The IKEv2 and Clientless SSL VPN options are supported on Linux. The following instructions will help you create and use the VPN option of your choice. For more information on the VPN types, see VPN.
Using the IKEv2 VPN Option on Linux
The easiest way to use StrongSwan on Linux is through the StrongSwan Network Manager Plugin. Command-line options also exist if you so desire, and instructions are available at https://wiki.strongswan.org.
General instructions are provided for Debian-based distributions. You may adapt these instructions for other distributions, but be aware that the packages may be named and arranged differently.
Installation on Debian-based distributions
For recent Debian-based distributions, you will need to install Network Manager's StrongSwan plugin and StrongSwan's eap-identity and eap-mschapv2 plugins.
- With root privileges, install the following packages using your package manager of choice (e.g. Synaptic, apt, apt-get, aptitude, etc.):
  - network-manager-strongswan
  - libstrongswan-extra-plugins
  - libcharon-extra-plugins
  - libcharon-extauth-plugins
As a concrete example, using sudo for root privilege and apt as the package manager, the following command would install the needed packages:
sudo apt install network-manager-strongswan libstrongswan-extra-plugins libcharon-extra-plugins libcharon-extauth-plugins
If you prefer, it is also possible to download the StrongSwan source code from strongswan.org and compile from source. If you choose this option, remember to also compile and install the eap-identity and eap-mschapv2 plugins. More information is available at https://wiki.strongswan.org.
Configuration on Debian-based distributions
- Open your desktop's Network Manager application and edit its connections.
- Add a new VPN connection using IPsec-based VPN (strongswan)
  - Set the Connection Name to CAEDM IKEv2 VPN
  - Set Gateway: to vpn.et.byu.edu
  - If using the KDE desktop instead of Gnome:
    - Set Certificate: to /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem
  - Set Authentication to EAP
  - Enter your Username
  - Enter your Password (or leave blank to be prompted when you connect)
  - Under Options select only Request an inner IP address and Enforce UDP encapsulation
- Click OK
As of Debian Bullseye, leaving the certificate field blank in KDE creates an invalid config, and it will refuse to connect. You will need to specify the "DigiCert High Assurance EV Root CA" as shown above for the time being. The same workaround may be required on other Linux distributions as well. Other desktops are not known to have this problem.
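The following is an added example, not part of the original instructions or of StrongSwan: a small shell check that compares a saved Network Manager profile against the settings listed above and reports the blank-certificate case on KDE. The key names in the [vpn] section (address, certificate, method, encap, virtual) are an assumption about how the plugin saves its settings, so compare them with your own profile before relying on the result.

```shell
#!/bin/sh
# Added example, not CAEDM or StrongSwan code. The [vpn] key names used here
# (address, certificate, method, encap, virtual) are an assumption about how
# the Network Manager StrongSwan plugin saves a profile; check your own file.

# vpn_key FILE KEY: print the value of KEY from the [vpn] section of FILE.
vpn_key() {
    awk -F= -v key="$2" '
        /^\[/ { in_vpn = ($0 == "[vpn]"); next }
        in_vpn && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# report MESSAGE: print one finding and count it.
report() {
    echo "FAIL: $1"
    problems=$((problems + 1))
}

# check_profile FILE [DESKTOP]: return 0 only if FILE matches the settings
# above. Pass "kde" as DESKTOP to treat a blank certificate as a failure.
check_profile() {
    problems=0
    [ "$(vpn_key "$1" address)" = "vpn.et.byu.edu" ] || report "Gateway is not vpn.et.byu.edu"
    [ "$(vpn_key "$1" method)" = "eap" ] || report "Authentication is not EAP"
    [ "$(vpn_key "$1" virtual)" = "yes" ] || report "Request an inner IP address is off"
    [ "$(vpn_key "$1" encap)" = "yes" ] || report "Enforce UDP encapsulation is off"
    cert=$(vpn_key "$1" certificate)
    if [ -z "$cert" ]; then
        # Only KDE is described above as producing an invalid config here.
        [ "$2" = "kde" ] && report "Certificate is blank on KDE"
    elif [ ! -r "$cert" ]; then
        report "Certificate file is not readable: $cert"
    fi
    [ "$problems" -eq 0 ]
}
```

Saved profiles normally live under /etc/NetworkManager/system-connections/ and are readable only by root, so run check_profile with root privileges on the profile you created.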
For additional help in installing or configuring StrongSwan Network, consult the wiki at https://wiki.strongswan.org.
Using the Clientless SSL VPN Option on Linux
- Go to https://vpn.et.byu.edu/ using your browser of choice.
- Enter your CAEDM username and password, and then click "Login".