towards a client; if they were rewritten to the gateway's address they would no longer match any tunnel. Everything else leaving ens7, the clients' decapsulated traffic towards the Internet, falls through to MASQUERADE. The ip6tables rules work the same way; if the IPv6 pool is a routed prefix of your own, the IPv6 MASQUERADE can be left out and the pool addresses used end to end.

# MASQUERADE for IPv4
iptables -t nat -A POSTROUTING -o ens7 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE

# MASQUERADE for IPv6
ip6tables -t nat -A POSTROUTING -o ens7 -m policy --dir out --pol ipsec -j ACCEPT
ip6tables -t nat -A POSTROUTING -o ens7 -j MASQUERADE

PMTU Blackholing Workaround (TCPMSS)

Inside the tunnel every TCP segment is wrapped in an inner IP header, ESP framing (SPI, sequence number, IV, padding, ICV), the NAT-T UDP header and the outer IP header, so the effective MTU is noticeably below the 1500 bytes of the path. A client that sizes its segments for 1500 produces ESP packets that need fragmentation; when the ICMP Fragmentation Needed / Packet Too Big messages are filtered somewhere on the path, nothing tells the sender to shrink its packets and connections hang right after the handshake (PMTU blackholing). The workaround is to rewrite the MSS option of TCP SYN packets in the mangle table, in both directions, so both ends agree on a segment size that fits. The rules below only touch SYNs advertising an MSS between 1361 and 1536 and lower it to 1360; iptables also offers --clamp-mss-to-pmtu as an alternative to a fixed value.

# Reduce the MSS on SYNs entering from the tunnel and on SYNs leaving towards the tunnel
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# Disabling PMTU Discovery (fallback): the gateway stops setting the DF bit on packets it originates, so they can be fragmented in transit. This is a blunt fallback, not a substitute for the MSS clamp.
net.ipv4.ip_no_pmtu_disc=1
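The numbers in these rules can be derived rather than guessed. The block below is an added example, not code from this page or from strongSwan: it walks the ESP framing of RFC 4303 (SPI and sequence number, IV, padding, pad length and next header, ICV) plus the NAT-T UDP header and the outer IP header, and computes the largest TCP MSS that fits a given path MTU for an IPv4 or IPv6 outer header, an IPv4 or IPv6 inner packet and two transforms. The transforms (AES-256-GCM-16 and AES-256-CBC with HMAC-SHA2-256-128) and the 1500-byte path MTU are assumptions; the page does not state which proposals the ChromeOS client negotiates. It runs offline with no dependencies.

```python
"""Path-MTU budget for an IKEv2/ESP tunnel with NAT-T: where a TCPMSS clamp comes from.

Added example for this page (not strongSwan code). The transforms and the
1500-byte path MTU are assumptions; check the negotiated ESP proposal with
swanctl --list-sas and the real path MTU before trusting any single number.
"""

# ESP transform parameters: (IV length, ICV length, alignment of the encrypted portion).
# RFC 4106 (AES-GCM): 8-byte IV, 16-byte ICV, 4-byte alignment.
# RFC 3602 + RFC 4868 (AES-CBC, HMAC-SHA2-256-128): 16-byte IV, 16-byte ICV, 16-byte blocks.
TRANSFORMS = {
    "aes256gcm16": (8, 16, 4),
    "aes256-sha256": (16, 16, 16),
}

ESP_SPI_SEQ = 8      # SPI (4) + sequence number (4), RFC 4303 section 2
ESP_TRAILER = 2      # Pad Length (1) + Next Header (1), inside the encrypted portion
UDP_HEADER = 8       # NAT-T encapsulation, RFC 3948 (swanctl: encap = yes)
IP_HEADER = {4: 20, 6: 40}
TCP_HEADER = 20      # MSS is defined net of the TCP header, options not counted


def max_inner_packet(path_mtu, outer_ip=4, transform="aes256gcm16", nat_t=True):
    """Largest tunnelled IP packet that fits one unfragmented ESP packet on the path."""
    iv_len, icv_len, align = TRANSFORMS[transform]
    # Bytes left for the encrypted portion (inner packet + padding + trailer).
    budget = path_mtu - IP_HEADER[outer_ip] - (UDP_HEADER if nat_t else 0)
    budget -= ESP_SPI_SEQ + iv_len + icv_len
    # The encrypted portion must be a multiple of the transform's alignment.
    encrypted = (budget // align) * align
    return encrypted - ESP_TRAILER


def max_tcp_mss(path_mtu, outer_ip=4, inner_ip=4, transform="aes256gcm16", nat_t=True):
    """Largest TCP MSS a peer may advertise without forcing ESP fragmentation."""
    inner = max_inner_packet(path_mtu, outer_ip, transform, nat_t)
    return inner - IP_HEADER[inner_ip] - TCP_HEADER


def safe_clamp(path_mtu, transforms=tuple(TRANSFORMS), nat_t=True):
    """Clamp value safe for every outer/inner IP version and every transform given."""
    return min(
        max_tcp_mss(path_mtu, outer, inner, name, nat_t)
        for outer in (4, 6) for inner in (4, 6) for name in transforms
    )


def tcpmss_rules(mss, table_max=1536):
    """The two mangle rules from this page, parameterised by the computed clamp."""
    tmpl = ("iptables -t mangle -A FORWARD -m policy --pol ipsec --dir {d} "
            "-p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss {lo}:{hi} "
            "-j TCPMSS --set-mss {mss}")
    return [tmpl.format(d=d, lo=mss + 1, hi=table_max, mss=mss) for d in ("in", "out")]


if __name__ == "__main__":
    for outer in (4, 6):
        for inner in (4, 6):
            for name in TRANSFORMS:
                print(f"outer IPv{outer} inner IPv{inner} {name:14s} "
                      f"max MSS {max_tcp_mss(1500, outer, inner, name)}")
    clamp = safe_clamp(1500)
    print(f"conservative clamp for a 1500-byte path: {clamp}")
    print("\n".join(tcpmss_rules(clamp)))
```

For a 1500-byte path the results range from 1398 (IPv4 over IPv4, AES-GCM) down to 1346 (IPv6 over IPv6, AES-CBC with SHA-256). The 1360 used above is therefore below every IPv4 combination but slightly above the IPv6-over-IPv6 limits (1358 with AES-GCM, 1346 with AES-CBC), which is worth rechecking if IPv6 clients still stall; run the script with your real path MTU and negotiated transform and take the minimum.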
