
VPN Gateway:Configure strongSwan

Last Updated:Feb 19, 2024

When you use IPsec-VPN to establish a site-to-site connection, you must add VPN configurations to the gateway device in the data center after you configure the VPN gateway on Alibaba Cloud. This way, an IPsec-VPN connection between the data center and Alibaba Cloud is established. This topic describes how to add VPN configurations to the gateway device in the data center. In this example, strongSwan is used.

Scenario

[Figure: strongSwan configuration example]

This example uses the scenario shown in the figure. A company has deployed a virtual private cloud (VPC) on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24, and the company's applications run on Elastic Compute Service (ECS) instances in the VPC. The company also has a data center whose CIDR block is 172.16.2.0/24. As the business grows, the company wants to connect the data center to the VPC and decides to use a VPN gateway to establish an IPsec-VPN connection between the two, so that the data center can communicate with the VPC.

The following table describes the network configurations.

Item                                                                   Example
VPC
  Private CIDR block of the VPC to be connected to the data center     192.168.10.0/24
VPN gateway
  Public IP address of the VPN gateway                                 119.XX.XX.125
Data center
  Private CIDR block of the data center to be connected to the VPC     172.16.2.0/24
  Public IP address of the gateway device in the data center           59.XX.XX.70

Note

A strongSwan gateway does not need a public IP address of its own. If the gateway devices in your data center share one Internet egress (a NAT device), they are not assigned public IP addresses, and you can use the private IP address of the gateway device to establish the IPsec-VPN connection. strongSwan detects the NAT during IKE negotiation and switches to NAT traversal (UDP port 4500) automatically; the NAT device must therefore allow UDP ports 500 and 4500 between the gateway device and the public IP address of the VPN gateway.

Prerequisites

  • A VPN gateway, a customer gateway, and an IPsec-VPN connection are created on Alibaba Cloud. Routes are configured for the VPN gateway. For more information, see Connect a VPC to a data center in single-tunnel mode.

    Note

    If you use the private IP address of a gateway device to establish an IPsec-VPN connection, you must specify the private IP address of the gateway device when you create a customer gateway.

  • The configuration file of the IPsec-VPN connection is downloaded. For more information, see Download the configuration file of an IPsec-VPN connection.

    The following table describes the configurations of the IPsec-VPN connection. The strongSwan settings in Step 2 must match these values exactly, or IKE negotiation fails with a "no proposal chosen" error.

    Item                                   Example
    Pre-shared key                         ff123TT****
    Internet Key Exchange (IKE) configurations
      IKE version                          ikev1
      Negotiation mode                     main
      Encryption algorithm                 aes
      Authentication algorithm             sha1
      Diffie-Hellman (DH) group            group2
      Security association (SA) lifetime (seconds)   86400
    IPsec configurations
      Encryption algorithm                 aes
      Authentication algorithm             sha1
      DH group                             group2
      SA lifetime (seconds)                86400

Step 1: Install strongSwan

Note

The commands in this step and Step 2 are for reference only. For more information about the actual commands, see the manual of your gateway device.

  1. Open the CLI of your gateway device.

  2. Run the following command to install strongSwan (on CentOS and RHEL, the strongswan package is provided by the EPEL repository):

    yum install strongswan
  3. Optional. Run the following command to check which version of strongSwan was installed:

    strongswan version

Step 2: Configure strongSwan

  1. Run the following command to open the ipsec.conf file:

    vi /etc/strongswan/ipsec.conf
  2. Modify the ipsec.conf file based on the following information:

    # ipsec.conf - strongSwan IPsec configuration file
    # basic configuration
    config setup
        uniqueids=never             # Does not replace an existing IKE SA when a new one with the same peer identity is negotiated.
    conn %default
        authby=psk                  # Enables authentication based on pre-shared keys.
        type=tunnel
    conn tomyidc
        keyexchange=ikev1           # The version of the IKE protocol that is used by the IPsec-VPN connection. Add aggressive=yes if the connection uses aggressive mode.
        left=59.XX.XX.70            # The public IP address of the gateway device. If you use the private IP address of a gateway device to establish an IPsec-VPN connection, set this parameter to the private IP address of the gateway device.
        leftsubnet=172.16.2.0/24    # The private CIDR block of the data center to be connected to the VPC.
        leftid=59.XX.XX.70          # The identifier of the gateway device. If you use the private IP address of a gateway device to establish an IPsec-VPN connection, we recommend that you use the private IP address of the gateway device as the identifier.
        right=119.XX.XX.125         # The public IP address of the VPN gateway.
        rightsubnet=192.168.10.0/24 # The private CIDR block of the VPC to be connected to the data center.
        rightid=119.XX.XX.125       # The identifier of the VPN gateway.
        auto=route                  # Installs a trap policy at startup; the tunnel is negotiated as soon as traffic matching the subnets appears.
        ike=aes-sha1-modp1024       # The encryption algorithm, authentication algorithm, and DH group of the IKE protocol (group2 = modp1024).
        ikelifetime=86400s          # The SA lifetime of the IKE protocol.
        esp=aes-sha1-modp1024       # The encryption algorithm and authentication algorithm of the IPsec protocol, plus the DH group used for Perfect Forward Secrecy (PFS).
        lifetime=86400s             # The SA lifetime of the IPsec protocol.
        type=tunnel
  3. Configure the ipsec.secrets file.

    1. Run the following command to open the ipsec.secrets file:

      vi /etc/strongswan/ipsec.secrets
    2. Add the following configuration to the file.

      Note

      You can use one of the following configuration methods. Quote the pre-shared key so that special characters (for example # or spaces) are not misparsed, and keep the file readable only by root, because it holds the key in clear text.

      • Method 1: bind the key to both identities (the gateway device and the VPN gateway).

        # ff123TT**** is the pre-shared key of the IPsec-VPN connection. The data center and the VPN gateway must use the same pre-shared key.
        59.XX.XX.70 119.XX.XX.125 : PSK "ff123TT****"

      • Method 2: bind the key to the VPN gateway identity only. This entry matches any local identity, which is convenient when the gateway device uses a private IP address.

        # ff123TT**** is the pre-shared key of the IPsec-VPN connection. The data center and the VPN gateway must use the same pre-shared key.
        119.XX.XX.125 : PSK "ff123TT****"

  4. Run the following command to enable IP forwarding, so that the gateway device forwards packets between the data center network and the tunnel:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    This setting is lost on reboot. To make it persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or in a file under /etc/sysctl.d/) and apply it with sysctl -p. For more information, see the strongSwan documentation.

  5. Run the following command to start strongSwan:

    systemctl enable strongswan
    systemctl start strongswan
  6. Configure routing on both sides of the gateway device. On the clients in the data center (or on the router they use as default gateway), add a route that sends traffic destined for 192.168.10.0/24 to the private IP address of the strongSwan host. On the strongSwan host, make sure that a route to 172.16.2.0/24 exists (usually its directly connected LAN) so that traffic arriving from the tunnel reaches the clients. If a firewall sits in front of the gateway device, allow UDP ports 500 and 4500 and ESP (IP protocol 50) to and from 119.XX.XX.125.

  7. If you establish more than three IPsec-VPN connections by using strongSwan, you must modify the configuration in the /etc/strongswan/strongswan.d/charon.conf file.

    The max_ikev1_exchanges parameter limits the number of IKEv1 phase 2 (Quick Mode) exchanges that charon tracks concurrently; its default value is 3. Remove the comment delimiter (#) before max_ikev1_exchanges = 3 so that the parameter takes effect, set it to a value greater than the number of IPsec-VPN connections that you establish, and then restart strongSwan so that the new value is loaded.

    For example, if you establish four IPsec-VPN connections by using strongSwan, set max_ikev1_exchanges = 5.
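To tie Step 2 together, the following Python script is added here as an example; it is not Alibaba Cloud or strongSwan tooling. It renders ipsec.conf and ipsec.secrets from the values in the connection configuration table (translating Alibaba Cloud algorithm names such as group2 into the strongSwan proposal token modp1024), flags legacy algorithm choices, works out the charon.conf change from Step 2.7, and checks a `strongswan statusall` listing for an established tunnel. It generalises the page's case slightly: it also emits aggressive=yes for IKEv1 aggressive mode and maps other DH groups and hash algorithms. The function names, the CONNECTION dict, the mapping tables and the SAMPLE_STATUS text are assumptions made for this example; SAMPLE_STATUS is constructed to mimic strongSwan's status format and was not captured from a real gateway.

```python
# Added example: render strongSwan files for an Alibaba Cloud IPsec-VPN connection
# and verify the tunnel state. Names and sample data are assumptions, not page content.
import re

# Alibaba Cloud algorithm names -> strongSwan proposal tokens (ike=/esp= syntax).
# "aes" is AES-128 in both naming schemes; groupN is the IKE DH group number.
ENC = {"aes": "aes", "aes192": "aes192", "aes256": "aes256", "des": "des", "3des": "3des"}
AUTH = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
# Legacy choices worth flagging before accepting the downloaded defaults.
LEGACY = {"des", "3des", "md5", "sha1", "group1", "group2"}

# Values taken from this page's connection configuration table.
CONNECTION = {
    "name": "tomyidc",
    "left": "59.XX.XX.70", "leftsubnet": "172.16.2.0/24",
    "right": "119.XX.XX.125", "rightsubnet": "192.168.10.0/24",
    "psk": "ff123TT****",
    "ike_version": "ikev1", "mode": "main",
    "ike_enc": "aes", "ike_auth": "sha1", "ike_dh": "group2", "ike_lifetime": 86400,
    "ipsec_enc": "aes", "ipsec_auth": "sha1", "ipsec_dh": "group2", "ipsec_lifetime": 86400,
}


def proposal(enc, auth, dh):
    """Translate one Alibaba (enc, auth, dh) triple into a strongSwan proposal string."""
    try:
        return f"{ENC[enc]}-{AUTH[auth]}-{DH[dh]}"
    except KeyError as missing:
        raise ValueError(f"algorithm name not in mapping: {missing}") from None


def legacy_algorithms(c):
    """Sorted list of legacy algorithm names the connection relies on."""
    keys = ("ike_enc", "ike_auth", "ike_dh", "ipsec_enc", "ipsec_auth", "ipsec_dh")
    return sorted({c[k] for k in keys if c[k] in LEGACY})


def render_ipsec_conf(c):
    """Build ipsec.conf; aggressive=yes is emitted only for IKEv1 aggressive mode."""
    lines = [
        "config setup",
        "    uniqueids=never",
        "conn %default",
        "    authby=psk",
        "    type=tunnel",
        f"conn {c['name']}",
        f"    keyexchange={c['ike_version']}",
    ]
    if c["ike_version"] == "ikev1" and c["mode"] == "aggressive":
        lines.append("    aggressive=yes")
    lines += [
        f"    left={c['left']}",
        f"    leftsubnet={c['leftsubnet']}",
        f"    leftid={c['left']}",
        f"    right={c['right']}",
        f"    rightsubnet={c['rightsubnet']}",
        f"    rightid={c['right']}",
        "    auto=route",
        f"    ike={proposal(c['ike_enc'], c['ike_auth'], c['ike_dh'])}",
        f"    ikelifetime={c['ike_lifetime']}s",
        f"    esp={proposal(c['ipsec_enc'], c['ipsec_auth'], c['ipsec_dh'])}",
        f"    lifetime={c['ipsec_lifetime']}s",
    ]
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(c):
    """Build ipsec.secrets with the PSK quoted and bound to both identities (Method 1)."""
    if '"' in c["psk"] or "\n" in c["psk"]:
        raise ValueError("PSK contains a character that cannot be quoted safely")
    return f'{c["left"]} {c["right"]} : PSK "{c["psk"]}"\n'


def charon_max_ikev1_exchanges(num_connections):
    """charon.conf line needed for more than three connections, else None (default 3 suffices)."""
    if num_connections <= 3:
        return None
    return f"max_ikev1_exchanges = {num_connections + 1}"


# Constructed `strongswan statusall` output for a tunnel that came up successfully.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
     tomyidc[1]: ESTABLISHED 12 seconds ago, 59.XX.XX.70[59.XX.XX.70]...119.XX.XX.125[119.XX.XX.125]
     tomyidc[1]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 9f8e7d6c5b4a3928_r, pre-shared key reauthentication in 23 hours
     tomyidc{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i 0badf00d_o
     tomyidc{1}:   172.16.2.0/24 === 192.168.10.0/24
"""


def tunnel_is_up(statusall_output, conn):
    """True when conn has an ESTABLISHED IKE SA (conn[n]) and an INSTALLED CHILD SA (conn{n})."""
    name = re.escape(conn)
    ike = re.search(rf"^\s*{name}\[\d+\]: ESTABLISHED", statusall_output, re.M)
    child = re.search(rf"^\s*{name}\{{\d+\}}:\s+INSTALLED", statusall_output, re.M)
    return bool(ike and child)


if __name__ == "__main__":
    print(render_ipsec_conf(CONNECTION))
    print(render_ipsec_secrets(CONNECTION))
    print("legacy algorithms:", legacy_algorithms(CONNECTION))
    print("tunnel up:", tunnel_is_up(SAMPLE_STATUS, "tomyidc"))
```

Write the two rendered files to /etc/strongswan/ipsec.conf and /etc/strongswan/ipsec.secrets (the secrets file with mode 0600), start strongSwan, send a packet toward 192.168.10.0/24 to trigger the trap policy, and then feed the output of `strongswan statusall` to tunnel_is_up. Treat a non-empty legacy_algorithms result as a prompt to select sha256 and group14 (or stronger) on both the VPN gateway and in these files if the VPN gateway offers them; the values must still match on both sides.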