
Configure strongSwan

Last Updated: Mar 12, 2018

When using IPsec-VPN to create a site-to-site connection, you must configure the local gateway according to the IPsec connection configured for the Alibaba Cloud VPN gateway.

Alibaba Cloud IPsec connections support IKEv1 and IKEv2 protocols. Any device that supports these two protocols can connect to Alibaba Cloud VPN Gateway. This includes devices from Huawei, H3C, Cisco, ASN, Juniper, SonicWall, Nokia, IBM, and Ixia.

The H3C firewall is used as an example to show how to configure the VPN settings. The configurations used in this tutorial are as follows:

  • The IP address range of the Alibaba Cloud VPC is 192.168.10.0/24.

  • The IP address range of the local data center is 172.16.2.0/24.

  • The public IP address of the strongSwan server is 59.110.165.70.

    [Figure: overview]

Prerequisites

  • Make sure you have configured IPsec connections. For more information, see Configure a site-to-site connection.

  • Download the configurations of the created IPsec connection.

    In this tutorial, the configurations of the IPsec connection are as shown in the following figure:

    [Figure: ipsec]

Install strongSwan

The following steps use CentOS 7.3 for the tutorial:

  1. Check the system version.

    #cat /proc/version

    Linux version 3.10.0-514.26.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)) #1 SMP Tue Jul 4 15:04:05 UTC 2017

    #cat /etc/centos-release

    CentOS Linux release 7.3.1611 (Core)

  2. Install strongSwan.

    #yum install strongswan

  3. Check the software version.

    #strongswan version

    Linux strongSwan U5.5.3/K3.10.0-514.26.2.el7.x86_64 Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil, Switzerland See 'strongswan --copyright' for copyright information.

    For more information on how to install strongSwan on other systems or compile it on your own, see strongSwan Installation Documentation.

Configure strongSwan

  1. Configure ipsec.conf.

    #vi /etc/strongswan/ipsec.conf

    # ipsec.conf - strongSwan IPsec configuration file
    # basic configuration
    # Section parameters must be indented: a line starting in column 0 begins a new section.
    config setup
        uniqueids=never

    conn %default
        authby=psk
        type=tunnel

    # left = this strongSwan host and the local data center subnet,
    # right = the Alibaba Cloud VPN gateway and the VPC subnet
    conn tomyidc
        keyexchange=ikev1
        left=59.110.165.70
        leftsubnet=172.16.2.0/24
        leftid=59.110.165.70
        right=119.23.227.125
        rightsubnet=192.168.10.0/24
        rightid=119.23.227.125
        auto=route
        ike=aes-sha1-modp1024
        ikelifetime=86400s
        esp=aes-sha1-modp1024
        lifetime=86400s
        type=tunnel

  2. Configure ipsec.secrets.

    #vi /etc/strongswan/ipsec.secrets

    # local gateway ID, remote gateway ID, and the pre-shared key configured on the IPsec connection
    59.110.165.70 119.23.227.125 : PSK yourpassword

  3. Enable IP forwarding so that the host can route packets between the two subnets.

    #echo 1 > /proc/sys/net/ipv4/ip_forward

    This setting does not survive a reboot; to make it persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

    For more configuration examples for different scenarios, see Configuration Examples for Different Scenarios.

  4. Start the strongSwan service by running the following commands:

    #systemctl enable strongswan

    #systemctl start strongswan

  5. Configure two routes for strongSwan.

    One route sends the requests destined for the IDC clients to strongSwan. The other route sends the requests destined for strongSwan on to your IDC clients.
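As an added example that is not part of the Alibaba Cloud tutorial, the following Python renders ipsec.conf and ipsec.secrets from the connection parameters used above and checks them (valid addresses, non-overlapping subnets, a known DH group, correct section indentation) before they are copied onto the host. The SAMPLE field names and the DH group table are assumptions, since the downloaded connection configuration is only shown as a figure.

```python
import ipaddress

# DH group names as shown in the Alibaba Cloud console -> strongSwan names
DH_GROUPS = {"group1": "modp768", "group2": "modp1024",
             "group5": "modp1536", "group14": "modp2048"}

# Constructed sample with this tutorial's values; the field names are assumed.
SAMPLE = {
    "ike_version": "ikev1", "encryption": "aes", "auth": "sha1",
    "dh_group": "group2", "ike_lifetime": 86400, "ipsec_lifetime": 86400,
    "local_gateway": "59.110.165.70", "local_subnet": "172.16.2.0/24",
    "vpn_gateway": "119.23.227.125", "vpc_subnet": "192.168.10.0/24",
    "psk": "yourpassword",
}

def validate(p):
    """Reject malformed addresses, overlapping subnets and unknown DH groups."""
    for key in ("local_gateway", "vpn_gateway"):
        ipaddress.ip_address(p[key])  # raises ValueError if malformed
    loc = ipaddress.ip_network(p["local_subnet"])
    vpc = ipaddress.ip_network(p["vpc_subnet"])
    if loc.overlaps(vpc):
        raise ValueError(f"subnets overlap: {loc} / {vpc}")
    if p["dh_group"] not in DH_GROUPS:
        raise ValueError(f"unsupported DH group {p['dh_group']}")
    return True

def proposal(p):
    """Build the strongSwan proposal string, e.g. aes-sha1-modp1024."""
    return f"{p['encryption']}-{p['auth']}-{DH_GROUPS[p['dh_group']]}"

def render_ipsec_conf(p):
    """Return ipsec.conf; parameters are indented so they stay inside their
    conn section (a line starting in column 0 begins a new section)."""
    validate(p)
    prop = proposal(p)
    conn = [f"keyexchange={p['ike_version']}",
            f"left={p['local_gateway']}", f"leftsubnet={p['local_subnet']}",
            f"leftid={p['local_gateway']}", f"right={p['vpn_gateway']}",
            f"rightsubnet={p['vpc_subnet']}", f"rightid={p['vpn_gateway']}",
            "auto=route", f"ike={prop}", f"ikelifetime={p['ike_lifetime']}s",
            f"esp={prop}", f"lifetime={p['ipsec_lifetime']}s"]
    out = ["config setup", "    uniqueids=never", "",
           "conn %default", "    authby=psk", "    type=tunnel", "",
           "conn tomyidc"] + ["    " + line for line in conn]
    return "\n".join(out) + "\n"

def render_ipsec_secrets(p):
    """One PSK line keyed by both gateway IDs so it matches the conn above."""
    return f'{p["local_gateway"]} {p["vpn_gateway"]} : PSK "{p["psk"]}"\n'
```

Write the two strings to /etc/strongswan/ipsec.conf and /etc/strongswan/ipsec.secrets, keeping the secrets file readable by root only.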
