Desktop Linux speaks IKEv2 through strongSwan, and the friendliest way to drive it is the NetworkManager plugin: the VPN shows up next to your Wi-Fi networks, toggled from the system menu.
One setting people miss
With default options the connection authenticates and then fails at the tunnel stage with FAILED_CP_REQUIRED / TS_UNACCEPT. The fix is a single checkbox, Request an inner IP address, covered in step 4. If you’re here because of that error, jump straight to it.
Log out and back in (or sudo systemctl restart NetworkManager) so the new VPN type appears.
Add the VPN connection
Open Settings → Network → VPN → Add, and choose IPsec/IKEv2 (strongswan).
Fill in the server and credentials
Address: the server address from the Servers page IKEv2 tab
Certificate: leave as (None); the server presents a public certificate
Authentication:EAP (Username/Password)
Username / Password: your VPN credentials from the Servers page
Tick “Request an inner IP address”
Open the Options section at the bottom and enable Request an inner IP address. This is the step the default dialog leaves unchecked, and without it the tunnel is rejected after authentication.
Save and connect
Save, then flip the VPN toggle in your system menu.
Verify
From a terminal:
Terminal window
curl-shttps://buyvpn.com/api/ip
If it returns the VPN server’s IP, not yours, you’re tunnelled. IKEv2 is a fast native protocol, so on a good line it barely dents your speed. Here’s a real result through the tunnel on a UK server:
Troubleshooting
Headless server instead?
Without a desktop, strongSwan is configured via swanctl.conf, which is its own rabbit hole. For servers we recommend the simpler OpenVPN CLI route, or open a ticket and we’ll help with a swanctl config.