How to Set Up a VPN Server with StrongSwan IPsec on RHEL 8

December 27, 2025
Linux
Comment off

StrongSwan is a robust open-source IPsec VPN solution that supports IKEv2 and is well-suited for site-to-site and remote-access VPN deployments. On RHEL 8, StrongSwan is available through the EPEL repository and integrates cleanly with firewalld and the system’s certificate infrastructure. This tutorial walks through installing StrongSwan, generating PKI certificates, configuring an IKEv2 road-warrior VPN, and verifying connectivity. By the end you will have a fully operational VPN server accepting client connections on a RHEL 8 host.

Prerequisites

A RHEL 8 server with a public IP address and root or sudo access
EPEL 8 repository enabled (dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm)
A registered domain name or static IP that VPN clients will connect to
firewalld running and managing the active zone
Basic familiarity with PKI concepts (certificates, private keys, CA)

Step 1 — Install StrongSwan

Enable EPEL if you have not already, then install StrongSwan and its utilities:

dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install -y strongswan strongswan-libipsec

Verify the installed version:

strongswan version

Step 2 — Generate PKI Certificates

StrongSwan ships the ipsec pki utility for creating a self-signed CA, a server certificate, and client certificates. Create a working directory and generate the keys:

# Create directory structure
mkdir -p /etc/strongswan/pki/{cacerts,certs,private}
chmod 700 /etc/strongswan/pki

# Generate CA private key
ipsec pki --gen --type rsa --size 4096 
  --outform pem > /etc/strongswan/pki/private/ca.key.pem

# Self-sign the CA certificate (10-year validity)
ipsec pki --self --ca --lifetime 3650 
  --in /etc/strongswan/pki/private/ca.key.pem 
  --type rsa --dn "CN=VPN Root CA" 
  --outform pem > /etc/strongswan/pki/cacerts/ca.cert.pem

# Generate server private key
ipsec pki --gen --type rsa --size 4096 
  --outform pem > /etc/strongswan/pki/private/server.key.pem

# Issue server certificate signed by the CA
# Replace YOUR_SERVER_IP_OR_FQDN with your server's address
ipsec pki --pub 
  --in /etc/strongswan/pki/private/server.key.pem 
  --type rsa | 
  ipsec pki --issue --lifetime 1825 
    --cacert /etc/strongswan/pki/cacerts/ca.cert.pem 
    --cakey /etc/strongswan/pki/private/ca.key.pem 
    --dn "CN=YOUR_SERVER_IP_OR_FQDN" 
    --san "YOUR_SERVER_IP_OR_FQDN" 
    --flag serverAuth --flag ikeIntermediate 
    --outform pem > /etc/strongswan/pki/certs/serverCert.pem

Step 3 — Configure IPsec Connection

Edit the main configuration file /etc/strongswan/ipsec.conf to define the IKEv2 road-warrior connection:

cat > /etc/strongswan/ipsec.conf << 'EOF'
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn myvpn
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    leftid=YOUR_SERVER_IP_OR_FQDN
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rekey=no
    auto=add
EOF

Now configure the secrets file /etc/strongswan/ipsec.secrets with the server certificate reference and a VPN user credential:

cat > /etc/strongswan/ipsec.secrets << 'EOF'
: RSA serverCert.pem
vpnuser : EAP "StrongPassword123!"
EOF
chmod 600 /etc/strongswan/ipsec.secrets

Step 4 — Enable Kernel IP Forwarding

VPN clients need to route traffic through the server, which requires IP forwarding to be enabled persistently:

# Enable immediately
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0

# Persist across reboots
cat >> /etc/sysctl.d/99-vpn.conf << 'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sysctl -p /etc/sysctl.d/99-vpn.conf

Step 5 — Configure Firewalld

Allow IKE/IPsec traffic and enable masquerading so VPN clients can reach the internet through the server:

# Allow IPsec protocols (IKE UDP 500, NAT-T UDP 4500, ESP)
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade

# If you want to restrict to a specific zone (e.g., external)
firewall-cmd --permanent --zone=external --add-service=ipsec
firewall-cmd --permanent --zone=external --add-masquerade

firewall-cmd --reload
firewall-cmd --list-all

Step 6 — Start StrongSwan and Verify

Enable and start the StrongSwan service, then confirm the connection definition is loaded:

systemctl enable --now strongswan
systemctl status strongswan

# List loaded connections
ipsec statusall

# View active Security Associations after a client connects
ipsec status
ipsec listcerts

To test, install a native IKEv2 client on another machine, import ca.cert.pem, and connect using the credentials defined in ipsec.secrets. Successful output shows an established IKEv2 SA and assigned virtual IP in the 10.10.10.0/24 range.

Conclusion

You now have a working StrongSwan IKEv2 VPN server on RHEL 8, complete with a self-signed PKI, EAP-MSCHAPv2 user authentication, and firewalld rules that permit IPsec traffic while masquerading client connections. The configuration uses strong cipher suites and a dedicated virtual IP pool for connecting clients. From here you can issue per-client certificates for certificate-based authentication, expand the user database, or front the VPN with a load balancer for high availability.

Next steps: Issuing Per-Client Certificates with StrongSwan PKI, Integrating StrongSwan with LDAP for User Authentication, and Setting Up a High-Availability VPN with Keepalived on RHEL 8.