Modern operating systems (such as Windows 7 and newer) support the IKEv2 standard. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains <ahref="https://en.wikipedia.org/wiki/Internet_Key_Exchange#Improvements_with_IKEv2"target="_blank">improvements</a> such as Standard Mobility support through MOBIKE, and improved reliability.
Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with:
**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully <ahref="https://github.com/hwdsl2/setup-ipsec-vpn"target="_blank">set up your own VPN server</a>, and (optional but recommended) <ahref="../README.md#upgrade-libreswan"target="_blank">upgraded Libreswan</a> to the latest version. **Docker users, see <a href="https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn" target="_blank">here</a>**.
The <ahref="../extras/ikev2setup.sh"target="_blank">script</a> must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you want to generate certificates for additional VPN clients, just run the script again.
**Note:** If your server (or Docker host) runs Debian or CentOS/RHEL and you wish to enable MOBIKE support, replace `mobike=no` with `mobike=yes` in the command above. **DO NOT** enable this option on Ubuntu systems.
**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`.
**Note:** You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc. To connect multiple VPN clients simultaneously, you must generate a unique certificate for each.
**Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To revoke a client certificate, follow [these steps](#revoke-a-client-certificate). For other `certutil` usage, read <ahref="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil"target="_blank">here</a>.
Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure your VPN clients.
**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you want to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in the previous section.
1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates".
1. (Optional) Enable stronger ciphers by adding the registry key `NegotiateDH2048_AES256` and reboot. Read more <ahref="https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048"target="_blank">here</a>.
First, securely transfer `vpnclient.p12` to your Mac, then double-click to import into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain.
First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use:
1. AirDrop, or
1. Upload the files to your device, tap them in the "Files" app, then go to "Settings" and import, or
1. Host the files on a secure website of yours, then download and import them in Mobile Safari.
When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles.
Once successfully connected, you can verify that your traffic is being routed properly by <ahref="https://www.google.com/search?q=my+ip"target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
If you want to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in [this section](#manually-set-up-ikev2-on-the-vpn-server).
## Revoke a client certificate
In certain circumstances, you may need to revoke a previously generated VPN client certificate. This can be done using `crlutil`. See example steps below, commands must be run as `root`.
1. Check the database, and identify the nickname of the client certificate you want to revoke.
```bash
certutil -L -d sql:/etc/ipsec.d
```
```
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
IKEv2 VPN CA CTu,u,u
($PUBLIC_IP) u,u,u
vpnclient-to-revoke u,u,u
```
In this example, we will revoke the certificate with nickname `vpnclient-to-revoke`, issued by `IKEv2 VPN CA`.
1. Find the serial number of this client certificate.
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "O=IKEv2 VPN,CN=IKEv2 VPN CA"
This Update: Sat Jun 06 22:00:00 2020
CRL Extensions:
```
1. Add the client certificate you want to revoke to the CRL. Here we specify the certificate's serial number in decimal, and the revocation time in GeneralizedTime format (YYYYMMDDhhmmssZ) in UTC.
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "O=IKEv2 VPN,CN=IKEv2 VPN CA"
This Update: Sat Jun 06 22:02:00 2020
Entry 1 (0x1):
Serial Number:
00:cd:69:ff:74
Revocation Date: Sat Jun 06 22:01:00 2020
CRL Extensions:
```
**Note:** If you want to remove a certificate from the CRL, replace `addcert 3446275956 20200606220100Z` above with `rmcert 3446275956`. For other `crlutil` usage, read <ahref="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_crlutil"target="_blank">here</a>.
1. Finally, let Libreswan re-read the updated CRL.
1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the <ahref="clients.md"target="_blank">IPsec/L2TP</a> or <ahref="clients-xauth.md"target="_blank">IPsec/XAuth</a> mode.
1. Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more <ahref="https://github.com/hwdsl2/setup-ipsec-vpn/issues/414#issuecomment-460495258"target="_blank">here</a>.
1. If using the strongSwan Android VPN client, you must <ahref="../README.md#upgrade-libreswan"target="_blank">upgrade Libreswan</a> on your server to version 3.26 or above.
1. If your VPN client can connect but cannot open any website, try editing `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=` under section `conn ikev2-cp` and delete `aes_gcm-null,`. Save the file and run `service ipsec restart`.
