
Linux IKEv2 ProtonVPN tutorial

We are introducing a new way to connect to ProtonVPN services using IKEv2 on Linux machines. This guide was made with the help of our community member ‘sh4dowb’. You can use it if you prefer the IKEv2 protocol itself, or if you are facing network issues with the Linux client tool.

This setup guide shows how to configure an IKEv2 connection on Mint 18.3 Sylvia.


1. Install the necessary packages by opening the Terminal (CTRL+T) and entering these commands (you will be prompted for your root password to allow the installation; enter it to proceed):

sudo apt-get install strongswan
sudo apt-get install strongswan-extra-plugins
sudo apt-get install libcharon-extra-plugins

Note: depending on your Linux distribution, you might not need all the packages. If the Terminal reports ‘Unable to locate package’, simply continue without that package.


2. Download the ProtonVPN root certificate and place it in strongSwan's CA certificate directory (/etc/ipsec.d/cacerts/).

wget https://protonvpn.com/download/ProtonVPN_ike_root.der -O /tmp/protonvpn.der
sudo mv /tmp/protonvpn.der /etc/ipsec.d/cacerts/


3. Next, open /etc/ipsec.conf with your favourite text editor (Nano is used in this demonstration) by entering sudo nano /etc/ipsec.conf

This is what you should see:

Delete the text up to ‘Add connections here’, and enter these parameters:

conn test
 left=%defaultroute
 leftsourceip=%config
 leftauth=eap-mschapv2
 eap_identity=tester
 right=it-01.protonvpn.com
 rightsubnet=0.0.0.0/0
 rightauth=pubkey
 rightid=%it-01.protonvpn.com
 rightca=/etc/ipsec.d/cacerts/protonvpn.der
 keyexchange=ikev2
 type=tunnel
 auto=add


Instead of test, give the connection a name that you will use later.

Instead of tester, enter your IKEv2/OpenVPN username.

Instead of it-01.protonvpn.com, you can choose whichever server you want, except a free one: free servers do not work with the IKEv2 protocol because of the load balancer used on their hostnames.

Then press Ctrl+X to exit, Y to confirm saving, and hit Enter.


4. The next step is to add your credentials to the right file.

Open /etc/ipsec.secrets with a text editor by entering sudo nano /etc/ipsec.secrets

Then, enter this text:

tester : EAP test123

Instead of tester, enter your OpenVPN/IKEv2 username, and instead of test123, enter your OpenVPN/IKEv2 password.

Then, once again, press Ctrl+X, press Y to save and hit Enter.

After that, you will need to restart the IPsec service by entering sudo ipsec restart


5. The setup is complete and you can try connecting with your new IKEv2 connection.

To connect to the server, enter sudo ipsec up test

Instead of test, use the name of the connection that you’ve entered in the /etc/ipsec.conf file.

This is what you should see if the connection is set up correctly:

That's it, you are now connected to ProtonVPN services via the IKEv2 protocol. If you want to terminate the connection to the server, enter this command:

sudo ipsec down test

(Instead of test, use the name of your connection)
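Steps 3 and 4 as an added example (not code from the article): a POSIX shell script that renders the connection block and the secrets line from one set of values, keeps /etc/ipsec.secrets root-only, and checks that eap_identity has a matching EAP secret. The name, username, server and password it takes are placeholders.

```shell
#!/bin/sh
# Added example, not code from the ProtonVPN article: render the conn block
# from step 3 and the secrets line from step 4 from one set of values, so the
# connection name, eap_identity and the secrets entry cannot drift apart.
# NAME, USERNAME, SERVER and PASSWORD are placeholders supplied by the caller.
set -eu

# render_conn NAME USERNAME SERVER: print the connection block as in step 3.
render_conn() {
  printf 'conn %s\n' "$1"
  printf ' left=%%defaultroute\n'
  printf ' leftsourceip=%%config\n'
  printf ' leftauth=eap-mschapv2\n'
  printf ' eap_identity=%s\n' "$2"
  printf ' right=%s\n' "$3"
  printf ' rightsubnet=0.0.0.0/0\n'
  printf ' rightauth=pubkey\n'
  printf ' rightid=%%%s\n' "$3"
  printf ' rightca=/etc/ipsec.d/cacerts/protonvpn.der\n'
  printf ' keyexchange=ikev2\n'
  printf ' type=tunnel\n'
  printf ' auto=add\n'
}

# render_secret USERNAME PASSWORD: the EAP line from step 4.
render_secret() { printf '%s : EAP %s\n' "$1" "$2"; }

# secrets_match CONF SECRETS: succeed when the eap_identity in CONF has an
# "EAP" line in SECRETS. Without one, 'ipsec up' fails at IKE_AUTH with
# "no EAP key found for hosts '<user>' - '<server>'".
secrets_match() {
  id=$(printf '%s\n' "$1" | sed -n 's/^ *eap_identity=//p')
  printf '%s\n' "$2" | grep -q "^$id : EAP "
}

# install_config NAME USERNAME SERVER PASSWORD: append both files (run as root).
# The password is stored in clear text, so the secrets file is kept root-only,
# and strongSwan only reads the new entries after the restart from step 4.
install_config() {
  render_conn "$1" "$2" "$3" >> /etc/ipsec.conf
  (umask 077; render_secret "$2" "$4" >> /etc/ipsec.secrets)
  chmod 600 /etc/ipsec.secrets
  ipsec restart
}

# Usage: sh ikev2-setup.sh install NAME USERNAME SERVER PASSWORD
# Without 'install' the script only prints the example block for review.
case "${1:-}" in
  install) shift; install_config "$@" ;;
  *) render_conn test tester it-01.protonvpn.com ;;
esac
```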



16 comments

  1. ichag

    Did it! Works for me, following the tutorial.
    When you change the config or the secrets file you have to restart ipsec.

  2. Shadowstreik

    checking certificate status of “CN=us-nj-02.protonvpn.com”
    certificate status is not available
    using trusted ca certificate “C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA”
    checking certificate status of “C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1”
    certificate status is not available
    reached self-signed root ca with a path length of 1
    authentication of ‘us-nj-02.protonvpn.com’ with RSA_EMSA_PKCS1_SHA2_256 successful
    server requested EAP_IDENTITY (id 0x00), sending ‘XXXXXXXX’
    generating IKE_AUTH request 2 [ EAP/RES/ID ]
    sending packet: from 192.168.XXX.XXX[4500] to 67.202.83.122[4500] (96 bytes)
    received packet: from 67.202.83.122[4500] to 192.168.XXX.XXX[4500] (96 bytes)
    parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
    server requested EAP_MD5 authentication (id 0x01)
    no EAP key found for hosts ‘XXXXXXXX’ – ‘us-nj-02.protonvpn.com’
    EAP_MD5 method failed
    generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
    sending packet: from 192.168.XXX.XXX[4500] to 67.202.83.122[4500] (80 bytes)
    establishing connection ‘XXXXXXXX’ failed

  3. ProtonVPN Team

    Hello, we suggest contacting our customer support team with issues like this so we could solve them since we will need more information. https://protonvpn.com/support-form

  4. Shadowstreik

    Tried on a Raspberry Pi using the x86 Stretch – Works without issue.
    =HOWEVER=
    Linux Mint 19 results after successfully setting up…
    ————————————————–
    initiating IKE_SA xxxxxxxx[2] to 67.202.83.122
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from 192.168.x.xxx[500] to 67.202.83.122[500] (880 bytes)
    received packet: from 67.202.83.122[500] to 192.168.x.xxx[500] (38 bytes)
    parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    peer didn’t accept DH group CURVE_25519, it requested MODP_2048
    initiating IKE_SA xxxxxxxx[2] to 67.202.83.122
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from 192.168.x.xxx[500] to 67.202.83.122[500] (1104 bytes)
    received packet: from 67.202.83.122[500] to 192.168.x.xxx[500] (464 bytes)
    parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    local host is behind NAT, sending keep alives
    sending cert request for “C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA”
    no IDi configured, fall back on IP address
    establishing CHILD_SA xxxxxxxx{2}
    generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    sending packet: from 192.168.x.xxx[4500] to 67.202.83.122[4500] (320 bytes)
    received packet: from 67.202.83.122[4500] to 192.168.x.xxx[4500] (1236 bytes)
    parsed IKE_AUTH response 1 [ EF(1/3) ]
    received fragment #1 of 3, waiting for complete IKE message
    received packet: from 67.202.83.122[4500] to 192.168.x.xxx[4500] (1236 bytes)
    parsed IKE_AUTH response 1 [ EF(2/3) ]
    received fragment #2 of 3, waiting for complete IKE message
    received packet: from 67.202.83.122[4500] to 192.168.x.xxx[4500] (644 bytes)
    parsed IKE_AUTH response 1 [ EF(3/3) ]
    received fragment #3 of 3, reassembling fragmented IKE message
    parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
    received end entity cert “CN=us-nj-02.protonvpn.com”
    received issuer cert “C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1”
    using certificate “CN=us-nj-02.protonvpn.com”
    using untrusted intermediate certificate “C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1”
    checking certificate status of “CN=us-nj-02.protonvpn.com”
    certificate status is not available
    using trusted ca certificate “C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA”
    checking certificate status of “C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1”
    certificate status is not available
    reached self-signed root ca with a path length of 1
    authentication of ‘us-nj-02.protonvpn.com’ with RSA_EMSA_PKCS1_SHA2_256 successful
    server requested EAP_IDENTITY (id 0x00), sending ‘ragnar.household’
    generating IKE_AUTH request 2 [ EAP/RES/ID ]
    sending packet: from 192.168.x.xxx[4500] to 67.202.83.122[4500] (96 bytes)
    received packet: from 67.202.83.122[4500] to 192.168.x.xxx[4500] (96 bytes)
    parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
    server requested EAP_MD5 authentication (id 0x01)
    no EAP key found for hosts ‘XXXXXXXX’ – ‘us-nj-02.protonvpn.com’
    EAP_MD5 method failed
    generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
    sending packet: from 192.168.x.xxx[4500] to 67.202.83.122[4500] (80 bytes)
    establishing connection ‘xxxxxxxx’ failed
    ————————————————-

  5. ProtonVPN Team

    Hello! It would be best if you contacted our customer support team in the first place! It seems that there is an authentication issue or could be something wrong with certificates. Please let our team know here for further troubleshooting https://protonvpn.com/support-form

  6. shadowstreik

    pi@rahbrd1:~ $ sudo ipsec up name
    unable to resolve it-ch-13.protonvpn.com, initiate aborted
    tried to checkin and delete nonexisting IKE_SA
    establishing connection ‘name’ failed

  7. ProtonVPN Team

    Hello! It's hard to tell something about your current issue since we need more information, so please contact our customer support team. https://protonvpn.com/support-form

  8. anynon

    Verbose. No listing of servers. Still too clunky to be user friendly.

  9. ProtonVPN Team

    Hello, then please try using our Linux client tool. https://protonvpn.com/support/linux-vpn-tool/

  10. Kustaa

    It did not work.
    sudo ipsec up ZZZZ gave:

    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    sending packet: from 192.168.0.161[500] to 185.159.157.8[500] (1124 bytes)
    received packet: from 185.159.157.8[500] to 192.168.0.161[500] (38 bytes)
    parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    peer didn’t accept DH group MODP_2048, it requested ECP_256

  11. ProtonVPN Team

    Hello! You seem to have misconfigured something while following the guide, could you please retry and if no luck upon connecting, contact our customer support team. https://protonvpn.com/support-form

  12. nada

    I just gave it a try because using “openvpn” from the command line was giving me trouble. Everything worked fine but I’m still not sure what the exact benefit is supposed to be vs. other options (client, etc.)…

  13. ProtonVPN Team

    Hello, this connection method could provide better connection speeds or could connect you if the openvpn ports are blocked on your network.

  14. nothing

    Ok tried this, on slackware 14.2
    I am getting EAP_authentication error.
    root@cunted:~# ipsec up PVPN
    initiating IKE_SA PVPN[4] to ~.~.~>~
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from ~.~.~>~[500] to ~.~.~>~[500] (768 bytes)
    received packet: from ~.~.~>~[500] to ~.~.~>~[500] (264 bytes)
    parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    local host is behind NAT, sending keep alives
    sending cert request for “C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA”
    no IDi configured, fall back on IP address
    establishing CHILD_SA PVPN{4}
    generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    sending packet: from ~.~.~>~[4500] to ~.~.~>~[4500] (306 bytes)
    received packet: from ~.~.~>~[4500] to ~.~.~>~[4500] (1248 bytes)
    parsed IKE_AUTH response 1 [ EF(1/3) ]
    received fragment #1 of 3, waiting for complete IKE message
    received packet: from ~.~.~>~[4500] to ~.~.~>~[4500] (1248 bytes)
    parsed IKE_AUTH response 1 [ EF(2/3) ]
    received fragment #2 of 3, waiting for complete IKE message
    received packet: from ~.~.~>~[4500] to ~.~.~>~[4500] (580 bytes)
    parsed IKE_AUTH response 1 [ EF(3/3) ]
    received fragment #3 of 3, reassembling fragmented IKE message
    parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
    received end entity cert “CN=nl-04.protonvpn.com”
    received issuer cert “C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1”
    using certificate “CN=nl-04.protonvpn.com”
    using untrusted intermediate certificate “C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1”
    checking certificate status of “CN=nl-04.protonvpn.com”
    certificate status is not available
    using trusted ca certificate “C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA”
    checking certificate status of “C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1”
    certificate status is not available
    reached self-signed root ca with a path length of 1
    authentication of ‘nl-04.protonvpn.com’ with RSA_EMSA_PKCS1_SHA2_256 successful
    server requested EAP_IDENTITY (id 0x00), sending ‘THISISNTMYREALUSERNAME’
    EAP_IDENTITY not supported, sending EAP_NAK
    generating IKE_AUTH request 2 [ EAP/RES/NAK ]
    sending packet: from ~.~.~>~[4500] to ~.~.~>~[4500] (67 bytes)
    received packet: from ~.~.~>~[4500] to ~.~.~>~[4500] (65 bytes)
    parsed IKE_AUTH response 2 [ EAP/FAIL ]
    received EAP_FAILURE, EAP authentication failed
    generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
    sending packet: from ~.~.~>~[4500] to ~.~.~>~[4500] (65 bytes)
    establishing connection ‘PVPN’ failed

  15. ProtonVPN Team

    Hello, it simply seems to be an authentication issue, are you sure that you are using the OpenVPN/IKEv2 credentials and not the ones that you use to log in to our website? If so, please contact our customer support team! https://protonvpn.com/support-form

  16. nothing

    anyone tried this yet ?
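The failures pasted in comments 2, 4, 6, 10 and 14 above follow a few recognisable patterns in strongSwan's output. As an added example (not from the article or any commenter), a POSIX shell script that reads the output of `ipsec up` and names the likely cause and the step to re-check; the sample log embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the article or its commenters: read the output of
# 'sudo ipsec up NAME' and name the likely cause, using the messages that
# appear in the comment thread. Usage: sudo ipsec up myvpn 2>&1 | sh triage.sh -
# The sample log at the bottom is constructed, with identities made up.

# has PATTERN: true if the log held in $LOG contains PATTERN (basic regex).
has() { printf '%s\n' "$LOG" | grep -q -e "$1"; }

# diagnose LOG: print "<class>: <explanation>". Rules are ordered so that a
# later, definitive outcome wins over the DH-group retry strongSwan does itself.
diagnose() {
  LOG=$1
  if has "established successfully"; then
    echo "ok: tunnel is up"
  elif has "unable to resolve"; then
    echo "dns: the right= hostname does not resolve; check the server name and your resolver"
  elif has "no EAP key found for hosts"; then
    echo "secrets: no '<user> : EAP <password>' line in /etc/ipsec.secrets matches eap_identity; fix it, then 'ipsec restart'"
  elif has "EAP_IDENTITY not supported"; then
    echo "plugins: the eap-identity plugin is not loaded (see 'ipsec listplugins'); install the extra plugin packages from step 1"
  elif has "received EAP_FAILURE"; then
    echo "auth: the server rejected the credentials; use the OpenVPN/IKEv2 username and password, not the account login"
  elif has "AUTH_FAILED"; then
    echo "auth: authentication failed; re-check steps 3 and 4"
  elif has "didn.t accept DH group"; then
    echo "proposal: the peer rejected the DH group and no retry completed; make sure the plugin providing the requested group is installed"
  else
    echo "unknown: no recognised outcome in the log"
  fi
}

# Constructed sample, modelled on comment 4 (identities and server made up).
SAMPLE_NOKEY="server requested EAP_MD5 authentication (id 0x01)
no EAP key found for hosts 'tester' - 'it-01.protonvpn.com'
EAP_MD5 method failed
generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
establishing connection 'test' failed"

case "${1:-}" in
  -) diagnose "$(cat)" ;;          # real log on stdin
  *) diagnose "$SAMPLE_NOKEY" ;;   # demo on the constructed sample
esac
```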
