strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH

I prefer strongSwan over Openswan because it’s still in active development, easier to setup and doesn’t require a L2TP daemon. I prefer a simple IKEv1 setup using PSK and XAUTH over certificates. If you plan to share your VPN server with your friends it’s also a lot easier to setup for them without certificates. I haven’t tried the VPN configuration below with non-Apple clients but it works well with iOS and OS X clients. Make sure to use the Cisco IPSec VPN profile, not the L2TP over IPSec profile you need for Openswan. While strongSwan works well with KVM and Xen containers, it probably won’t work with non-virtualised containers like OpenVZ or LXC.

strongSwan 5 has been modularised in Ubuntu 14.04 so we need to install the required plugins using apt-get as well:

apt-get install strongswan strongswan-plugin-xauth-generic

/etc/ipsec.secrets (replace with the server’s public IP address) %any : PSK "replace but leave the quotes"

jan : XAUTH "janspassword"
someone : XAUTH "anotherpassword"


config setup

conn ios

That’s already all we need for strongSwan. Restart it using

service strongswan restart

Make sure to allow IPv4 packet forwarding in /etc/sysctl.conf:


And reload the changes using:

sysctl -p

We also need a NAT rule:

/sbin/iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

I’m NATing the entire 10/8 for VPN usage and assign different /24’s to different VPN softwares. This way I just need one NAT rule for everything.

Here’s a sample inbound-only firewall script which also covers OpenVPN and Iodine ports:


# Flush old rules, old custom tables
/sbin/iptables --flush
/sbin/iptables --flush -t nat
/sbin/iptables --delete-chain

# Set default policies for all three default chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow VPN forwarding
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
/sbin/iptables -A FORWARD -i dns+ -j ACCEPT
/sbin/iptables -A FORWARD -o dns+ -j ACCEPT

# Accept limited inbound ICMP messages
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 5 --hitcount 10 -j DROP
/sbin/iptables -A INPUT -p icmp -j ACCEPT

# All TCP sessions should begin with SYN
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0/0 -j DROP

# Accept inbound TCP packets
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Accept inbound UDP packets
/sbin/iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT

# Accept IPSEC packets
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -p 50 -j ACCEPT
/sbin/iptables -A INPUT -p 51 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

11 thoughts on “strongSwan 5 based IPSec VPN, Ubuntu 14.04 LTS and PSK/XAUTH

  1. Hi,

    I have followed your guide on setting this up on Ubuntu 14.04 and I’m having an issue with authentication.

    When trying to connect the VPN from my iPhone I get the following error “VPN Connection – User authentication failed.” almost immediately.

    Specifying the wrong secret on the iPhone client yields a longer time-out before a different error, so seems that this has been set correctly.

    auth.log is showing “localhost charon: 01[IKE] is initiating a Main Mode IKE_SA” when trying to connect. There are no other errors showing in this log file when the connection fails to authenticate.

    Is this just a case that I have not specified the xauth user somewhere? I have tried this with two accounts setup on the ubuntu server (including root).

    Any pointers you can provide would be appreciated.

  2. Nate, I accidentally truncated a line in ipsec.secrets. Yes, you’re right, the XAUTH entry was missing. Thanks for the heads up!


  3. Thanks!! added the user details to ipsec.secrets, restarted the strongswan service and I was able to authenticate.

    I’m glad it was something trivial!

    Thanks for the help.

    • guys i dont get how the ipsec.secret should look like ? can u post an working example ?
      btw i have the same error as Nate had

  4. Hi!

    I used your ipsec.conf and when I try to start Strongswan it gave me this error:
    start: Job failed to start

    I then typed ipsec start and I get the following error:
    Starting strongSwan 5.1.2 IPsec [starter]…
    /etc/ipsec.conf:6: syntax error, unexpected FIRST_SPACES [ ]
    unable to start strongSwan — fatal errors in config

    • I had the same problem. Deleting all file contents and just pasting the new configuration into the file solved the problem for me.

  5. Hi,

    I have followed the guide. My andriod phone connects no problems, however once its connected I still can’t ping anything.
    Can’t ping either of the interfaces eth0 (external) or eth1 (internal) and cant ping the phone either. It gets an IP and I can see the rule appear in /var/log/syslog. Any chance you could help?
    I have setup exactly as above…



  6. I followed your easy through instructions all the way. Both my android and ios can connect to the server, however there is no data going through……any directions you wanna point me to? very much appreciated mate.

    • Mike, four things come to mind:
      a) It’s just a DNS problem, ping may be working
      b) MASQUERADE rule issue
      c) Paket forwarding is not enabled
      d) Try iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT as well just to make sure it’s not a firewall issue.

      But other than that, I don’t know.


Leave a Reply

Your email address will not be published. Required fields are marked *