Configure strongSwan

Edit in Github

Last Updated: Nov 29, 2018 Edit in Github

When using IPsec-VPN to create a site-to-site connection, you must configure the local gateway according to the IPsec connection configured for the Alibaba Cloud VPN gateway. This article takes strongswan as an example to show you how to load a VPN configuration in a local site.

This document takes strongSwan as an example to show how to configure the VPN settings. The configurations used in this tutorial are as follows:

The IP address range of the Alibaba Cloud VPC is 192.168.10.0/24.
The IP address range of the local data center is 172.16.2.0/24.
The public IP of strongSwan is 59.110.165.70.

Prerequisites

Make sure you have configured IPsec connections. For more information, see Configure a site-to-site connection.
After you create an IPsec connection, download the configurations of the created IPsec connection. For more information, see Manage an IPsec connection.

Install strongSwan

Run the following command to install strongSwan.
```
# yum install strongSwan
```
Run the following to view the installed software version.
```
# strongswan version
```

Run the following command to open the ipsec.conf file.
```
# vi /etc/strongswan/ipsec.conf
```

Refer to the following configurations to update the ipsec.conf file.

# ipsec.conf - strongSwan IPsec configuration file
 # basic configuration
 config setup
     uniqueids=never
 conn %default
     authby=psk
     type=tunnel
 conn tomyidc
     keyexchange=ikev1
     left=59.110.165.70
     leftsubnet=172.16.2.0/24
     leftid=59.110.165.70 (Public IP of the loca gateway)
     right=119.23.227.125
     rightsubnet=192.168.10.0/24
     rightid=119.23.227.125 (Public IP of the VPN Gateway)
     auto=route
     ike=aes-sha1-modp1024
     ikelifetime=86400s
     esp=aes-sha1-modp1024
     lifetime=86400s
     type=tunnel

Configure the ipsec.secrets file.
1. Run the following command to open the configuration file.
```
# vi /etc/strongswan/ipsec.secrets
```
2. Add the following configuration.
```
59.110.165.70 119.23.227.125 : PSK yourpassword
```
Enable system forwarding.
```
# echo 1 > /proc/sys/net/ipv4/ip_forward
```
For more configuration examples for different scenarios, see Configuration examples for different scenarios.

Run the following command to start the strongSwan service.

# systemctl enable strongswan
# systemctl start strongswan

Configure two routings in strongSwan. One is used to route the requests destined for the IDC client to strongSwan. The other one is used to route the requests destined for strongSwan to your IDC client.