VPN server for remote clients using IKEv2
There are different methods for providing a VPN server for roaming (dynamic) clients. Which method to use depends on the clients that need to be supported.
This method uses IKEv2 without EAP, also called "Machine Certificate" based authentication: the gateway and every client authenticate with their own X.509 certificate, with no username/password step.
It is known to work with libreswan clients, as well as Microsoft Windows 7 (and later) clients, and possibly OSX.
Supported clients:
- libreswan
- Windows 7 and up
- Windows Phone (requires latest firmware)
- OSX ?
- iOS (via profile manager only?)
X.509 Certificate requirements
Special care must be taken when generating the X.509 certificates for this method:
- The VPN gateway's certificate must carry the DNS name that clients connect to as a SubjectAltName (SAN) entry.
- The VPN gateway's certificate must have the Extended Key Usage (EKU) serverAuth. It may additionally have EKU clientAuth.
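The two requirements above are easy to get wrong and hard to spot after the fact, so here is an added example (not from the libreswan wiki) that mints a throw-away CA, issues one gateway certificate that meets both rules and one that meets neither, and checks them with the openssl command line. The CA name, the gateway name vpn.example.com and the file layout are all constructed for the example; the only dependency assumed is the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the libreswan wiki: build a test CA plus a good and
# a bad gateway certificate, then check the certificate requirements from the
# page (DNS SAN, EKU serverAuth, chain to the CA). All names are constructed.
set -eu

# write_ext_config DIR FQDN: the extension sections used by the functions below
write_ext_config() {
  cat > "$1/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# what the gateway certificate needs: its DNS name as a SAN entry and
# serverAuth in the EKU (clientAuth is allowed alongside it)
[gw_ext]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2

# a certificate that violates both rules (no SAN, clientAuth only)
[bad_ext]
basicConstraints = CA:false
extendedKeyUsage = clientAuth
EOF
}

# make_ca DIR: self-signed CA as DIR/ca.crt with key DIR/ca.key
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ext.cnf" -extensions ca_ext \
    -subj "/C=CA/O=Libreswan Project/CN=Example VPN CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME EXT_SECTION: CSR plus CA-signed DIR/NAME.crt using the
# named extension section from ext.cnf
issue_cert() {
  dir=$1; name=$2; ext=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ext.cnf" \
    -subj "/C=CA/O=Libreswan Project/CN=vpn.example.com" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_gateway_cert CERT FQDN CAFILE: returns 0 only if CERT satisfies the
# page's two rules and chains to CAFILE, 1 otherwise
check_gateway_cert() {
  cert=$1; fqdn=$2; cafile=$3
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  # rule 1: the gateway's DNS name appears as a SAN entry
  printf '%s\n' "$text" | grep -Eq "DNS:$fqdn(,|\$)" || return 1
  # rule 2: EKU includes serverAuth (openssl prints it under this name)
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  # the certificate must also validate against the CA the clients trust
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  write_ext_config "$dir" vpn.example.com
  make_ca "$dir"
  issue_cert "$dir" gw gw_ext
  issue_cert "$dir" bad bad_ext
  check_gateway_cert "$dir/gw.crt" vpn.example.com "$dir/ca.crt" \
    && echo "gw.crt: usable as the gateway certificate"
  check_gateway_cert "$dir/bad.crt" vpn.example.com "$dir/ca.crt" \
    || echo "bad.crt: rejected (no SAN, no serverAuth)"
  rm -rf "$dir"
}
demo
```

Run the check against the certificate you intend to reference with leftcert= before loading it on the gateway; a certificate that fails rule 1 will typically be accepted by a libreswan client but refused by Windows, which is the kind of client-specific failure that is painful to diagnose from the server log alone.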
ipsec.conf for IKEv2 Machine Certificate VPN server
conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=1.2.3.4
    leftcert=vpn.example.com
    leftid=@vpn.example.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.66.1-192.168.66.254
    # optional rightid with restrictions
    # rightid="C=CA, L=Toronto, O=Libreswan Project, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns1=8.8.8.8
    modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement a bandwidth quota)
    # pam-authorize=yes