A compact Strongswan IKEv2 VPN container image based on
bitnami/minideb base image.
By default, the minimum configuration is CNSA Suite compliant.
This image is available as docker.io/aeron/ikev2-strongswan-vpn
and ghcr.io/Aeron/ikev2-strongswan-vpn. You can use them both
interchangeably.
docker pull docker.io/aeron/ikev2-strongswan-vpn
# …or…
docker pull ghcr.io/aeron/ikev2-strongswan-vpnRun a container with the --privileged flag:
docker run -d --privileged --name ikev2-vpn --restart=unless-stopped \
-p 500:500/udp \
-p 4500:4500/udp \
aeron/ikev2-strongswan-vpn:latestOr, it is always possible to run it only with the NET_ADMIN capability:
docker run -d --name ikev2-vpn --restart=unless-stopped \
--cap-add net_admin \
-p 500:500/udp \
-p 4500:4500/udp \
aeron/ikev2-strongswan-vpn:latestNote
In this case, related kernel parameters setup must be set before.
The LOGGING_MODE environment variable could be convenient for setting a different
logging level. It accepts the following values:
zerofor almost silent logging;lessfor only necessary info;somefor standard logging and errors.
Unset value behaves as some, yet adds debugging for cfg, ike, and net
subsystems.
For finer tuning better to mount a custom /etc/strongswan.conf.
The entrypoint script supports the following commands and parameters:
Usage: /entrypoint.sh [COMMAND [NAME]]
Commands:
add-psk Add a new PSK credential
get-psk Print a secret for a PSK credential
del-psk Delete a PSK credential
set-psk-id Enforce an ID usage for a PSK credential
profile-psk Print a PSK device management profile for macOS/iOS
[requires: $HOST]
start Start the charon-systemd
[default]
Parameters:
NAME A desired PSK credential name
[default: "default"]
To add, get, or delete a pre-shared key, use the following command pattern:
docker run -it --rm --volumes-from ikev2-vpn \
aeron/ikev2-strongswan-vpn:latest \
COMMAND [NAME]
# …or…
docker exec -it ikev2-vpn /entrypoint.sh COMMAND [NAME]Supported commands and parameters are described above.
If you are running the image for the first time and only need a single default credential, then do this:
docker run -it --rm --volumes-from ikev2-vpn \
aeron/ikev2-strongswan-vpn:latest \
add-psk
docker run -it --rm --volumes-from ikev2-vpn \
aeron/ikev2-strongswan-vpn:latest \
get-psk
# …or…
docker exec -it ikev2-vpn /entrypoint.sh add-psk
docker exec -it ikev2-vpn /entrypoint.sh get-pskIt will create a new PSK credetial and display it. If you want a one-click solution instead, then check out the profile section.
It is possible to save/restore pre-shared keys by mounting the /etc/swanctl/conf.d
directory. For example:
docker run -d --name ikev2-vpn --restart=unless-stopped \
--cap-add net_admin \
-p 500:500/udp \
-p 4500:4500/udp \
-v /your/local/path:/etc/swanctl/conf.d:rw \
aeron/ikev2-strongswan-vpn:latestSimply replace the /your/local/path with a desired directory path.
There is an auto-migration support for prior-swanctl deployments.
If PSK credentials are still stored in /etc/ipsec.secrets, entrypoint script will
try to migrate them to separate /etc/swanctl/conf.d/psk-*.conf files.
While existing /etc/ipsec.secrets will not be touched, it is better to manually
remove it at some point. Before you decide to do so, ensure that both credential
volumes are mounted at the same time. It might look like so:
docker run -d --name ikev2-vpn --restart=unless-stopped \
--cap-add net_admin \
-p 500:500/udp \
-p 4500:4500/udp \
-v /path/to/old/ipsec.secrets:/etc/ipsec.secrets:ro \
-v /path/to/new/config/dir:/etc/swanctl/conf.d:rw \
aeron/ikev2-strongswan-vpn:latestIt will guarantee you have a migrated configuration safely stored.
Important
Before removing an older configuration, verify that secrets in both configurations are the same.
Note
If you already migrated a configuration but do not want to remove or unmount
/etc/ipsec.secrets yet, it is possible to disable auto-migration, by unsetting
the IPSEC_AUTO_MIGRATE environment variable.
Important
The resulting /etc/swanctl/conf.d/psk-*.conf files will not include IKE-PSK ID
fields because profiles compiled before version 23.0 never strictly
addressed the remote ID field. So a client’s remote ID will be treated as %any.
To generate a .mobileconfig file for macOS/iOS, run the following:
docker run -it --rm --volumes-from ikev2-vpn \
-e HOST=example.com \
aeron/ikev2-strongswan-vpn:latest \
profile-psk > ikev2-vpn.mobileconfig
# …or…
docker exec -it \
-e HOST=example.com \
ikev2-vpn \
/entrypoint.sh profile-psk > ikev2-vpn.mobileconfigReplace the example.com with the desired domain name; an IP address may be used
instead as well. The HOST environment variable is required.
If there is a need to identify different clients, then LOCAL_ID value could be
supplied:
docker run -it --rm --volumes-from ikev2-vpn \
-e HOST=example.com \
-e LOCAL_ID=john.example.com \
aeron/ikev2-strongswan-vpn:latest \
profile-psk > ikev2-vpn.mobileconfig
# …or…
docker exec -it \
-e HOST=example.com \
-e LOCAL_ID=john.example.com \
ikev2-vpn \
/entrypoint.sh profile-psk > ikev2-vpn.mobileconfigUsually, the LOCAL_ID should be an IP address, FQDN, UserFQDN, or ASN1DN, but a
simple name suits as well.
Important
The LOCAL_ID (or a combo of local and remote identifiers) must be unique for
each simultaneous connection.
Copy the resulting ikev2-vpn.mobileconfig file on a macOS machine, then add it by
double-clicking. Or transfer it on an iOS device via AirDrop. Also, it can be stored
in iCloud Files and added from there.
To install it, search “Profile” in the device settings. It will display all profiles waiting for installation. Proceed from there: click on a profile, then click an “install” button, and authorize it. As a result, there must be a new VPN added with a familiar name.
To remove a VPN service, search “Profile” in a device settings, then delete a previously installed profile.
To avoid reproducing excessive profiles and VPN services on a device, profile/service
UUIDs can be saved/restored by mounting volumes /profile.uuid and /service.uuid,
like so:
docker run -it --rm --volumes-from ikev2-vpn \
-e HOST=example.com \
-v /path/to/profile.uuid:/profile.uuid \
-v /path/to/service.uuid:/service.uuid \
aeron/ikev2-strongswan-vpn:latest \
profile-psk > ikev2-vpn.mobileconfig
# …or…
docker exec -it \
-e HOST=example.com \
-v /path/to/profile.uuid:/profile.uuid \
-v /path/to/service.uuid:/service.uuid \
ikev2-vpn \
/entrypoint.sh profile-psk > ikev2-vpn.mobileconfigIt will generate new UUIDs once and re-use them next time.
Note
Such volumes also can be mounted for a main container somewhat permanently. Then there will be no need to specify it for the profile compilation.
If a container was never run in privileged mode and such an approach is undesirable, then run the following first:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.eth0.proxy_ndp=1Or put a config in /etc/sysctl.d/ permanently, like so:
echo net.ipv4.ip_forward=1 | sudo tee /etc/sysctl.d/network-tune.conf
echo net.ipv6.conf.all.forwarding=1 | sudo tee /etc/sysctl.d/network-tune.conf
echo net.ipv6.conf.eth0.proxy_ndp=1 | sudo tee /etc/sysctl.d/network-tune.confOr use --sysctl options to specify it at runtime:
docker run -d --name ikev2-vpn --restart=unless-stopped \
--cap-add net_admin \
--sysctl net.ipv4.ip_forward=1 \
--sysctl net.ipv6.conf.all.forwarding=1 \
--sysctl net.ipv6.conf.eth0.proxy_ndp=1 \
-p 500:500/udp \
-p 4500:4500/udp \
aeron/ikev2-strongswan-vpn:latestRunning container logs may contain something similar to this:
ip6tables-restore: unable to initialize table 'nat'
Probably, Docker does not load a proper kernel module for IPv6 NAT, so it will be
necessary to run modprobe first:
sudo modprobe ip6table_natOr simply put a config in /lib/modules-load.d/ permanently, like so:
echo ip6table_nat | sudo tee /lib/modules-load.d/ip6table-nat.confDocker has IPv6 support out-of-the-box, but it needs to be enabled manually in daemon configuration and a network created afterward. More on this in the official Docker documentation.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}