Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6

August 23, 2012 at 10:21 AM | categories: Centos, Mac OS X, Howto, Sysadmin, RHEL, Linux, Tips, Security, IPSEC | View Comments


This howto describes setting up an IPSEC VPN for use with the Iphone, Ipad and Mac OSX VPN clients on Centos/RHEL 6. I am using the 5.x branch of Strongswan which is now the mainline actively maintained branch. At the time of writing the 5.x EPEL package was only available in the testing repo.

The configuration should work both with NAT and without NAT on both sides, if you are NATing on the server side make sure your forward UDP 500 and 4500 to the machine running strongswan.

This howto uses example.org and and networks for illustration purposes, you need to change these to suit your own setup.


To access the EPEL packages you need to enable the EPEL repo. You are then able to install the strongswan package.

yum install --enablerepo=epel-testing strongswan

Create the required configuration directories

mkdir -p /etc/strongswan/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private}


Create a CA

For RSA authentication you need to setup a CA which will issue the certificates to be used by the server and the clients.

cd /etc/pki/tls/misc
./CA -newca
echo 00 > /etc/pki/CA/crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem

Install to strongswan directories

ln -s /etc/pki/CA/cacert.pem /etc/strongswan/ipsec.d/cacerts/
ln -s /etc/pki/CA/crl.pem /etc/strongswan/ipsec.d/crls/

Create the server certificate

Apple clients require that the servers certificate subjectAltName attribute contain either the server IP address or server DNS name. To ensure the server certificate contains the subjectAltName attribute edit the openssl.cnf and set it under the [ usr_cert ] section

For DNS name set it to


For IP address set it to


Now generate and sign the server certitifcate

./CA -newreq
./CA -sign

Install to strongswan directories.

mv newcert.pem /etc/strongswan/ipsec.d/certs/vpn.example.org.pem
mv newkey.pem /etc/strongswan/ipsec.d/private/vpn.example.org.key

Add the private key password to /etc/strongswan/ipsec.secrets

: RSA vpn.example.org.key "p4ssw0rd"

Create the client certificate

This is the certificate that will be used by you VPN clients ie Ipad/Iphone, edit the openssl.cnf and comment out the subjectAltName attribute setting.

Now generate and sign the client certificate, do this for all the clients you expect to use.

./CA -newreq
./CA -sign
openssl pkcs12 -export -in ipad.example.org.pem -inkey ipad.example.org.key \
 -certfile /etc/pki/CA/cacert.pem -out ipad.p12

You now need to import the CA certificate and the client p12 certificate on to the device. You need to download the Iphone configuration utility and use it to import the certificates to your device.

Iphone configuration utility;

Add the username and password to /etc/strongswan/ipsec.secrets

andrew : XAUTH "5tr0ngp4ss0rd"

Create strongswan configuration

Edit /etc/strongswan/ipsec.conf with the following content.

config setup

conn %default

conn rw-xauth

The above setup assumes the network behind the vpn is and virtual IP addresses will be assigned to VPN clients from the network block.

Enable packet forwarding

If your system is not setup for packet forwarding enable it.

echo 1 > /proc/sys/net/ipv4/ip_forward

Edit /etc/sysctl.conf and set

net.ipv4.ip_forward = 1


Start strongswan.

service strongswan start

Check /var/log/messages and /var/log/secure for any errors.

Ipad configuration

  • Launch Settings then select General > Network > VPN > Add VPN Configuration
  • Toggle VPN type to IPSec

Set the Fields

Description      Strongswan-IPSEC
Server           vpn.example.org
Account          andrew
Password         5tr0ngp4ss0rd
Use Certificate  ON
Certificate      ipad.example.org

A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.

Related articles

blog comments powered by Disqus