Setting up a VPN (Virtual Private Network) is one of the best ways to protect your internet traffic. IKEv2 is a strong, modern VPN protocol that works fast and stays stable—especially on phones. StrongSwan is free software that helps you run IKEv2 on your own server.
In this guide, I’ll walk you through how I set up an IKEv2 VPN using StrongSwan on my Debian server. It may sound complicated, but I’ll keep things simple and clear. You’ll learn what each part means, what it does, and why it matters.
You don’t need to be a computer genius. If you can follow steps and don’t mind a bit of command-line typing, you’re good to go. I’ve done this a few times myself, and once I understood the basics, it got much easier.
Oh, and don’t worry—no dragons to fight. Just a few config files and one or two “wait, what?” moments.
What Is IKEv2?
IKEv2 stands for Internet Key Exchange version 2. It’s a VPN protocol that creates a secure tunnel between your device and the server.
Here’s why I like IKEv2:
- It’s stable and reconnects fast if your internet drops.
- It works great on phones and laptops.
- It supports strong encryption (that’s just a fancy word for “scrambling your data so others can’t read it”).
What Is StrongSwan?
StrongSwan is a program that lets you create an IKEv2 VPN server. It’s open-source, safe, and works well on Linux. It handles all the hard parts like key exchange, tunneling, and encryption.
So basically, IKEv2 is the method, and StrongSwan is the tool.
What You’ll Need
Before we begin, you’ll need a few things:
- A VPS or dedicated server with Debian 11 or 12
- Root access (so you can make system-level changes)
- A domain name (optional, but helpful for mobile clients)
- Patience (helpful when debugging typos)
Here’s what I used in my own setup:
- Debian 11 VPS from Hetzner
- Domain: vpn.example.com
- IP address: 123.123.123.123
If you’ve got that ready, let’s roll.
Step 1: Update Your Server
First, log in to your server using SSH:
ssh root@123.123.123.123
Then, update the system:
apt update && apt upgrade -y
A clean system is a happy system.
Step 2: Install StrongSwan and Dependencies
Now, install the packages you need:
apt install strongswan strongswan-pki libcharon-extra-plugins -y
This installs:
- StrongSwan core
- PKI (for making certificates)
- Extra plugins for things like EAP (used for login)
Step 3: Create VPN Certificates
You need certificates to prove your server is real and to secure your connection.
1. Make a folder to store them:
mkdir -p ~/pki/{cacerts,certs,private}
cd ~/pki
2. Create a certificate authority (CA):
ipsec pki --gen --outform pem > private/ca-key.pem
ipsec pki --self --ca --lifetime 3650 --in private/ca-key.pem \
--type rsa --dn "CN=VPN Root CA" --outform pem > cacerts/ca-cert.pem
This is like saying, “I trust myself to create valid certificates.”
3. Create a certificate for your VPN server:
ipsec pki --gen --outform pem > private/server-key.pem
ipsec pki --pub --in private/server-key.pem --type rsa | \
ipsec pki --issue --lifetime 1825 \
--cacert cacerts/ca-cert.pem \
--cakey private/ca-key.pem \
--dn "CN=vpn.example.com" \
--san "vpn.example.com" \
--flag serverAuth --flag ikeIntermediate \
--outform pem > certs/server-cert.pem
Replace vpn.example.com with your actual domain name.
Step 4: Move Certificates
Copy the certificates to where StrongSwan expects them:
cp -r cacerts /etc/ipsec.d/
cp -r certs /etc/ipsec.d/
cp -r private /etc/ipsec.d/
Think of this like putting keys into the right locks.
Step 5: Create VPN Users
Let’s say your username is alice and your password is supersecure. Add it to /etc/ipsec.secrets:
echo 'alice : EAP "supersecure"' >> /etc/ipsec.secrets
This file is like a secret list of who’s allowed in.
StrongSwan also needs to know which private key belongs to the server certificate you made in Step 3, otherwise the server can’t prove who it is. Add that line too:
echo ': RSA server-key.pem' >> /etc/ipsec.secrets
Step 6: Configure StrongSwan
Edit /etc/ipsec.conf and add this:
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.example.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity
This tells StrongSwan how to behave when someone connects. leftid must match the domain in your server certificate, and rightsourceip is the pool of private addresses handed out to clients; it has to be the same subnet you NAT in the firewall step.
Step 7: Enable IP Forwarding
Edit /etc/sysctl.conf and uncomment this line:
net.ipv4.ip_forward=1
Then apply it:
sysctl -p
This lets your server “pass along” traffic from clients.
Step 8: Set Up Firewall (UFW)
Install UFW if you don’t have it:
apt install ufw -y
Allow important ports:
ufw allow ssh
ufw allow 500,4500/udp
ufw enable
Update /etc/ufw/before.rules to allow VPN traffic. Add this before the *filter line:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
Replace eth0 with your server’s public network interface if it’s named differently (check with ip a). UFW also has to let forwarded traffic through: by default /etc/default/ufw has DEFAULT_FORWARD_POLICY="DROP", so change it to "ACCEPT" (or add forward rules just for 10.10.10.0/24) before reloading.
Then reload UFW:
ufw disable && ufw enable
Step 9: Start StrongSwan
Restart the service:
systemctl restart strongswan
systemctl enable strongswan
Now your VPN server is ready!
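Before you trust that message, here is a pre-flight check I’ve added to this guide (it is not part of StrongSwan or of the steps above) that catches the errors listed later: a certificate path that doesn’t match, a missing private key line, and a client pool that doesn’t match the firewall NAT rule. It assumes the file locations used in this guide but takes them as arguments so you can run it against copies.

```shell
#!/bin/sh
# Pre-flight check for the pieces created in Steps 3 to 8 of this guide.
# Added example, not part of the guide or of StrongSwan. Every path is an
# argument so it can be run against copies; the defaults are the guide's paths.
# Usage: check_vpn_setup [ipsec.conf] [ipsec.secrets] [before.rules] [ipsec.d]
# Exit status is the number of problems found (0 = all checks passed).
check_vpn_setup() {
    conf="${1:-/etc/ipsec.conf}"; secrets="${2:-/etc/ipsec.secrets}"
    rules="${3:-/etc/ufw/before.rules}"; ipsecd="${4:-/etc/ipsec.d}"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    # Read one "key=value" setting from ipsec.conf, ignoring indentation.
    conf_value() { sed -n "s/^[[:space:]]*$1=//p" "$conf" | head -n 1; }

    # 1. The certificate named by leftcert must be in ipsec.d/certs/.
    leftcert=$(conf_value leftcert)
    [ -n "$leftcert" ] && [ -f "$ipsecd/certs/$leftcert" ] \
        || fail "leftcert '$leftcert' not found in $ipsecd/certs/"

    # 2. The CA certificate clients will import must be in ipsec.d/cacerts/.
    [ -f "$ipsecd/cacerts/ca-cert.pem" ] || fail "cacerts/ca-cert.pem is missing"

    # 3. ipsec.secrets must point at the server's private key, and it must exist.
    keyfile=$(sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]*//p' "$secrets" \
              | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//')
    if [ -z "$keyfile" ]; then
        fail "no ': RSA server-key.pem' line in $secrets"
    elif [ ! -f "$ipsecd/private/$keyfile" ]; then
        fail "private key '$keyfile' not found in $ipsecd/private/"
    fi

    # 4. The client address pool must exist and match the MASQUERADE rule,
    #    otherwise clients connect but their traffic goes nowhere.
    pool=$(conf_value rightsourceip)
    nat=$(sed -n 's/^-A POSTROUTING -s \([^ ]*\) .*MASQUERADE.*/\1/p' "$rules" | head -n 1)
    if [ -z "$pool" ]; then
        fail "rightsourceip is not set, clients would get no VPN address"
    elif [ -z "$nat" ]; then
        fail "no MASQUERADE rule found in $rules"
    elif [ "$pool" != "$nat" ]; then
        fail "rightsourceip ($pool) and MASQUERADE subnet ($nat) differ"
    fi

    [ "$problems" -eq 0 ] && echo "OK: configuration looks consistent"
    return "$problems"
}
```

Run it as root with no arguments on the server and fix anything marked FAIL before restarting StrongSwan again.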
How to Connect from Your Device
On your phone or computer, add a new IKEv2 VPN.
Here’s what you’ll need:
- Server: vpn.example.com
- Username: alice
- Password: supersecure
- CA Certificate: Import the one from /etc/ipsec.d/cacerts/ca-cert.pem
Try it out. If it connects and you can browse, you did it!
Three Lists to Help You Out
Tools You Used
- ✅ Debian server
- ✅ StrongSwan
- ✅ Terminal and SSH
- ✅ Coffee (optional but nice)
What This Setup Gives You
- ✅ Fast and stable VPN
- ✅ Great mobile support
- ✅ Secure and private tunnel
Possible Errors to Watch For
- ❌ Wrong domain name
- ❌ Port not allowed in firewall
- ❌ Certificate paths not matching
Funny Mistakes I Made
Once, I used the wrong IP in the config. The VPN kept saying “Nope, can’t connect.” Took me an hour to realize I had typed .124 instead of .123.
Another time, I added a semicolon in the config. That broke everything. Computers are picky.
But hey, mistakes teach you fast. You break it, you learn it.
Final Thoughts
Setting up an IKEv2 VPN with StrongSwan on Debian takes some work. But once it’s done, you have a fast, secure, and private way to browse the web. No more relying on sketchy public Wi-Fi. No more wondering if someone’s peeking at your data.
You built it yourself. You control it. And you probably learned a thing or two along the way.
Was it hard? A bit.
Was it worth it? Totally.