VPN Gateway: Configure a strongSwan device

Last Updated: Aug 23, 2024

When you establish an IPsec-VPN connection between a data center and a virtual private cloud (VPC) in Alibaba Cloud, you must add VPN configurations to the gateway device in the data center after you configure the VPN gateway on Alibaba Cloud. This topic describes how to add VPN configurations to the gateway device in the data center by using strongSwan.

Sample scenario


In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 10.0.0.0/16. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The company has a data center that needs to use the CIDR block 192.168.0.0/16 to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.

Important

In this sample scenario, the local gateway device on which strongSwan is to be deployed is referred to as the strongSwan device. The data center uses a public IP address of the strongSwan device to establish an IPsec-VPN connection with Alibaba Cloud in dual-tunnel mode. If you want to establish an IPsec-VPN connection in single-tunnel mode, see the Configure a strongSwan device to use a single tunnel section in this topic.

CIDR block plan and sample VPN configurations

CIDR block plan

Resource | CIDR block | IP address
Data center | CIDR block that needs to communicate with the VPC: 192.168.0.0/16 | Server IP address: 192.168.10.198
strongSwan device | N/A | Physical interface that connects to the Internet on the strongSwan device: eth0, which is configured with the public IP address 8.XX.XX.99; strongSwan version: 5.9.10
VPC | Primary CIDR block: 10.0.0.0/16; vSwitch 1: 10.0.10.0/24; vSwitch 2: 10.0.20.0/24 | ECS IP address: 10.0.10.250
Public VPN gateway | N/A | IPsec address 1: 8.XX.XX.149; IPsec address 2: 8.XX.XX.137

Note

After you create a VPN gateway, the system automatically assigns IP addresses to the VPN gateway.

Sample VPN configurations

  • In this example, Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel. The two tunnels use the same sample values.

  • The VPN configurations on Alibaba Cloud and the strongSwan device must be the same for each tunnel.

Configuration item | Sample value on Alibaba Cloud | Sample value on the strongSwan device
Pre-shared key (PSK) | 123456**** | 123456****
Internet Key Exchange (IKE) configurations
  IKE version | ikev2 | ikev2
  Negotiation mode | main | main
  Encryption algorithm | aes | aes
  Authentication algorithm | sha1 | sha1
  Diffie-Hellman (DH) group | group2 | group2
  Security association (SA) lifecycle (seconds) | 86400 | 86400
IPsec configurations
  Encryption algorithm | aes | aes
  Authentication algorithm | sha1 | sha1
  DH group | group2 | group2
  SA lifecycle (seconds) | 86400 | 86400

Prerequisites

This topic describes only how to add VPN configurations to a strongSwan device. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the strongSwan device, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and configure routing for the VPN gateway. For more information, see Connect a VPC to a data center in dual-tunnel mode.

Note

In this scenario, the strongSwan device in the data center establishes an IPsec-VPN connection in dual-tunnel mode to Alibaba Cloud by using a public IP address. Therefore, you need to create only one customer gateway. When you create an IPsec-VPN connection, you can associate the two tunnels with the same customer gateway.

Procedure

Note

In the following example, Alibaba Cloud Linux 3.2104 LTS 64-bit is used to describe how to configure a strongSwan device. For information about the procedure that applies if you use another operating system, see strongSwan Installation Documentation.

  1. Go to the CLI of the strongSwan device.

  2. Run the following command to install strongSwan:

    sudo yum install -y strongswan-5.9.10
  3. Enable traffic forwarding for the strongSwan device.

    echo 1 > /proc/sys/net/ipv4/ip_forward
    Important

    The preceding command requires root permissions, and its effect is temporary: after you restart the strongSwan device, you must run the command again. If you want to enable traffic forwarding for the strongSwan device permanently, perform the following steps.


    1. Run the following command to open the /etc/sysctl.conf file:

      sudo vi /etc/sysctl.conf
    2. Press the I key to enter the edit mode.

    3. Add the following configuration to the file:

      net.ipv4.ip_forward = 1
    4. Press the Esc key, enter :wq, and then press the Enter key to save the change.

    5. Run the following command to apply the change:

      sudo sysctl -p
  4. Create two virtual network interfaces for establishing IPsec-VPN tunnels.

    sudo ip link add ipsec0 type xfrm dev eth0 if_id 42 # Create an XFRM virtual network interface for Tunnel 1 with the interface ID 42 and the public interface eth0 as the underlying interface. 
    sudo ip link add ipsec1 type xfrm dev eth0 if_id 43 # Create an XFRM virtual network interface for Tunnel 2 with the interface ID 43 and the public interface eth0 as the underlying interface. 
    sudo ip link set ipsec0 up # Start the XFRM virtual network interface for Tunnel 1. 
    sudo ip link set ipsec1 up # Start the XFRM virtual network interface for Tunnel 2.

    Important

    The preceding configuration for creating virtual network interfaces is temporary. After you restart the strongSwan device, you must add the configuration again and then run the sudo systemctl restart strongswan command followed by the sudo swanctl --load-all command. Both commands require root permissions. If you want the virtual network interfaces to be created automatically after the strongSwan device is restarted, configure a script that runs on system startup by performing the following steps.


    1. Run the following command to create a script:

      vi xfrm.sh
    2. Press the I key to enter the edit mode.

    3. Add the following configuration to the script:

      #!/usr/bin/env bash
      # The script is executed by rc.local at startup, so it needs an interpreter line to be runnable.
      sudo ip link add ipsec0 type xfrm dev eth0 if_id 42 # Create an XFRM virtual network interface for Tunnel 1 with the interface ID 42 and the public interface eth0 as the underlying interface. 
      sudo ip link add ipsec1 type xfrm dev eth0 if_id 43 # Create an XFRM virtual network interface for Tunnel 2 with the interface ID 43 and the public interface eth0 as the underlying interface. 
      sudo ip link set ipsec0 up # Start the XFRM virtual network interface for Tunnel 1. 
      sudo ip link set ipsec1 up # Start the XFRM virtual network interface for Tunnel 2.

    4. Press the Esc key, enter :wq, and then press the Enter key to save the change.

    5. Run the following command to view the absolute path of the script:

      sudo find / -name xfrm.sh
    6. Add the absolute path of the script to the /etc/rc.d/rc.local file.

      sudo vi /etc/rc.d/rc.local

      Press the I key to enter the edit mode and add the following line, which is the absolute path of the script:

      /root/xfrm.sh

      Press the Esc key, enter :wq, and then press the Enter key to save the change.
    7. Run the following commands to make the rc.local and xfrm.sh files executable:

      sudo chmod +x /etc/rc.d/rc.local
      sudo chmod +x /root/xfrm.sh
  5. Modify the strongSwan configuration file.

    1. Run the following command to open the strongSwan configuration file:

      sudo vi /etc/strongswan/swanctl/swanctl.conf
    2. Press the I key to enter the edit mode.

    3. Delete all the original configurations in the file and add VPN configurations based on the following sample code.

      Important

      Replace the IP addresses in the sample code with the IP addresses that you actually use, and make sure that the VPN configurations on Alibaba Cloud and those on the strongSwan device are the same.

      connections {
         vco1 {                            # The VPN configurations of IPsec-VPN Tunnel 1.
            version = 2                    # The IKE version, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. A value of 2 indicates IKEv2. 
            local_addrs  = 8.XX.XX.99      # The public IP address for which you want to create an IPsec-VPN connection. 
            remote_addrs = 8.XX.XX.149     # Set the remote address of Tunnel 1 to the VPN gateway address of Tunnel 1 on Alibaba Cloud, which is IPsec address 1. 
            dpd_delay = 10                 # Send a dead peer detection (DPD) probe when no traffic has been received from the peer for 10 seconds. 
            rekey_time = 84600             # The IKE rekey time of Tunnel 1. The hard lifetime of the IKE SA is rekey_time + over_time (84600 + 1800 = 86400 seconds), which must be the same as the SA lifecycle specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. 
            over_time = 1800               # The time, in seconds, for which the IKE SA remains valid after rekey_time if the rekeying has not completed. 
            proposals = aes-sha1-modp1024  # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
            encap = yes
      
            local {
               auth = psk                  # Authenticate the data center (the local end) with a pre-shared key. 
               id = 8.XX.XX.99             # The ID of the data center, which must be the same as the RemoteId value of Tunnel 1 on Alibaba Cloud. 
            }
            remote {
               auth = psk                  # Authenticate the VPN gateway (the remote end) with a pre-shared key. 
               id = 8.XX.XX.149            # The ID of the VPC, which must be the same as the LocalId value of Tunnel 1 on Alibaba Cloud. 
            }
            children {
               vco_child1 {
                  local_ts  = 0.0.0.0/0    # The local traffic selector. Alibaba Cloud uses destination-based routing for this connection, so both selectors are 0.0.0.0/0 and the routes added by the updown script decide which traffic enters the tunnel. 
                  remote_ts = 0.0.0.0/0    # The remote traffic selector, also 0.0.0.0/0 for the same reason. 
                  mode = tunnel
                  rekey_time = 85500       # Rekey the IPsec SA of Tunnel 1 900 seconds before life_time expires. 
                  life_time = 86400        # The SA lifecycle of Tunnel 1, which must be the same as that specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. 
                  dpd_action = restart
                  start_action = start
                  close_action = start
                  esp_proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
      
                  if_id_out = 42           # Specify that the XFRM virtual network interface of Tunnel 1 is used as the egress port and ingress port of Tunnel 1. 
                  if_id_in = 42
                  updown = /root/connect_1.sh         # Execute the /root/connect_1.sh script to configure routing based on the UP/DOWN status of Tunnel 1. 
               }
            }
         }
        vco2 {                             # The VPN configurations of IPsec-VPN Tunnel 2.
            version = 2                    # The IKE version, which must be the same as that configured for Tunnel 2 on Alibaba Cloud. A value of 2 indicates IKEv2. 
            local_addrs  = 8.XX.XX.99      # The public IP address for which you want to create an IPsec-VPN connection. 
            remote_addrs = 8.XX.XX.137     # Set the remote address of Tunnel 2 to the VPN gateway address of Tunnel 2 on Alibaba Cloud, which is IPsec address 2. 
            dpd_delay = 10                 # Send a dead peer detection (DPD) probe when no traffic has been received from the peer for 10 seconds. 
            rekey_time = 84600             # The IKE rekey time of Tunnel 2. The hard lifetime of the IKE SA is rekey_time + over_time (84600 + 1800 = 86400 seconds), which must be the same as the SA lifecycle specified in the IKE configurations of Tunnel 2 on Alibaba Cloud. 
            over_time = 1800               # The time, in seconds, for which the IKE SA remains valid after rekey_time if the rekeying has not completed. 
            proposals = aes-sha1-modp1024  # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IKE configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024. 
            encap = yes
      
            local {
               auth = psk                  # Authenticate the data center (the local end) with a pre-shared key. 
               id = 8.XX.XX.99             # The ID of the data center, which must be the same as the RemoteId value of Tunnel 2 on Alibaba Cloud. 
            }
            remote {
               auth = psk                  # Authenticate the VPN gateway (the remote end) with a pre-shared key. 
               id = 8.XX.XX.137            # The ID of the VPC, which must be the same as the LocalId value of Tunnel 2 on Alibaba Cloud. 
            }
            children {
               vco_child2 {
                  local_ts  = 0.0.0.0/0    # The local traffic selector. Alibaba Cloud uses destination-based routing for this connection, so both selectors are 0.0.0.0/0 and the routes added by the updown script decide which traffic enters the tunnel. 
                  remote_ts = 0.0.0.0/0    # The remote traffic selector, also 0.0.0.0/0 for the same reason. 
                  mode = tunnel
                  rekey_time = 85500       # Rekey the IPsec SA of Tunnel 2 900 seconds before life_time expires. 
                  life_time = 86400        # The SA lifecycle of Tunnel 2, which must be the same as that specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud. 
                  dpd_action = restart
                  start_action = start
                  close_action = start
                  esp_proposals = aes-sha1-modp1024     # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024. 
                  if_id_out = 43           # Specify that the XFRM virtual network interface of Tunnel 2 is used as the egress port and ingress port of Tunnel 2. 
                  if_id_in = 43
                  updown = /root/connect_2.sh           # Execute the /root/connect_2.sh script to configure routing based on the UP/DOWN status of Tunnel 2. 
               }
            }
         }
      }
      
      secrets {
         ike-vco1 {
            secret = 123456****            # The PSK of Tunnel 1, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. 
         }
         ike-vco2 {
            secret = 123456****            # The PSK of Tunnel 2, which must be the same as that configured for Tunnel 2 on Alibaba Cloud. 
         }
      }
    4. Press the Esc key, enter :wq, and then press the Enter key to save the change.

  6. Perform the following steps to create the updown scripts that add or withdraw the route for traffic from the data center to the VPC whose CIDR block is 10.0.0.0/16.

    1. Run the following command to open the /root/connect_1.sh file:

      sudo vi /root/connect_1.sh
    2. Press the I key to enter the edit mode.

    3. Add the following configurations to the script.

      If the status of Tunnel 1 is UP, add a route that sends traffic from the data center to the VPC CIDR block 10.0.0.0/16 through the XFRM virtual network interface of Tunnel 1, with a metric of 100 so that this route takes precedence over the route through the XFRM virtual network interface of Tunnel 2 (the kernel prefers the route with the lower metric). If the status of Tunnel 1 is DOWN, withdraw the route.

      #!/usr/bin/env bash
      if [ x"$PLUTO_VERB" == "xup-client" ]; then
      	echo "ip route add 10.0.0.0/16 dev ipsec0" >> /root/vpn_route.log;ip route add 10.0.0.0/16 dev ipsec0 metric 100
      elif [ x"$PLUTO_VERB" == "xdown-client" ]; then
      	echo "ip route del 10.0.0.0/16 dev ipsec0" >> /root/vpn_route.log;ip route del 10.0.0.0/16 dev ipsec0 metric 100
      fi
    4. Press the Esc key, enter :wq, and then press the Enter key to save the change.

    5. Repeat the preceding steps to modify the /root/connect_2.sh file.

      If the status of Tunnel 2 is UP, add a route that sends traffic from the data center to the VPC CIDR block 10.0.0.0/16 through the XFRM virtual network interface of Tunnel 2, with a metric of 101 so that this route has a lower priority than the route through the XFRM virtual network interface of Tunnel 1. If the status of Tunnel 2 is DOWN, withdraw the route.

      #!/usr/bin/env bash
      if [ x"$PLUTO_VERB" == "xup-client" ]; then
      	echo "ip route add 10.0.0.0/16 dev ipsec1" >> /root/vpn_route.log;ip route add 10.0.0.0/16 dev ipsec1 metric 101
      elif [ x"$PLUTO_VERB" == "xdown-client" ]; then
      	echo "ip route del 10.0.0.0/16 dev ipsec1" >> /root/vpn_route.log;ip route del 10.0.0.0/16 dev ipsec1 metric 101
      fi
    6. Run the following commands to make the /root/connect_1.sh and /root/connect_2.sh files executable:

      sudo chmod +x /root/connect_1.sh
      sudo chmod +x /root/connect_2.sh
    7. Restart the strongSwan process.

      sudo systemctl restart strongswan
  7. View the tunnel status and routes.

    In normal cases, after you perform the preceding steps, an IPsec-VPN connection is established between the strongSwan device and the VPN gateway. You can run the following commands to view the tunnel status and routes of the IPsec-VPN connection:

    sudo swanctl --list-sas  # View the tunnel status.
    route -n            # View the routing configurations.

    (Figure: the IPsec routes displayed by the preceding commands)

  8. On the data center side, configure routes from the data center to the strongSwan device and from the strongSwan device to the data center.

    Then, you can test the network connectivity between the data center and Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in dual-tunnel mode topic.
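Before relying on the tunnels, it pays to confirm that swanctl.conf actually agrees with the sample VPN configuration table: a proposal or SA lifecycle mismatch is the most common reason a tunnel never comes up, and an ike secret without an id selector is offered to any peer. The following Python script is an added example and is not part of this topic or of strongSwan. Its function names, the EXPECTED table and the configuration text it parses are this example's own; the sample configuration is constructed for the demonstration, with Tunnel 1 consistent and three planted errors in Tunnel 2.

```python
"""Consistency check for a dual-tunnel swanctl.conf.  Added example, not part of
this topic or of strongSwan: it parses swanctl.conf's brace syntax and checks the
settings that must agree with the cloud side (IKE hard lifetime = rekey_time +
over_time, IKE/ESP proposals, CHILD_SA lifetime, XFRM ids and PSK scope)."""

# Values agreed with the Alibaba Cloud side, taken from the sample table.
EXPECTED = {"ike_lifetime": 86400, "ipsec_lifetime": 86400,
            "ike_proposal": ("aes", "sha1", "group2"), "esp_proposal": ("aes", "sha1", "group2")}
# strongSwan names DH groups by modulus size; the console uses IANA group numbers.
DH_GROUPS = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}
# Constructed sample: Tunnel 1 is consistent, Tunnel 2 carries three planted errors.
SAMPLE_CONF = """
connections {
  vco1 {
    rekey_time = 84600
    over_time = 1800
    proposals = aes-sha1-modp1024
    children {
      vco_child1 {
        life_time = 86400
        esp_proposals = aes-sha1-modp1024
        if_id_out = 42
        if_id_in = 42
      }
    }
  }
  vco2 {
    rekey_time = 86400               # planted: 86400 + 1800 != 86400
    over_time = 1800
    proposals = aes-sha256-modp2048  # planted: peer expects aes/sha1/group2
    children {
      vco_child2 {
        life_time = 86400
        esp_proposals = aes-sha1-modp1024
        if_id_out = 43
        if_id_in = 42                # planted: ingress id belongs to Tunnel 1
      }
    }
  }
}
secrets {
  ike-vco1 {
    secret = 123456****              # no id selector: offered to any peer
  }
}
"""


def parse_swanctl(text):
    """Parse swanctl.conf text into nested dicts; all values stay strings."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                        # "name {" opens a subsection
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:                                         # "key = value"
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root


def seconds(value):
    """swanctl accepts plain seconds or an s/m/h/d suffix ('30m' is 1800)."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)


def offered(proposals):
    """Set of (enc, integ, dh) tuples in a comma-separated proposal list, DH renamed."""
    out = set()
    for prop in filter(None, proposals.split(",")):
        parts = prop.split("-")
        if len(parts) == 3:
            parts[2] = DH_GROUPS.get(parts[2], parts[2])
        out.add(tuple(parts))
    return out


def check_config(text, expected=EXPECTED):
    """Return human-readable findings; an empty list means the file is consistent."""
    conf, out = parse_swanctl(text), []
    for name, conn in conf.get("connections", {}).items():
        # strongSwan hard-expires the IKE SA at rekey_time + over_time (0 here if unset).
        hard = seconds(conn.get("rekey_time", "0")) + seconds(conn.get("over_time", "0"))
        if hard != expected["ike_lifetime"]:
            out.append(f"{name}: IKE hard lifetime (rekey_time + over_time) is {hard}, expected {expected['ike_lifetime']}")
        if expected["ike_proposal"] not in offered(conn.get("proposals", "")):
            out.append(f"{name}: IKE proposals do not include {expected['ike_proposal']}")
        for cname, child in conn.get("children", {}).items():
            if seconds(child.get("life_time", "0")) != expected["ipsec_lifetime"]:
                out.append(f"{name}/{cname}: life_time != {expected['ipsec_lifetime']}")
            if expected["esp_proposal"] not in offered(child.get("esp_proposals", "")):
                out.append(f"{name}/{cname}: ESP proposals do not include {expected['esp_proposal']}")
            if child.get("if_id_in") != child.get("if_id_out"):
                out.append(f"{name}/{cname}: if_id_in {child.get('if_id_in')} != if_id_out {child.get('if_id_out')}")
    for sname, sec in conf.get("secrets", {}).items():
        # An ike-* secret without an id selector is offered to every peer.
        if sname.startswith("ike") and not any(k.startswith("id") for k in sec):
            out.append(f"secrets/{sname}: no id selector, the PSK is offered to any peer")
    return out
```

To check the real file, pass the contents of /etc/strongswan/swanctl/swanctl.conf to check_config; an empty list means nothing disagrees with the table. The lifetime check models how strongSwan derives the hard IKE SA lifetime, rekey_time plus over_time, which is why the configuration above uses 84600 + 1800 rather than 86400 directly.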

Configure a strongSwan device to use a single tunnel


Sample scenario


In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24. Applications are deployed on an ECS instance in the VPC. The company also has a data center that needs to use the CIDR block 172.16.2.0/24 to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.

CIDR block plan and sample VPN configurations

CIDR block plan

Resource | Item | Example
VPC | Private CIDR block that needs to communicate with the data center | 192.168.10.0/24
Public VPN gateway | Public IP address of the VPN gateway | 119.XX.XX.125
Data center | Private CIDR block that needs to communicate with the VPC | 172.16.2.0/24
Data center | Public IP address of the strongSwan device | 59.XX.XX.70
Data center | strongSwan version | 5.7.2

Sample VPN configurations

Configuration item | Sample value on Alibaba Cloud | Sample value on the strongSwan device
PSK | ff123TT**** | ff123TT****
IKE configurations
  IKE version | ikev1 | ikev1
  Negotiation mode | main | main
  Encryption algorithm | aes | aes
  Authentication algorithm | sha1 | sha1
  DH group | group2 | group2
  SA lifecycle (seconds) | 86400 | 86400
IPsec configurations
  Encryption algorithm | aes | aes
  Authentication algorithm | sha1 | sha1
  DH group | group2 | group2
  SA lifecycle (seconds) | 86400 | 86400

Prerequisites

This topic describes only how to add VPN configurations to a strongSwan device. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the strongSwan device, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, and create an IPsec-VPN connection. For more information, see Connect a VPC to a data center in single-tunnel mode.

  • When you create an IPsec-VPN connection, select Protected Data Flows as the routing mode, set the local CIDR block to 192.168.10.0/24, and set the remote CIDR block to 172.16.2.0/24.

  • After you create an IPsec-VPN connection, you must advertise the policy-based route. For more information, see the Advertise a policy-based route section of the "Configure policy-based routes" topic.

Note

If the strongSwan device in your data center accesses the Internet through a unified Internet egress, the strongSwan device does not have a public IP address. In this case, you can use the private IP address of the strongSwan device to establish an IPsec-VPN connection.

Step 1: Install strongSwan

Note

In the following example, Alibaba Cloud Linux 2.1903 LTS 64-bit is used to describe how to configure a strongSwan device. For information about the procedure that applies if you use another operating system, see strongSwan Installation Documentation.

  1. Go to the CLI of the strongSwan device.

  2. Run the following command to install strongSwan:

    sudo yum install strongswan
  3. (Optional) Run the following command to query the version of strongSwan that is automatically installed by the system:

    strongswan version


Step 2: Configure strongSwan

  1. Run the following command to open the ipsec.conf file:

    sudo vi /etc/strongswan/ipsec.conf
  2. Modify the ipsec.conf file based on the following information:

    # ipsec.conf - strongSwan IPsec configuration file
    # basic configuration
    config setup
           uniqueids=never
    conn %default
         authby=psk                  # Authenticate both ends with a pre-shared key (PSK).
         type=tunnel
    conn tomyidc
         keyexchange=ikev1           # The version of the IKE protocol that is used by the IPsec-VPN connection.
         left=59.XX.XX.70            # The public IP address of the strongSwan device. If you want to use the private IP address of the strongSwan device to establish an IPsec-VPN connection, specify the private IP address. 
         leftsubnet=172.16.2.0/24    # The private CIDR block of the data center to be connected to the VPC.
         leftid=59.XX.XX.70          # The ID of the strongSwan device, which must be the same as the RemoteId value on Alibaba Cloud. The default value is the public IP address used by the strongSwan device. 
         right=119.XX.XX.125         # The public IP address of the VPN gateway. 
         rightsubnet=192.168.10.0/24 # The private CIDR block of the VPC to be connected to the data center.
         rightid=119.XX.XX.125       # The ID of the VPN gateway, which must be the same as the LocalId value on Alibaba Cloud. The default value is the public IP address used by the VPN gateway. 
         auto=route                  # Specify that an IPsec-VPN connection is created only if a host on a subnet of one end sends an access request to the other end. For more information, see the description of the auto parameter. 
              
         ike=aes-sha1-modp1024       # The encryption algorithm, authentication algorithm, and DH group of the IKE protocol.
         ikelifetime=86400s          # The SA lifecycle of the IKE protocol.
         esp=aes-sha1-modp1024       # The encryption algorithm, authentication algorithm, and DH group of the IPsec protocol.
         lifetime=86400s             # The SA lifecycle of the IPsec protocol.
         type=tunnel
         #aggressive = yes           # Specify whether to enable the aggressive mode. By default, the system uses the main mode, and the aggressive mode is disabled.


    Setting of the auto parameter | Description
    auto=add | When the strongSwan process starts, the process only reads the connection configurations and does not establish a connection. This setting is applicable when the server is waiting for the client to initiate a connection request.
    auto=route | An IPsec-VPN connection is created only if a host on a subnet of one end sends an access request to the other end.
    auto=start | The strongSwan process reads the connection configurations and immediately establishes an IPsec-VPN connection.
    auto=ignore | The auto parameter is ignored.

  3. Configure the ipsec.secrets file.

    1. Run the following command to open the ipsec.secrets file:

      sudo vi /etc/strongswan/ipsec.secrets
    2. Add the following configurations to the file.

      Note

      You can select one of the following configuration methods.

      • Method 1

        59.XX.XX.70 119.XX.XX.125 : PSK ff123TT****   # ff123TT**** is the PSK of the IPsec-VPN connection. The data center and the VPN gateway must use the same PSK.

      • Method 2

        119.XX.XX.125 : PSK ff123TT****   # ff123TT**** is the PSK of the IPsec-VPN connection. The data center and the VPN gateway must use the same PSK.

  4. Run the following command to start the strongSwan service:

    sudo systemctl enable strongswan
    sudo systemctl start strongswan
    # You can run the following command to check whether the strongSwan service is properly started:
    sudo systemctl status strongswan
  5. Enable system forwarding.

    echo 1 > /proc/sys/net/ipv4/ip_forward
    Important

    The preceding command requires root permissions, and its effect is temporary: after you restart the strongSwan device, you must run the command again. If you want to enable traffic forwarding for the strongSwan device permanently, perform the following steps.


    1. Run the following command to open the /etc/sysctl.conf file:

      sudo vi /etc/sysctl.conf
    2. Press the I key to enter the edit mode.

    3. Add the following configuration to the file:

      net.ipv4.ip_forward = 1
    4. Press the Esc key, enter :wq, and then press the Enter key to save the change.

    5. Run the following command to apply the change:

      sudo sysctl -p
  6. On the data center side, configure routes from the data center to the strongSwan device and from the strongSwan device to the data center.

    Then, you can test the network connectivity between the data center and Alibaba Cloud VPC. For more information, see the "Step 6: Test the network connectivity" section of the Connect a VPC to a data center in single-tunnel mode topic.

  7. If you use strongSwan to establish more than three IPsec-VPN connections, you must modify the /etc/strongswan/strongswan.d/charon.conf configuration file as follows.

    Remove the comment delimiter (#) before the max_ikev1_exchanges = 3 line so that the setting takes effect, and then set max_ikev1_exchanges to a value greater than the number of IPsec-VPN connections that you establish.

    For example, if you establish four IPsec-VPN connections by using strongSwan, set max_ikev1_exchanges = 5.
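For the single-tunnel ipsec.conf in Step 2, the error that is hardest to see by eye is a key written twice inside one conn section, for example leftid where rightid was intended: strongSwan then falls back to the default rightid (the right address) and the local identity sent to the peer is wrong, so the RemoteId check on Alibaba Cloud fails. The following Python script is an added example and is not part of this topic or of strongSwan. It parses ipsec.conf with its conn %default inheritance, reports duplicated keys, applies the leftid/rightid defaults, and checks that ipsec.secrets contains a PSK whose selectors cover the peer. The file texts, the conn name tomyidc and all function names are this example's own constructed inputs, and the PSK selector matching is a simplification of strongSwan's lookup.

```python
"""Sanity check for the single-tunnel ipsec.conf / ipsec.secrets pair.  Added
example, not part of this topic or of strongSwan: it parses the classic ipsec.conf
layout (conn sections, key=value lines, 'conn %default' inheritance), reports keys
written twice in one conn, fills leftid/rightid with strongSwan's defaults (the
left/right addresses) and confirms that ipsec.secrets holds a PSK whose selectors
cover the peer identity."""

# Constructed sample in which leftid is written twice, so rightid silently falls
# back to its default and the local identity sent to the peer is wrong.
SAMPLE_CONF = """
config setup
       uniqueids=never
conn %default
     authby=psk
     type=tunnel
conn tomyidc
     keyexchange=ikev1
     left=59.XX.XX.70
     leftsubnet=172.16.2.0/24
     leftid=59.XX.XX.70
     right=119.XX.XX.125
     rightsubnet=192.168.10.0/24
     leftid=119.XX.XX.125          # planted: rightid was intended
     auto=route
     ike=aes-sha1-modp1024
     ikelifetime=86400s
     esp=aes-sha1-modp1024
     lifetime=86400s
"""
SAMPLE_SECRETS = "59.XX.XX.70 119.XX.XX.125 : PSK ff123TT****\n"  # constructed, 'Method 1' form


def parse_ipsec_conf(text):
    """Return {'conn NAME': [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented: 'conn NAME' or 'config setup'
            current = sections.setdefault(" ".join(line.split()), [])
        else:
            key, _, value = line.strip().partition("=")
            current.append((key.strip(), value.strip()))
    return sections


def resolve_conn(sections, name):
    """Merge 'conn %default' with the conn's own keys; return (settings, duplicated keys)."""
    settings = dict(sections.get("conn %default", []))
    seen, dupes = set(), []
    for key, value in sections[f"conn {name}"]:
        if key in seen:
            dupes.append(key)
        seen.add(key)
        settings[key] = value                      # assumption: the later line overrides the earlier one
    settings.setdefault("leftid", settings.get("left"))     # strongSwan defaults the ids
    settings.setdefault("rightid", settings.get("right"))   # to the left/right addresses
    return settings, dupes


def parse_secrets(text):
    """Return [(selector list, psk), ...] for the 'ID... : PSK secret' lines."""
    entries = []
    for raw in text.splitlines():
        selectors, sep, rest = raw.split("#", 1)[0].strip().partition(":")
        kind, _, secret = rest.strip().partition(" ")
        if sep and kind == "PSK":
            entries.append((selectors.split(), secret.strip().strip('"')))
    return entries


def psk_for(entries, remote_id):
    """Simplified selector matching: an empty selector list or %any matches any peer;
    otherwise the line must name the peer, as both 'Method 1' and 'Method 2' do."""
    for selectors, secret in entries:
        if not selectors or "%any" in selectors or remote_id in selectors:
            return secret
    return None


def check_single_tunnel(conf_text, secrets_text, name="tomyidc", expected_ike="ikev1"):
    """Return findings for one conn; an empty list means it looks consistent."""
    conn, dupes = resolve_conn(parse_ipsec_conf(conf_text), name)
    out = [f"{name}: {key} is set more than once" for key in dupes]
    for key in ("left", "right", "leftsubnet", "rightsubnet"):
        if key not in conn:
            out.append(f"{name}: {key} is missing")
    if conn["leftid"] and conn["leftid"] == conn["rightid"]:
        out.append(f"{name}: leftid and rightid are both {conn['leftid']}; rightid was probably meant")
    if conn.get("keyexchange") != expected_ike:
        out.append(f"{name}: keyexchange={conn.get('keyexchange')} but the peer is configured for {expected_ike}")
    if psk_for(parse_secrets(secrets_text), conn["rightid"]) is None:
        out.append(f"{name}: no PSK in ipsec.secrets covers peer {conn['rightid']}")
    return out
```

Run check_single_tunnel with the contents of /etc/strongswan/ipsec.conf and /etc/strongswan/ipsec.secrets before starting the service; the keyexchange check is there because an absent keyexchange does not default to ikev1, and the PSK check confirms that the selector form you chose (Method 1 or Method 2) actually names the VPN gateway address.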