Setting up manual IKEv2 connection on Linux

      This guide uses the strongSwan packages to manage the IKEv2/IPsec connection to your organization's private gateway(s) on a Linux machine.

      Don’t want to manage the VPN setup manually? Download the NordLayer app for Linux, install it, log in, and pick the server or gateway you want to connect to.

      This guide is written for Debian-based distributions; however, the steps should work the same on other distributions.

      1. First, make sure your package lists and installed packages are up to date. You can do that by running the following command (both commands need root privileges):
      sudo apt-get update && sudo apt-get upgrade

      2. Install the following packages:
      sudo apt-get install strongswan libcharon-extra-plugins
      

      Note: On Arch-based and some other distributions there is no separate libcharon package, as the plugins are included in the strongswan package. Running pacman -S strongswan should be enough.

      3. Edit the ipsec.secrets file with your NordLayer service credentials username and password.

      You can find these service credentials, as well as your private gateway hostname, on our Downloads page.

      sudo nano /etc/ipsec.secrets
      
      4. Replace Username with your NordLayer service credentials username and your password with your NordLayer service credentials password.

      Your password has to be wrapped in double quotes. Notice the spaces after Username, after ":" and after EAP.

      [Screenshot: the edited /etc/ipsec.secrets line, in the form Username : EAP "password"]

      Next, open the /etc/ipsec.conf file with your preferred text editor.

      You need root privileges, since the file is write-protected from everyone except root.

      sudo nano /etc/ipsec.conf

      [Screenshot: /etc/ipsec.conf opened in the editor]

      5. Add the following connection block to the file:
      conn NordLayer
              keyexchange=ikev2
              dpdaction=clear
              dpddelay=300s
              eap_identity="USERNAME"
              leftauth=eap-mschapv2
              left=%defaultroute
              leftsourceip=%config
              right=SERVER
              rightauth=pubkey
              rightsubnet=0.0.0.0/0
              rightid=%SERVER
              rightca=/etc/ipsec.d/cacerts/NordLayer.pem
              type=tunnel
              auto=add
      

      Replace SERVER (it appears twice, in right= and rightid=) with the hostname of the private gateway you are going to use, and USERNAME with your NordLayer service credentials username.
      For this guide, we used a gateway in the US: right=us1019.nordlayer.com

      6. Open the /etc/strongswan.d/charon/constraints.conf file:
      sudo nano /etc/strongswan.d/charon/constraints.conf
      

      Inside the file, change load = yes to load = no. This disables strongSwan's constraints plugin, which enforces additional checks on the peer's certificate chain.

      7. Download the NordLayer RSA certificate and convert it from DER to the PEM file referenced by rightca= above:
      sudo wget https://downloads.nordlayer.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordLayer.der
      
      sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordLayer.der -out /etc/ipsec.d/cacerts/NordLayer.pem
      
      8. Open the Terminal again (Ctrl+Alt+T) and enter the following command to open the hosts file:
      sudo gedit /etc/hosts
      

      [Screenshot: /etc/hosts opened in gedit]

      At the bottom of the file, add a line containing the private gateway IP address, a space, and the NordLayer server hostname. Then save the file with "Save Changes."
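      As an added example (not NordLayer's or strongSwan's own tooling), the script below renders the three files edited above from variables instead of hand-editing them: the ipsec.secrets line in strongSwan's EAP secret syntax, the ipsec.conf connection block with SERVER and USERNAME filled in, and the hosts entry, which is added only once. It writes under a prefix directory rather than /etc, sets ipsec.secrets to mode 0600 because it holds the password, and refuses a rendered config that still contains the placeholders. The hostname, IP address and credentials in the usage line are constructed values.

```shell
#!/bin/sh
# Added example, not NordLayer's or strongSwan's own tooling. Renders ipsec.secrets,
# the ipsec.conf "conn NordLayer" block from the guide, and the hosts entry from
# variables, writing them under a prefix directory. Hostname, IP address and
# credentials in the usage line at the bottom are constructed values.
set -eu

# strongSwan EAP secret line: <identity> : EAP "<password>". The spaces around ":"
# and after EAP matter. A password containing a double quote is refused rather
# than written as a line strongSwan would misparse.
render_ipsec_secrets() {   # $1=username $2=password -> prints one line
    case "$2" in *\"*) echo "password must not contain a double quote" >&2; return 1 ;; esac
    printf '%s : EAP "%s"\n' "$1" "$2"
}

# The connection block from the guide with SERVER (right= and rightid=) and
# USERNAME filled in.
render_ipsec_conn() {      # $1=gateway hostname $2=username -> prints the block
    cat <<EOF
conn NordLayer
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        eap_identity="$2"
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=$1
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=%$1
        rightca=/etc/ipsec.d/cacerts/NordLayer.pem
        type=tunnel
        auto=add
EOF
}

# Append "IP hostname" to a hosts file only if the hostname is not mapped already,
# so repeated runs do not pile up duplicate entries.
add_hosts_entry() {        # $1=hosts file $2=IPv4 address $3=hostname
    case "$2" in *[!0-9.]*|"") echo "not an IPv4 address: $2" >&2; return 1 ;; esac
    [ -f "$1" ] || : > "$1"
    if grep -qE "^[^#]*[[:space:]]$3([[:space:]]|\$)" "$1"; then
        return 0
    fi
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# Fails if the guide's placeholders survived into the rendered config.
check_no_placeholders() {  # $1=file -> status 0 when clean
    ! grep -qwE 'SERVER|USERNAME' "$1"
}

# Write all three files under $1/etc; ipsec.secrets gets mode 0600 because it
# holds the service password in clear text.
write_all() {              # $1=prefix dir $2=gateway hostname $3=gateway IP $4=username $5=password
    mkdir -p "$1/etc"
    render_ipsec_secrets "$4" "$5" > "$1/etc/ipsec.secrets"
    chmod 600 "$1/etc/ipsec.secrets"
    render_ipsec_conn "$2" "$4" > "$1/etc/ipsec.conf"
    check_no_placeholders "$1/etc/ipsec.conf"
    add_hosts_entry "$1/etc/hosts" "$3" "$2"
}

# Usage (constructed values; writes under a scratch directory, not /etc):
# write_all /tmp/nordlayer-demo us1019.nordlayer.com 203.0.113.10 alice 's3cret'
```

      Run it with a scratch prefix first and compare the rendered files against the ones in this guide; only then copy them into /etc as root. Keeping the secrets file at mode 0600 matches what strongSwan expects and keeps other local users from reading the service password.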

      9. Now, restart ipsec to reload all configuration files:
      sudo ipsec restart
      

      If there are any typos in /etc/ipsec.conf, you will be notified when the service tries to start.

      10. After it's done, you can connect by running this command:
      sudo ipsec up NordLayer
      

      This command should show the output "Connection NordLayer has been established successfully".

      11. To disconnect, simply run:
      sudo ipsec down NordLayer
      
      12. If you have any issues with the setup, you can get the logs from this location and send them to our support:
      sudo cat /var/log/syslog
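      The whole syslog is long and mostly unrelated to the VPN. As an added example (not NordLayer's or strongSwan's own tooling), the functions below pull out only the lines written by charon, strongSwan's IKE daemon, and classify the last connection attempt by its final diagnostic event, so you can see whether it was a credential problem, a missing CA certificate, or an unreachable gateway before sending anything to support. The sample log lines are constructed for this example and only modelled on charon's message format; the hostnames and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example, not NordLayer's or strongSwan's own tooling. Extracts the charon
# (strongSwan IKE daemon) lines from a syslog file and classifies the last attempt.
# The sample log lines in sample_syslog are constructed and only modelled on
# charon's message format; hostnames and addresses in them are placeholders.
set -eu

# Only the daemon's own lines matter for the VPN; the rest of syslog is noise
# (and may contain unrelated data you would rather not send anywhere).
charon_excerpt() {   # $1=syslog file -> prints the charon lines
    grep ' charon: ' "$1" || true
}

# Classify by the last diagnostic event seen: ESTABLISHED, AUTH_FAILED (wrong
# service credentials), NO_TRUSTED_CA (rightca= certificate missing or unreadable),
# PEER_UNREACHABLE (no answer from the gateway IP), or UNKNOWN.
diagnose_charon() {  # $1=syslog file -> prints one word
    status=UNKNOWN
    while IFS= read -r line; do
        case "$line" in *" charon: "*) ;; *) continue ;; esac
        case "$line" in
            *"CHILD_SA NordLayer"*established*)              status=ESTABLISHED ;;
            *"EAP_MSCHAPV2 failed"*|*AUTHENTICATION_FAILED*)  status=AUTH_FAILED ;;
            *"no trusted RSA public key"*)                   status=NO_TRUSTED_CA ;;
            *"giving up after"*retransmit*)                  status=PEER_UNREACHABLE ;;
        esac
    done < "$1"
    echo "$status"
}

# Constructed sample logs for three scenarios: ok, authfail, noca.
sample_syslog() {    # $1=scenario -> prints syslog lines
    cat <<'EOF'
Feb  2 17:49:29 laptop kernel: [ 1234.567890] wlan0: associated
Feb  2 17:49:30 laptop systemd[1]: Starting strongSwan IPsec services...
Feb  2 17:50:01 laptop charon: 05[IKE] initiating IKE_SA NordLayer[1] to 203.0.113.10
EOF
    case "$1" in
        ok) cat <<'EOF'
Feb  2 17:50:01 laptop charon: 07[IKE] authentication of 'us1019.nordlayer.com' with RSA signature successful
Feb  2 17:50:02 laptop charon: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb  2 17:50:02 laptop charon: 09[IKE] IKE_SA NordLayer[1] established between 192.0.2.7[alice]...203.0.113.10[us1019.nordlayer.com]
Feb  2 17:50:02 laptop charon: 09[IKE] CHILD_SA NordLayer{1} established with SPIs c0a80001_i c0a80002_o and TS 10.8.0.5/32 === 0.0.0.0/0
EOF
        ;;
        authfail) cat <<'EOF'
Feb  2 17:50:01 laptop charon: 07[IKE] authentication of 'us1019.nordlayer.com' with RSA signature successful
Feb  2 17:50:02 laptop charon: 09[IKE] EAP method EAP_MSCHAPV2 failed
Feb  2 17:50:02 laptop charon: 09[IKE] received AUTHENTICATION_FAILED notify error
EOF
        ;;
        noca) cat <<'EOF'
Feb  2 17:50:01 laptop charon: 07[IKE] no trusted RSA public key found for 'us1019.nordlayer.com'
EOF
        ;;
    esac
}

# Usage on a real machine (needs root to read the file, as in the step above):
# sudo sh -c '. ./diagnose.sh; diagnose_charon /var/log/syslog; charon_excerpt /var/log/syslog'
```

      AUTH_FAILED points back to the ipsec.secrets line and the eap_identity value; NO_TRUSTED_CA points to the certificate download and conversion step; ESTABLISHED with no working traffic points elsewhere (routing or the hosts entry). The excerpt, rather than the full syslog, is what is worth sending to support.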
      

      Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.

