
How to Connect via IKEv2 on Windows, MacOS, Linux and Mobile Devices

Connecting from Windows 10

First, import the CA (located here) by following these steps:

  1. Press WINDOWS+R to bring up the Run dialogue, and enter mmc.exe to launch the Windows Management Console.
  2. From the File menu, navigate to Add or Remove Snap-in, select Certificates from the list of available snap-ins, and click Add.
  3. We want the VPN to work with any user, so select Computer Account and click Next.
  4. We're configuring things on the local computer, so select Local Computer, then click Finish.
  5. Under the Console Root node, expand the Certificates (Local Computer) entry, expand Trusted Root Certification Authorities, and then select the Certificates entry.

  6. From the Action menu, select All Tasks and click Import to display the Certificate Import Wizard. Click Next to move past the introduction.
  7. On the File to Import screen, press the Browse button and select the TorGuard IKEv2 certificate located here. Then click Next.

  8. Ensure that the Certificate Store is set to Trusted Root Certification Authorities, and click Next.

  9. Click Finish to import the certificate.

Then configure the VPN with these steps:

  1. Launch Settings, then navigate to Network and Internet.
  2. Click on VPN, then click Add a VPN Connection.
  3. Select (Windows-Built-in) as the Provider.
  4. Connection name - anything you wish
  5. Server Name or Address - this has to be a hostname; you can find those on our network page located here.
  6. Select VPN Type: IKEv2
  7. Type of sign-in info: Username and Password
  8. Your TG VPN Username
  9. Enter your TG VPN Password and then click Save.

Your new VPN connection will be visible under "Add a VPN Connection". Select the VPN and click Connect, and you'll be connected.

Connecting from macOS

Follow these steps to import the certificate:

  1. Download the IKEv2 Certificate file here, then double-click the certificate file. Keychain Access will pop up with a dialogue that says "Keychain Access is trying to modify the system keychain. Enter your password to allow this."
  2. Enter your password, then click on Modify Keychain.
  3. Double-click the newly imported VPN certificate. This brings up a small properties window where you can specify the trust levels. Set IP Security (IPSec) to Always Trust and you'll be prompted for your password again. This setting saves automatically after entering the password.

Now that the certificate is imported and trusted, configure the VPN connection with these steps:

  1. Go to System Preferences and choose Network
  2. Click on the small "plus" button on the lower-left of the list of networks.
  3. In the popup that appears, set Interface to VPN, set the VPN Type to IKEv2, and give the connection a name.
  4. In the Server field, choose a hostname located here or enter a TG IP - in the Remote ID field, enter * Leave the Local ID blank.
  5. Click on Authentication Settings, select Username, and enter your TorGuard username and password you configured for your VPN user. Then click OK.

Finally, click on *Connect* to connect to the VPN. You should now be connected to the VPN.

Connecting from Ubuntu

To connect from an Ubuntu machine, you can set up and manage StrongSwan as a service or use a one-off command every time you wish to connect. Instructions are provided for both.

Managing StrongSwan as a Service

  1. Update your local package cache: sudo apt update
  2. Install StrongSwan and the related software: sudo apt install strongswan libcharon-extra-plugins
  3. Copy the TorGuard IKEv2 CA certificate to the /etc/ipsec.d/cacerts directory: sudo cp /tmp/torguard-ikev2-rootca.pem /etc/ipsec.d/cacerts. Then use chmod to set the copied file's permissions to 600.
  4. Disable StrongSwan so that the VPN doesn't start automatically: sudo systemctl disable --now strongswan
  5. Configure your TorGuard VPN username and password in the /etc/ipsec.secrets file: your_username : EAP "your_password"
  6. Edit the file /etc/ipsec.conf to define your configuration.
config setup

conn ikev2-rw
    right=server_domain_or_IP
    rightsubnet=
    rightauth=pubkey
    leftsourceip=%config
    leftid=username
    leftauth=eap-mschapv2
    eap_identity=%identity
    auto=start

To connect to the VPN, type:

  • sudo systemctl start strongswan

To disconnect again, type:

  • sudo systemctl stop strongswan
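
The service setup above keeps the VPN password in clear text in /etc/ipsec.secrets and relies on rightauth=pubkey plus the installed CA file to authenticate the gateway. The script below is an added example, not TorGuard's or the StrongSwan project's code: it writes the secrets file with owner-only permissions and audits a configuration tree for those settings. The function names and the ROOT prefix argument are assumptions made for the example, and it expects one key=value setting per line.

```shell
#!/bin/sh
# Added example: the function names and the ROOT prefix are hypothetical.
# ROOT lets the checks run on a staging copy; pass "" for the real /etc.

# Octal mode of a file (GNU stat, then BSD stat as a fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }

# Write ipsec.secrets so the clear-text EAP password is owner-only.
write_secrets() {  # usage: write_secrets ROOT USERNAME PASSWORD
    case "$3" in
        *'"'*) echo 'a " in the password would end the quoted secret' >&2
               return 1 ;;
    esac
    ( umask 077 && printf '%s : EAP "%s"\n' "$2" "$3" > "$1/etc/ipsec.secrets" ) &&
        chmod 600 "$1/etc/ipsec.secrets"   # also tightens a pre-existing file
}

# Print the value of KEY in section "conn NAME" (one key=value per line).
conn_value() {  # usage: conn_value FILE NAME KEY
    awk -v name="$2" -v key="$3" '
        $1 == "conn" || $1 == "config" { in_conn = ($1 == "conn" && $2 == name); next }
        in_conn {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key "=") == 1) { print substr(line, length(key) + 2); exit }
        }' "$1" 2>/dev/null
}

# Print one line per finding; the return status is the number of findings.
audit_client() {  # usage: audit_client ROOT CONN
    n=0; conf="$1/etc/ipsec.conf"
    fail() { echo "FINDING: $1"; n=$((n + 1)); }
    [ "$(file_mode "$1/etc/ipsec.secrets")" = 600 ] ||
        fail "ipsec.secrets is not mode 600"
    # The gateway has to authenticate with a certificate ...
    [ "$(conn_value "$conf" "$2" rightauth)" = pubkey ] ||
        fail "rightauth is not pubkey"
    # ... that chains to a CA file which is actually installed.
    ls "$1"/etc/ipsec.d/cacerts/*.pem >/dev/null 2>&1 ||
        fail "no CA certificate in ipsec.d/cacerts"
    [ -n "$(conn_value "$conf" "$2" right)" ] || fail "right= is empty"
    [ "$(conn_value "$conf" "$2" leftauth)" = eap-mschapv2 ] ||
        fail "leftauth is not eap-mschapv2"
    return "$n"
}

if [ "$#" -eq 2 ]; then audit_client "$1" "$2"; fi
```

Run as root against the live system, the call is audit_client "" ikev2-rw; a return status of 0 means no findings.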

Using a Simple Client for One-Off Connections

  1. Update your local package cache: sudo apt update
  2. Install charon-cmd and related software: sudo apt install charon-cmd libcharon-extra-plugins
  3. Move to the directory where you copied the CA certificate (torguard-ikev2.pem): cd /path/to/
  4. Connect to the VPN server with charon-cmd using the server's CA certificate, the VPN server's IP address, and the username you configured: sudo charon-cmd --cert torguard-ikev2.pem --host vpn_domain_or_IP --identity your_username
  5. When prompted, provide the VPN user's password.

You should now be connected to the VPN. To disconnect, press CTRL+C and wait for the connection to close.
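
Every platform on this page installs the downloaded CA file as a trust anchor, and charon-cmd --cert trusts whatever file it is given. The script below is an added example, not TorGuard's code: it checks a PEM file before it is trusted by comparing its SHA-256 fingerprint with a value obtained separately from the download, then confirming it is a CA certificate and has not expired. It assumes the openssl command-line tool is installed; the function names are hypothetical and the expected fingerprint is a value you supply.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the expected fingerprint
# is supplied by the caller and should come from a separate channel.

# Print the SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if basicConstraints marks the certificate as a CA.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeed only if the certificate has not passed its notAfter date.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check and print the reason for the first failure.
verify_ca() {  # usage: verify_ca FILE EXPECTED_SHA256
    # Accept the expected value with or without colons, in either case.
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(cert_sha256 "$1")
    [ -n "$got" ] || { echo "not a readable PEM certificate"; return 1; }
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got"; return 1; }
    cert_is_ca "$1" || { echo "not a CA certificate"; return 1; }
    cert_not_expired "$1" || { echo "certificate has expired"; return 1; }
    echo "ok: $got"
}

# Stand-alone use: sh verify_ca.sh torguard-ikev2.pem EXPECTED_SHA256
if [ "$#" -eq 2 ]; then verify_ca "$1" "$2"; fi
```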

Connecting from iOS

To configure the VPN connection on an iOS device, follow these steps:

  1. Send yourself an email with the root certificate attached - you can download that here
  2. Open the email on your iOS device and tap on the attached certificate file, then tap Install and enter your passcode. Once it installs, tap Done.
  3. Go to Settings > General > VPN and tap Add VPN Configuration. This will bring up the VPN connection configuration screen.
  4. Tap on Type and select IKEv2.
  5. In the Description field, enter a short name for the VPN connection. This could be anything you like.
  6. In the Server and Remote ID field, enter The Local ID field can be left blank.
  7. Enter your TorGuard username and password in the Authentication section, then tap Done.
  8. Select the VPN connection that you just created, tap the switch on the top of the page, and you'll be connected.

Connecting from Android

Follow these steps to import the certificate:

  1. Send yourself an email with the CA certificate attached - you can download that here. Save the CA certificate to your downloads folder.
  2. Download the StrongSwan VPN client from the Play Store.
  3. Open the app. Tap the "more" icon in the upper-right corner (the three dots icon) and select CA certificates.
  4. Tap the "more" icon in the upper-right corner again. Select Import certificate.
  5. Browse to the CA certificate file in your downloads folder and select it to import it into the app.

Now that the certificate is imported into the StrongSwan app, you can configure the VPN connection with these steps:

  1. In the app, tap ADD VPN PROFILE at the top.
  2. Fill out the Server with your VPN server's domain name or public IP address.
  3. Make sure IKEv2 EAP (Username/Password) is selected as the VPN Type.
  4. Fill out the Username and Password with the credentials you defined on the server.
  5. Deselect Select automatically in the CA certificate section and click Select CA certificate.
  6. Tap the IMPORTED tab at the top of the screen and choose the CA you imported (it will be named "VPN root CA").
  7. If you'd like, fill out Profile name (optional) with a more descriptive name.

When you wish to connect to the VPN, click on the profile you just created in the StrongSwan application.
