Overview

This guide walks you through setting up a robust IKEv2 VPN that provides static IP addresses to individual clients. It targets system administrators, developers, and business operators who need predictable VPN addressing for firewall rules, access control lists, logging, or split-tunneling. We’ll use strongSwan on a Linux server (Debian/Ubuntu/CentOS) as the reference implementation, cover certificate-based authentication (recommended) and EAP-based authentication, IP allocation strategies, routing, NAT, DNS push, firewall integration, and client configuration for major OSes.

Why IKEv2 with Static IPs

IKEv2 offers resiliency to network changes (Mobility and Multihoming), built-in NAT traversal, and strong cryptographic choices with minimal handshake overhead. Assigning static IPs to VPN users simplifies:

  • Firewall rules and access control to internal resources
  • Per-user routing and logging
  • Integration with existing IP-based services that require whitelisting

High-Level Architecture

At minimum, you need:

  • A public-facing Linux server with a stable public IP
  • strongSwan installed and configured as an IKEv2 responder
  • PKI (CA + server cert + per-client certs) or EAP credentials for authentication
  • A method to assign static internal addresses: per-client configuration in strongSwan (swanctl.conf) or ipsec.conf
  • Firewall/NAT rules and IP forwarding enabled

Prerequisites and System Preparation

Install strongSwan and basic utilities:

Debian/Ubuntu:

sudo apt update && sudo apt install strongswan strongswan-swanctl libcharon-extra-plugins iptables-persistent

CentOS/RHEL (with EPEL):

yum install epel-release && yum install strongswan iptables-services

Enable IP forwarding and tune kernel settings for VPN performance:

  • Edit /etc/sysctl.conf and set: net.ipv4.ip_forward = 1
  • For IPv6 forwarding if needed: net.ipv6.conf.all.forwarding = 1
  • Apply: sudo sysctl -p

PKI vs EAP Authentication

Use certificates for machine- or server-level authentication and EAP (e.g., EAP-MSCHAPv2) for username/password login. For the strongest security, use both: server certificate + client certificates. If you need per-user static IPs mapped to usernames, EAP credentials mapped to static IPs or client certificates mapped to static IPs both work.

Generating a Simple PKI

strongSwan ships with pki for certificate management. Example (short):

  • Create CA: pki --gen --type rsa --size 4096 --outform pem > caKey.pem
  • Create CA cert: pki --self --in caKey.pem --dn "CN=MyVPN CA" --ca --outform pem > caCert.pem
  • Generate server key and CSR, sign with CA to produce server cert (serverCert.pem)
  • Generate client keys and client certs for each user; keep private keys secure

strongSwan Configuration Strategy

Prefer swanctl.conf (swanctl) configuration for modern strongSwan setups. It supports detailed per-connection and per-client options, including static virtual IPs.

Example swanctl.conf snippets

Global configuration and connection templates (abridged for clarity):

<pre>

connections {

ikev2-static {

local_addrs = 198.51.100.10

local {

certs = serverCert.pem

id = “CN=vpn.example.com”

}

remote {

auth = pubkey

}

children {

net {

local_ts = 0.0.0.0/0

start_action = trap

}

}

}

}

secrets {

file = /etc/swanctl/secrets.conf

}

</pre>

To assign static IPs per client, declare separate connection entries per client or use pools and static mapping via the remote id match. Example approach follows.

Assigning Static IPs per Client

Two common approaches:

  • Dedicated connection block per client: Create a connection entry where remote.id matches a client certificate subject or username and set children.net.local_ts to the static address/route. This is explicit and easy to audit but requires a config entry per user.
  • IP pool with static mapping via RADIUS or VICI: Use a user database (e.g., RADIUS or custom plugin) to assign a specific address on authentication using the VICI interface. This scales better for many users.

Example of explicit per-client mapping (swanctl.conf):

<pre>

connections {

client-alice {

include = ikev2-static

remote_addrs = 0.0.0.0

remote { id = “CN=alice@example.com” }

children {

net {

local_ts = 10.10.10.1/32 # static IP assigned to Alice

start_action = trap

}

}

}

client-bob {

include = ikev2-static

remote { id = “CN=bob@example.com” }

children {

net {

local_ts = 10.10.10.2/32 # static IP for Bob

}

}

}

}

</pre>

Note: local_ts represents the traffic selectors for the local side inside the IPsec SA, effectively advertising a fixed internal IP to the client. Alternatively, use rightsourceip in ipsec.conf-style setups.

IP Routing, NAT and Firewall

Enable NAT if clients must access the Internet through the VPN:

Example iptables for IPv4 forward + MASQUERADE:

<pre>

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -s 10.10.10.0/24 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -d 10.10.10.0/24 -m conntrack –ctstate ESTABLISHED -j ACCEPT

</pre>

Replace eth0 with the external interface name. For per-user firewalling, use the static client IPs to create fine-grained rules.

DNS and Traffic Routing

To push DNS servers to clients, include rightdns in your child SA configuration (swanctl or ipsec.conf). For split-tunneling, configure traffic selectors to only route specific prefixes inside the VPN.

Client Configuration

Brief client steps for common platforms:

Windows 10/11 (IKEv2 built-in)

  • Install client certificate into the user certificate store (if using cert auth).
  • Settings → Network & Internet → VPN → Add a VPN connection.
  • Choose “Windows (built-in)”, Server name or address = public IP or DNS, VPN type = IKEv2.
  • Enter username for EAP or choose certificate for certificate auth.

macOS / iOS

  • Use Profiles (Apple Configurator) or manual Add VPN in Settings → General → VPN (iOS) / Network (macOS).
  • Select IKEv2, use remote ID matching server certificate’s CN, and install client certificate if required.

Android

  • Many Android builds support IKEv2 via “IPsec Xauth PSK/Hybrid” but for proper IKEv2 with certs use third-party apps like strongSwan VPN Client.
  • Import the client certificate or username/password profile in the app and connect.

Monitoring and Troubleshooting

  • Check strongSwan logs: sudo journalctl -u strongswan -f or sudo tail -f /var/log/syslog.
  • Use swanctl --list-sas to view active SAs and traffic selectors.
  • Use ipsec statusall for legacy ipsecctl information on older installs.
  • If IPs are not assigned as expected, verify remote.id matches the client certificate/username and that the child SA traffic selectors advertise the proper local_ts/rightsourceip.

Security Hardening

  • Use modern cryptographic suites (e.g., AES-GCM, SHA2, and ECDH groups like Curve25519).
  • Disable legacy DH groups and weak ciphers.
  • Protect private keys and use an HSM for high-security environments where possible.
  • Rotate certificates and credentials regularly and use short-lived client certificates if possible.
  • Limit management access to the VPN server (SSH firewall rules, 2FA for admin access).

Scaling Considerations

For tens to thousands of clients, consider:

  • Using RADIUS for central authentication and dynamic address assignment.
  • Automated cert issuance (ACME is for TLS, not IKEv2 client certs — use an internal PKI with automation scripts).
  • High availability via active/passive frontends and a shared state store for re-keying (use load balancers and design for client reconnection).

Example: Static IP Mapping via RADIUS

When integrating with RADIUS, return the attribute that sets the IP address (e.g., Framed-IP-Address). strongSwan can honor this via the RADIUS plugin—use a reliable RADIUS server (FreeRADIUS) and configure per-user attributes.

Wrap-Up and Best Practices

Assigning static IPs with IKEv2 gives you deterministic addressing for policy enforcement and auditing. The most maintainable approach for small deployments is per-client connection entries with certificate-based auth. For larger deployments, integrate RADIUS or a backend that can respond dynamically via VICI and manage user-to-IP mappings programmatically.

Always prioritize secure key handling, strong ciphers, and accurate logging. Test client configurations across platforms to ensure the static IP mappings are applied correctly and firewall rules behave as expected.

For more detailed templates, scripts, and professionally maintained guides, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.