
VPN Gateway: Configure a strongSwan device

Last Updated: Dec 11, 2024

This topic describes how to connect a strongSwan device to an Elastic Compute Service (ECS) instance on Alibaba Cloud.

strongSwan is an open-source and IPsec-based VPN solution that is easy to configure and can be deployed in mainstream Linux distributions. You can use strongSwan to establish IPsec-VPN connections with Alibaba Cloud.

Note

In this example, a VPN gateway in dual-tunnel mode is used to establish IPsec-VPN connections. If your VPN gateway supports only the single-tunnel mode, see the Configure a strongSwan device to use a single tunnel section of this topic.

Scenario

The following scenario is an example. You can configure strongSwan on an on-premises gateway to establish dual-tunnel IPsec-VPN connections to Alibaba Cloud.

image

Subnetting

Data center

  • Private CIDR block: 10.0.0.0/16

  • strongSwan Device

    • Network interface controller (NIC) eth0: 10.0.0.1 and NAT-mapped Internet egress 1: 1.1.XX.XX

    • Optional. NIC eth1: 10.0.0.2 and NAT-mapped Internet egress 2: 2.2.XX.XX

      Note

      For more information about non-NAT scenarios, see How do I configure a strongSwan device whose NIC is assigned a public IP address?

      This topic provides configuration examples for a single-egress strongSwan device and a dual-egress strongSwan device. You can use either device to establish IPsec-VPN connections to Alibaba Cloud.

Alibaba Cloud

  • VPC CIDR block: 172.16.0.0/16

    • vSwitch1 CIDR block: 172.16.1.0/24

    • vSwitch2 CIDR block: 172.16.2.0/24

  • VPN gateway

    • IPsec Address 1: 3.3.XX.XX

    • IPsec Address 2: 4.4.XX.XX

      Note

      After you create a VPN gateway, the system automatically assigns two IPsec addresses to the VPN gateway.

VPN configurations

The two tunnels use the same configurations. The VPN configurations on Alibaba Cloud and the strongSwan device must be the same for each tunnel.

  • Pre-shared key: ChangeMe***

  • IKE configurations

    • IKE version: ikev2

    • Negotiation mode: main

    • Encryption algorithm: aes

    • Authentication algorithm: sha1

    • DH group: group2

    • SA lifetime (seconds): 86400

  • IPsec configurations:

    • Encryption algorithm: aes

    • Authentication algorithm: sha1

    • DH group: group2

    • SA lifetime (seconds): 86400

Preparations on Alibaba Cloud

Before you configure the strongSwan device, perform the following steps on the Alibaba Cloud side: Create a VPN gateway, Create a customer gateway, Create an IPsec-VPN connection, and Configure VPN gateway routes. For more information, see Connect a VPC to a data center in dual-tunnel mode.

The configurations on the Alibaba Cloud side vary with the number of Internet egresses on the strongSwan device.

Single-egress

  1. Create one customer gateway because only one Internet egress exists.

  2. IPsec-VPN connection:

    1. Select Protected Data Flow for the routing mode of each tunnel.

      1. For the local CIDR block, enter the CIDR block of the VPC, which is 172.16.0.0/16.

      2. For the peer CIDR block, enter the CIDR block of the data center, which is 10.0.0.0/16.

    2. Select the same customer gateway.

Dual-egress

  1. Create two customer gateways because two Internet egresses exist.

  2. IPsec-VPN connection:

    1. Select Destination Routing Mode for both tunnels.

    2. Select Tunnel 1 for Egress 1 and Tunnel 2 for Egress 2.

Configure the strongSwan device

Note

In the following example, a strongSwan device that runs CentOS Stream 9 64-bit is used. For more information about other operating systems, see strongSwan documentation.

1. Configure an Allow firewall policy

Allow ESP (IP protocol 50), UDP port 500 (IKE), and UDP port 4500 (IKE NAT traversal) on the strongSwan device.

iptables -I INPUT -p 50 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT 
iptables -I INPUT -p udp --dport 4500 -j ACCEPT

2. Enable traffic forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Important

The preceding command is a temporary command. After you restart the strongSwan device, you must run the command again. If you want to enable traffic forwarding for the strongSwan device permanently, perform the following steps.


  1. Open the /etc/sysctl.conf file.

    vi /etc/sysctl.conf
  2. Add the following configuration to the file:

    net.ipv4.ip_forward = 1
  3. Run the following command to apply the change:

    sudo sysctl -p

3. Install strongSwan

dnf install epel-release -y
dnf install strongswan-5.9.10 -y

4. Configure the tunnels

Single-egress

Configure the two tunnels based on strongSwan protected data flows so that traffic can switch between the active tunnel and the standby tunnel.

  1. Back up the original strongSwan configuration file.

    mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bak
  2. Create a strongSwan configuration file.

    vi /etc/strongswan/swanctl/swanctl.conf
  3. Add and save the following configurations based on the Examples section.

    connections {
       vco1 {                            # The VPN configurations of IPsec-VPN Tunnel 1.
          version = 2                    # The IKE version, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. A value of 2 indicates IKEv2. 
          local_addrs  = 10.0.0.1        # The IP address of the local NIC.
          remote_addrs = 3.3.XX.XX     # Set the remote address of Tunnel 1 to the VPN gateway address of Tunnel 1 on Alibaba Cloud, which is IPsec Address 1. 
          dpd_delay = 10
          rekey_time = 84600             # The IKE SA rekey time of Tunnel 1. rekey_time plus over_time (84600 + 1800 = 86400) must equal the SA lifetime specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. 
          over_time = 1800               # The grace period after rekey_time before the IKE SA is forcibly closed. 
          proposals = aes-sha1-modp1024  # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
          encap = yes
    
          local {
             auth = psk                  # Set the authentication algorithm of the data center to PSK. 
             id = 1.1.XX.XX                # The IP address of the local Internet egress. This value must be the same as RemoteId of Tunnel 1. 
          }
          remote {
             auth = psk                  # Set the authentication algorithm of the VPC to PSK. 
             id = 3.3.XX.XX                # IPsec Address 1 on the Alibaba Cloud side. This value must be the same as LocalId of Tunnel 1. 
          }
          children {
             vco_child1 {
                local_ts  = 10.0.0.0/16    # The local protected data flows. Enter the private CIDR block of the data center, which is 10.0.0.0/16. 
                remote_ts = 172.16.0.0/16  # The protected data flows on the Alibaba Cloud side. Enter the VPC CIDR block, which is 172.16.0.0/16. 
                mode = tunnel
                rekey_time = 85500
                life_time = 86400        # The SA lifetime of Tunnel 1, which must be the same as that specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. 
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
             }
          }
       }
       vco2 {                           # The VPN configurations of IPsec-VPN Tunnel 2.
          version = 2                    # The IKE version, which must be the same as that configured for Tunnel 2 on Alibaba Cloud. A value of 2 indicates IKEv2. 
          local_addrs  = 10.0.0.1        # The IP address of the local NIC.
          remote_addrs = 4.4.XX.XX       # The tunnel address, which is IPsec Address 2. 
          dpd_delay = 10
          rekey_time = 84600             # The IKE SA rekey time of Tunnel 2. rekey_time plus over_time (84600 + 1800 = 86400) must equal the SA lifetime specified in the IKE configurations of Tunnel 2 on Alibaba Cloud. 
          over_time = 1800               # The grace period after rekey_time before the IKE SA is forcibly closed. 
          proposals = aes-sha1-modp1024  # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IKE configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024. 
          encap = yes
    
          local {
             auth = psk                  # Set the authentication algorithm of the data center to PSK. 
             id = 1.1.XX.XX              # The public IP address of the local Internet egress. This value must be the same as RemoteId of Tunnel 2. 
          }
          remote {
             auth = psk                  # Set the authentication algorithm of the VPC to PSK. 
             id = 4.4.XX.XX              # IPsec Address 2 on the Alibaba Cloud side. This value must be the same as LocalId of Tunnel 2. 
          }
          children {
             vco_child2 {
                local_ts  = 10.0.0.0/16      # The local protected data flows. Set this value to the CIDR block of the data center, which is 10.0.0.0/16. 
                remote_ts = 172.16.0.0/16    # The protected data flows on the Alibaba Cloud side. Enter the VPC CIDR block, which is 172.16.0.0/16. 
                mode = tunnel 
                rekey_time = 85500
                 life_time = 86400        # The SA lifetime of Tunnel 2, which must be the same as that specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud. 
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes-sha1-modp1024     # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024. 
             }
          }
       }
    }
    
    secrets {
       ike-vco1 {
          secret = ChangeMe***            # The PSK of Tunnel 1, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. 
       }
       ike-vco2 {
          secret = ChangeMe***            # The PSK of Tunnel 2, which must be the same as that configured for Tunnel 2 on Alibaba Cloud. 
       }
    }
  4. Restart the strongSwan process.

    systemctl restart strongswan
  5. Check the tunnel status.

    watch swanctl --list-sas 

    image

    As shown in the figure, an IPsec-VPN connection is established between the strongSwan device and the VPN gateway.
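The swanctl.conf above has to agree with the VPN configurations listed earlier (IKE and IPsec SA lifetime 86400, aes/sha1/group2, where group2 is modp1024), and a mismatch only shows up later as a failed negotiation. The script below is an added example, not code from the Alibaba Cloud page or from strongSwan: it parses a swanctl.conf and checks, for every connection, that rekey_time + over_time equals the negotiated IKE SA lifetime, that each child's life_time equals the IPsec SA lifetime, and that proposals and esp_proposals match the expected string. The sample configuration it runs against is constructed inline from the scenario values above; that the IKE_SA hard lifetime is rekey_time + over_time is an assumption about strongSwan's lifetime handling.

```shell
#!/bin/sh
# Added consistency check, not part of the Alibaba Cloud page: verify that each
# connection in a swanctl.conf agrees with the SA lifetime and proposals agreed
# with the VPN gateway. Assumed strongSwan semantics: the IKE_SA hard lifetime
# is rekey_time + over_time; the CHILD_SA hard lifetime is life_time.

# check_swanctl CONF WANT_LIFETIME WANT_PROPOSAL
# Prints one line per mismatch; returns 1 if any was found, 0 otherwise.
check_swanctl() {
    awk -v want="$2" -v prop="$3" '
    BEGIN { bad = 0; nconn = 0 }
    {
        sub(/#.*/, "")                                 # strip trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "")                    # trim both ends
        if ($0 == "") next
        if (substr($0, length($0), 1) == "{") {        # "name {" opens a block
            name = $0; gsub(/[ \t{]/, "", name)
            depth++
            if (depth == 1) section = name
            if (section != "connections") next         # ignore secrets, pools, ...
            if (depth == 2) { conn = name; conns[conn] = 1; nconn++ }
            if (depth == 4) { child = conn "/" name; childs[child] = 1 }
            next
        }
        if (substr($0, 1, 1) == "}") { depth--; next } # "}" closes a block
        if (section != "connections") next
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    gsub(/[ \t]/, "", val)
        if (depth == 2) ike[conn, key] = val           # IKE_SA settings
        if (depth == 4) sa[child, key] = val           # CHILD_SA settings
    }
    END {
        if (nconn == 0) { print "no connections found"; bad = 1 }
        for (c in conns) {
            total = ike[c, "rekey_time"] + ike[c, "over_time"]
            if (total != want) {
                printf "%s: IKE rekey_time+over_time=%d, want %d\n", c, total, want; bad = 1 }
            if (ike[c, "proposals"] != prop) {
                printf "%s: IKE proposals=%s, want %s\n", c, ike[c, "proposals"], prop; bad = 1 }
        }
        for (k in childs) {
            if (sa[k, "life_time"] + 0 != want) {
                printf "%s: CHILD life_time=%s, want %d\n", k, sa[k, "life_time"], want; bad = 1 }
            if (sa[k, "esp_proposals"] != prop) {
                printf "%s: CHILD esp_proposals=%s, want %s\n", k, sa[k, "esp_proposals"], prop; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Constructed sample configuration using the values of the scenario above.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
connections {
   vco1 {                          # Tunnel 1 (constructed sample)
      version = 2
      local_addrs  = 10.0.0.1
      remote_addrs = 3.3.XX.XX
      rekey_time = 84600
      over_time = 1800               # 84600 + 1800 = 86400, the IKE SA lifetime
      proposals = aes-sha1-modp1024
      local {
         auth = psk
         id = 1.1.XX.XX
      }
      remote {
         auth = psk
         id = 3.3.XX.XX
      }
      children {
         vco_child1 {
            local_ts  = 10.0.0.0/16
            remote_ts = 172.16.0.0/16
            rekey_time = 85500
            life_time = 86400
            esp_proposals = aes-sha1-modp1024
         }
      }
   }
}
secrets {
   ike-vco1 {
      secret = ChangeMe***
   }
}
EOF
# A copy whose CHILD_SA lifetime (one hour) no longer matches the gateway.
sed 's/life_time = 86400/life_time = 3600/' "$GOOD_CONF" > "$BAD_CONF"

check_swanctl "$GOOD_CONF" 86400 aes-sha1-modp1024 && echo "sample config: all tunnels match"
check_swanctl "$BAD_CONF"  86400 aes-sha1-modp1024 || echo "modified config: mismatch detected"
```

Run it against the real file with `check_swanctl /etc/strongswan/swanctl/swanctl.conf 86400 aes-sha1-modp1024` before restarting strongSwan; the same check covers the dual-egress configuration, whose connections carry the same lifetimes and proposals.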

Dual-egress

Important

Dual-egress is based on XFRM interfaces. To use XFRM interfaces, the strongSwan version must be 5.8.0 or later, the Linux kernel version must be 4.19 or later, the iproute2 version must be 5.1.0 or later, and the kernel must support the XFRM module. If lsmod | grep xfrm returns no output, the XFRM module is not loaded and XFRM interfaces cannot be used. For more information, see XFRM Interfaces on Linux.
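The version and module requirements above are easy to get wrong by eye (5.10 sorts before 5.9 as a string, and lsmod shows nothing for support that is built into the kernel or not yet loaded). The script below is an added example, not code from the Alibaba Cloud page or from strongSwan: it compares dotted versions numerically and checks the four prerequisites on the host. The commands it reads versions from (`uname -r`, `swanctl --version`, `ip -V`) and the CONFIG_XFRM_INTERFACE key in /boot/config-<kernel> are assumptions about the output formats of those tools on CentOS Stream 9.

```shell
#!/bin/sh
# Added prerequisite check, not from the Alibaba Cloud page. Assumed version
# sources: `uname -r` (kernel), `swanctl --version` (strongSwan, last word of the
# output), `ip -V` (iproute2, the text after "iproute2-"). CONFIG_XFRM_INTERFACE
# in /boot/config-<kernel> is consulted because lsmod shows nothing when XFRM
# interface support is built into the kernel or the module is not loaded yet.

# version_ge A B: succeed if dotted version A >= B, compared field by field as
# integers (so 5.10 > 5.9 and 5.9.10 > 5.8.0). Anything after the first
# character that is not a digit or a dot (e.g. "-362.el9.x86_64") is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//').   # trailing dot: cut always sees a delimiter
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//').
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi   # all fields equal
        x=${x:-0}; y=${y:-0}                                # missing field counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# check_xfrm_prereqs: run the four checks from the note above on this host;
# prints each unmet prerequisite and returns 1 if any check failed.
check_xfrm_prereqs() {
    rc=0
    kernel=$(uname -r)
    swan=$(swanctl --version 2>/dev/null | awk '{print $NF}')
    iproute=$(ip -V 2>/dev/null | sed 's/.*iproute2-//')
    version_ge "$kernel" 4.19   || { echo "kernel $kernel is older than 4.19"; rc=1; }
    version_ge "$swan" 5.8.0    || { echo "strongSwan ${swan:-not found} is older than 5.8.0"; rc=1; }
    version_ge "$iproute" 5.1.0 || { echo "iproute2 ${iproute:-not found} is older than 5.1.0 (or not a dotted version)"; rc=1; }
    if ! grep -q 'CONFIG_XFRM_INTERFACE=[ym]' "/boot/config-$kernel" 2>/dev/null \
       && ! lsmod 2>/dev/null | grep -q '^xfrm_interface'; then
        echo "no XFRM interface support found (kernel config or lsmod)"; rc=1
    fi
    return $rc
}

# Only run the host checks when asked, so the file can be sourced for testing.
if [ "${1:-}" = "run" ]; then check_xfrm_prereqs; fi
```

Run it as `sh xfrm_prereqs.sh run` on the strongSwan device; every printed line names a prerequisite that is not met, and a silent run with exit status 0 means all four are satisfied.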

  1. Configure routes so that traffic to IPsec Address 1 leaves through eth0 and traffic to IPsec Address 2 leaves through eth1.

    ip route add 3.3.XX.XX via 10.0.0.253 dev eth0  # 10.0.0.253 is the IP address of the private gateway.
    ip route add 4.4.XX.XX via 10.0.0.253 dev eth1

    Make sure the following two IPsec addresses can be pinged.

    ping 3.3.XX.XX 
    ping 4.4.XX.XX 
  2. Create two virtual network interfaces for establishing IPsec-VPN tunnels.

    ip link add ipsec0 type xfrm dev eth0 if_id 42 # Create an XFRM virtual network interface for Tunnel 1, with the interface ID 42 and the public interface eth0 as the underlying interface. 
    ip link add ipsec1 type xfrm dev eth1 if_id 43 # Create an XFRM virtual network interface for Tunnel 2, with the interface ID 43 and the public interface eth1 as the underlying interface. 
    ip link set ipsec0 up # Start the XFRM virtual network interface for Tunnel 1. 
    ip link set ipsec1 up # Start the XFRM virtual network interface for Tunnel 2.

    Important

    The preceding configuration for creating virtual network interfaces is temporary. After you restart the strongSwan device, you must add the configuration again and run the sudo systemctl restart strongswan; swanctl --load-all command, which requires root permissions. If you want a script that runs on system startup to create the virtual network interfaces automatically after the strongSwan device is restarted, perform the following steps.


    1. Run the following command to create a script:

      vi xfrm.sh
    2. Add and save the following configurations.

      #!/bin/sh
      sudo ip link add ipsec0 type xfrm dev eth0 if_id 42 # Create an XFRM virtual network interface for Tunnel 1, with the interface ID 42 and the public interface eth0 as the underlying interface. 
      sudo ip link add ipsec1 type xfrm dev eth1 if_id 43 # Create an XFRM virtual network interface for Tunnel 2, with the interface ID 43 and the public interface eth1 as the underlying interface. 
      sudo ip link set ipsec0 up # Start the XFRM virtual network interface for Tunnel 1. 
      sudo ip link set ipsec1 up # Start the XFRM virtual network interface for Tunnel 2.

    3. Run the following command to view the absolute path of the script:

      sudo find / -name xfrm.sh
    4. Add the absolute path to the /etc/rc.d/rc.local file.

      sudo vi /etc/rc.d/rc.local   # Open the /etc/rc.d/rc.local file.

      Press the I key to enter the edit mode, add the following line, press the Esc key, enter :wq, and then press the Enter key to save the change.

      /root/xfrm.sh   # The absolute path of the script.
    5. Run the following commands to make the rc.local and xfrm.sh files executable:

      sudo chmod +x /etc/rc.d/rc.local
      sudo chmod +x /root/xfrm.sh
  3. Create two scripts for strongSwan and configure routes to forward traffic.

    1. Create and edit /root/connect_1.sh

      vi /root/connect_1.sh
    2. Add and save the following script.

      #!/usr/bin/env bash
      if [ x"$PLUTO_VERB" == "xup-client" ]; then
      	echo "ip route add 172.16.0.0/16 dev ipsec0" >> /root/vpn_route.log;ip route add 172.16.0.0/16 dev ipsec0 metric 100
      elif [ x"$PLUTO_VERB" == "xdown-client" ]; then
      	echo "ip route del 172.16.0.0/16 dev ipsec0" >> /root/vpn_route.log;ip route del 172.16.0.0/16 dev ipsec0 metric 100
      fi

      Script purpose: If the status of Tunnel 1 is UP, add a route to transmit traffic from the data center to the VPC whose CIDR block is 172.16.0.0/16 through the XFRM virtual network interface of Tunnel 1. In addition, set the metric value of this route to 100 to assign this route a higher priority than the route that points to the XFRM virtual network interface of Tunnel 2. If the status of Tunnel 1 is DOWN, withdraw the route.

    3. Create and edit /root/connect_2.sh

      vi /root/connect_2.sh
    4. Add and save the following script.

      #!/usr/bin/env bash
      if [ x"$PLUTO_VERB" == "xup-client" ]; then
      	echo "ip route add 172.16.0.0/16 dev ipsec1" >> /root/vpn_route.log;ip route add 172.16.0.0/16 dev ipsec1 metric 101
      elif [ x"$PLUTO_VERB" == "xdown-client" ]; then
      	echo "ip route del 172.16.0.0/16 dev ipsec1" >> /root/vpn_route.log;ip route del 172.16.0.0/16 dev ipsec1 metric 101
      fi

      Script purpose: If the status of Tunnel 2 is UP, add a route to transmit traffic from the data center to the VPC whose CIDR block is 172.16.0.0/16 through the XFRM virtual network interface of Tunnel 2. In addition, set the metric value of this route to 101 to assign this route a lower priority than the route that points to the XFRM virtual network interface of Tunnel 1. If the status of Tunnel 2 is DOWN, withdraw the route.

    5. Run the following command to make the scripts executable:

      sudo chmod +x /root/connect_1.sh
      sudo chmod +x /root/connect_2.sh
  4. Modify the strongSwan configuration file.

    1. Back up the original strongSwan configuration file.

      mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bak
    2. Create a strongSwan configuration file.

      vi /etc/strongswan/swanctl/swanctl.conf
    3. Add and save the following configurations based on the example.

      connections {
         vco1 {                            # The VPN configurations of IPsec-VPN Tunnel 1.
            version = 2                    # The IKE version, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. A value of 2 indicates IKEv2. 
            local_addrs  = 10.0.0.1        # The IP address of the first local NIC.
            remote_addrs = 3.3.XX.XX     # Set the remote address of Tunnel 1 to the VPN gateway address of Tunnel 1 on Alibaba Cloud, which is IPsec Address 1. 
            dpd_delay = 10
            rekey_time = 84600             # The IKE SA rekey time of Tunnel 1. rekey_time plus over_time (84600 + 1800 = 86400) must equal the SA lifetime specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. 
            over_time = 1800               # The grace period after rekey_time before the IKE SA is forcibly closed. 
            proposals = aes-sha1-modp1024  # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
            encap = yes
      
            local {
               auth = psk                  # Set the authentication algorithm of the data center to PSK. 
               id = 1.1.XX.XX              # The public IP address of the first local egress. This value must be the same as RemoteId of Tunnel 1. 
            }
            remote {
               auth = psk                  # Set the authentication algorithm of the VPC to PSK. 
               id = 3.3.XX.XX              # IPsec Address 1 on the Alibaba Cloud side. This value must be the same as LocalId of Tunnel 1. 
            }
            children {
               vco_child1 {
                  local_ts  = 0.0.0.0/0    # Specify that the CIDR block of the protected data flows for the destination-based route mode on Alibaba Cloud is 0.0.0.0/0. 
                  remote_ts = 0.0.0.0/0    # Specify that the CIDR block of the protected data flows for the destination-based route mode on Alibaba Cloud is 0.0.0.0/0. 
                  mode = tunnel
                  rekey_time = 85500
                  life_time = 86400        # The SA lifetime of Tunnel 1, which must be the same as that specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. 
                  dpd_action = restart
                  start_action = start
                  close_action = start
                  esp_proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
      
                  if_id_out = 42           # Specify that the XFRM virtual network interface of Tunnel 1 is used as the egress port and ingress port of Tunnel 1. 
                  if_id_in = 42
                  updown = /root/connect_1.sh         # Execute the /root/connect_1.sh script to configure routing based on the UP/DOWN status of Tunnel 1. 
               }
            }
         }
         vco2 {                           # The VPN configurations of IPsec-VPN Tunnel 2.
            version = 2                    # The IKE version, which must be the same as that configured for Tunnel 2 on Alibaba Cloud. A value of 2 indicates IKEv2. 
            local_addrs  = 10.0.0.2        # The IP address of the second local NIC. 
            remote_addrs = 4.4.XX.XX     # Set the remote address of Tunnel 2 to the VPN gateway address of Tunnel 2 on Alibaba Cloud, which is IPsec address 2. 
            dpd_delay = 10
            rekey_time = 84600             # The IKE SA rekey time of Tunnel 2. rekey_time plus over_time (84600 + 1800 = 86400) must equal the SA lifetime specified in the IKE configurations of Tunnel 2 on Alibaba Cloud. 
            over_time = 1800               # The grace period after rekey_time before the IKE SA is forcibly closed. 
            proposals = aes-sha1-modp1024  # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IKE configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024. 
            encap = yes
      
            local {
               auth = psk                  # Set the authentication algorithm of the data center to PSK. 
               id = 2.2.XX.XX              # The public IP address of the second local egress. This value must be the same as RemoteId of Tunnel 2. 
            }
            remote {
               auth = psk                  # Set the authentication algorithm of the VPC to PSK. 
               id = 4.4.XX.XX              # IPsec Address 2 on the Alibaba Cloud side. This value must be the same as LocalId of Tunnel 2. 
            }
            children {
               vco_child2 {
                  local_ts  = 0.0.0.0/0    # Specify that the CIDR block of the protected data flows for the destination-based route mode on Alibaba Cloud is 0.0.0.0/0.
                  remote_ts = 0.0.0.0/0    # Specify that the CIDR block of the protected data flows for the destination-based route mode on Alibaba Cloud is 0.0.0.0/0.
                  mode = tunnel 
                  rekey_time = 85500
                   life_time = 86400        # The SA lifetime of Tunnel 2, which must be the same as that specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud. 
                  dpd_action = restart
                  start_action = start
                  close_action = start
                  esp_proposals = aes-sha1-modp1024     # The encryption algorithm, authentication algorithm, and DH group of Tunnel 2, which must be the same as those specified in the IPsec configurations of Tunnel 2 on Alibaba Cloud. A value of group2 indicates modp1024. 
                  if_id_out = 43           # Specify that the XFRM virtual network interface of Tunnel 2 is used as the egress port and ingress port of Tunnel 2. 
                  if_id_in = 43
                  updown = /root/connect_2.sh           # Execute the /root/connect_2.sh script to configure routing based on the UP/DOWN status of Tunnel 2. 
               }
            }
         }
      }
      
      secrets {
         ike-vco1 {
            secret = ChangeMe***            # The PSK of Tunnel 1, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. 
         }
         ike-vco2 {
            secret = ChangeMe***            # The PSK of Tunnel 2, which must be the same as that configured for Tunnel 2 on Alibaba Cloud. 
         }
      }
  5. Restart the strongSwan process.

    systemctl restart strongswan
  6. View routes

    route -n

    image

  7. Check the tunnel status.

    watch swanctl --list-sas

    image

    As shown in the figure, an IPsec-VPN connection is established between the strongSwan device and the VPN gateway.
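connect_1.sh and connect_2.sh in step 3 differ only in the XFRM interface and the metric, and a repeated `ip route add` for a route that still exists fails with "File exists". The script below is an added example, not the page's or strongSwan's own code: a single updown script for both tunnels that selects the interface and metric from PLUTO_CONNECTION (the connection name that strongSwan's updown plugin exports alongside PLUTO_VERB), uses `ip route replace` so that repeated up events are idempotent, and logs each action with a timestamp. The interface and metric mapping and the connection names vco1/vco2 are those of the configuration above; the log path and the script name /root/connect.sh are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the page's own script: one updown script that serves both
# tunnels instead of connect_1.sh and connect_2.sh. strongSwan's updown plugin
# exports PLUTO_VERB (up-client / down-client) and PLUTO_CONNECTION (the
# connection name, vco1 or vco2 in this topic). The interface/metric mapping is
# the one used in the topic; the log path is an assumption.
VPC_CIDR="172.16.0.0/16"
LOG="${VPN_ROUTE_LOG:-/root/vpn_route.log}"

# tunnel_params CONNECTION: print "<xfrm interface> <metric>" for a connection.
# Tunnel 1 gets the lower metric, so it carries traffic whenever it is up and
# the tunnel 2 route only takes over once the tunnel 1 route is withdrawn.
tunnel_params() {
    case "$1" in
        vco1) echo "ipsec0 100" ;;
        vco2) echo "ipsec1 101" ;;
        *)    return 1 ;;
    esac
}

# route_command VERB CONNECTION: print the ip(8) command to run, or return 1
# for verbs or connections this script does not handle (up-host, IPv6 verbs,
# unknown names). "replace" instead of "add" makes a repeated up-client
# (dpd_action = restart, close_action = start) idempotent instead of failing.
route_command() {
    params=$(tunnel_params "$2") || return 1
    set -- "$1" $params              # $1 = verb, $2 = interface, $3 = metric
    case "$1" in
        up-client)   echo "ip route replace $VPC_CIDR dev $2 metric $3" ;;
        down-client) echo "ip route del $VPC_CIDR dev $2 metric $3" ;;
        *)           return 1 ;;
    esac
}

main() {
    cmd=$(route_command "$PLUTO_VERB" "$PLUTO_CONNECTION") || exit 0   # nothing to do
    printf '%s %s %s: %s\n' "$(date '+%F %T')" "$PLUTO_CONNECTION" "$PLUTO_VERB" "$cmd" >> "$LOG"
    $cmd
}

# Only act when strongSwan invokes the script; sourcing it for tests skips this.
if [ -n "${PLUTO_VERB:-}" ]; then main; fi
```

To use it, save the script as /root/connect.sh, make it executable, and point `updown` of both vco_child1 and vco_child2 at it; strongSwan passes the connection name, so no per-tunnel copy is needed.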

5. Test the connectivity and high availability.

  1. Test the connectivity between the strongSwan device and the VPC.

    If echo reply packets are returned after you ping ECS instances in the VPC from the strongSwan device, the connection is established.

    ping <The IP address of an ECS instance in the VPC>
  2. Test the high availability of the IPsec-VPN connection.

    1. Close the active tunnel when the connection is up.

      You can close the active tunnel by modifying the pre-shared key of the active tunnel. The active tunnel is closed when the two sides of the tunnel use different pre-shared keys.

    2. After the active tunnel is closed, you can run the ping command to check the connectivity. If echo reply packets are returned after you ping an ECS instance, it indicates that the standby tunnel takes over after the active tunnel is down.

FAQ

Is IKEv1 supported by IPsec-VPN connections created by using strongSwan?

Yes.

To use IKEv1, specify version = 1 when you configure the /etc/strongswan/swanctl/swanctl.conf file.

How do I specify protected data flows?

To specify protected data flows, add CIDR blocks as described in the following code block when you configure the /etc/strongswan/swanctl/swanctl.conf file. Make sure that protected data flows are specified for the IPsec-VPN connection on the Alibaba Cloud side.

If you need to specify multiple CIDR blocks on the data center side or Alibaba Cloud side, the strongSwan device and the IPsec-VPN connection on the Alibaba Cloud side must use IKEv2.

children {
         vco_child1 {
            local_ts  = 192.168.20.0/24,192.168.50.0/24    # The CIDR block of the data center. 
            remote_ts = 10.0.0.0/16    # The CIDR block of the VPC. 
         }
}

How do I configure a strongSwan device whose NIC is assigned a public IP address?

In such non-NAT scenarios, the visible IP addresses on the strongSwan device are public IP addresses. You need to change the local_addrs field of each tunnel in the /etc/strongswan/swanctl/swanctl.conf file to the corresponding public IP address.

connections {
   vco1 {                            
      local_addrs  = 1.1.XX.XX     # The public IP address assigned to the NIC of the strongSwan device.
   }
}

How do I configure the single-tunnel mode?

Important

If your VPN gateway supports only single-tunnel IPsec-VPN connections, we recommend that you upgrade your VPN gateway to enable the dual-tunnel mode. IPsec-VPN connections in dual-tunnel mode support disaster recovery across zones. This effectively enhances the high availability of the network. For more information, see Upgrade a VPN gateway to enable the dual-tunnel mode.


Configure a strongSwan device to use a single tunnel

Scenario

The following scenario is an example. You can configure strongSwan on an on-premises gateway to establish a single-tunnel IPsec-VPN connection to Alibaba Cloud.

image

Subnetting

Data center

  • Private CIDR block: 10.0.0.0/16

  • strongSwan device

    • NIC eth0: 10.0.0.1 and NAT-mapped Internet egress: 1.1.XX.XX

Alibaba Cloud

  • VPC CIDR block: 172.16.0.0/16

    • vSwitch1 CIDR block: 172.16.1.0/24

    • vSwitch2 CIDR block: 172.16.2.0/24

  • VPN gateway

    • IPsec address: 3.3.XX.XX

      Note

      After you create a VPN gateway, the system automatically assigns an IPsec address to the VPN gateway.

VPN configurations

Make sure that the configurations on the strongSwan device and on Alibaba Cloud are the same.

  • Pre-shared key: ChangeMe***

  • IKE configurations

    • IKE version: ikev2

    • Negotiation mode: main

    • Encryption algorithm: aes

    • Authentication algorithm: sha1

    • DH group: group2

    • SA lifetime (seconds): 86400

  • IPsec configurations:

    • Encryption algorithm: aes

    • Authentication algorithm: sha1

    • DH group: group2

    • SA lifetime (seconds): 86400

Preparations on Alibaba Cloud

Before you configure the strongSwan device, perform the following steps on the Alibaba Cloud side: Create a VPN gateway, Create a customer gateway, Create an IPsec-VPN connection, and Configure VPN gateway routes. For more information, see Connect a VPC to a data center in single-tunnel mode.

When you create an IPsec-VPN connection, set Routing Mode to Protected Data Flow.

  • For the local CIDR block, enter the CIDR block of the VPC, which is 172.16.0.0/16.

  • For the peer CIDR block, enter the CIDR block of the data center, which is 10.0.0.0/16.

Configure the strongSwan device

Note

In the following example, a strongSwan device that runs CentOS Stream 9 64-bit is used. For more information about other operating systems, see strongSwan documentation.

1. Configure an Allow firewall policy

Allow ESP (IP protocol 50), UDP port 500 (IKE), and UDP port 4500 (IKE NAT traversal) on the strongSwan device.

iptables -I INPUT -p 50 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT 
iptables -I INPUT -p udp --dport 4500 -j ACCEPT

2. Enable traffic forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Important

The preceding command is a temporary command. After you restart the strongSwan device, you must run the command again. If you want to enable traffic forwarding for the strongSwan device permanently, perform the following steps.


  1. Open the /etc/sysctl.conf file.

    vi /etc/sysctl.conf
  2. Add the following configuration to the file:

    net.ipv4.ip_forward = 1
  3. Run the following command to apply the change:

    sudo sysctl -p

3. Install strongSwan

dnf install epel-release -y
dnf install strongswan-5.9.10 -y

4. Configure the tunnel

Start configuration based on the strongSwan protected data flows.

  1. Back up the original strongSwan configuration file.

    mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bak
  2. Create a strongSwan configuration file.

    vi /etc/strongswan/swanctl/swanctl.conf
  3. Add and save the following configurations based on the example:

    connections {
       vco1 {                            # The VPN configurations of IPsec-VPN Tunnel 1.
          version = 2                    # The IKE version, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. A value of 2 indicates IKEv2. 
          local_addrs  = 10.0.0.1        # The IP address of the local NIC.
          remote_addrs = 3.3.XX.XX       # Set the remote address to the IPsec address of the VPN gateway on Alibaba Cloud. 
          dpd_delay = 10
          rekey_time = 84600             # The IKE SA rekey time. rekey_time plus over_time (84600 + 1800 = 86400) must equal the SA lifetime specified in the IKE configurations on Alibaba Cloud. 
          over_time = 1800               # The grace period after rekey_time before the IKE SA is forcibly closed. 
          proposals = aes-sha1-modp1024  # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IKE configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
          encap = yes
    
          local {
             auth = psk                  # Set the authentication algorithm of the data center to PSK. 
             id = 1.1.XX.XX              # The IP address of the Internet egress. This value must be the same as RemoteId of Tunnel 1. 
          }
          remote {
             auth = psk                  # Set the authentication algorithm of the VPC to PSK. 
             id = 3.3.XX.XX              # The IPsec address on the Alibaba Cloud side. This value must be the same as LocalId of Tunnel 1. 
          }
          children {
             vco_child1 {
                 local_ts  = 10.0.0.0/16    # The local protected data flows. Enter the private CIDR block of the data center, which is 10.0.0.0/16. 
                 remote_ts = 172.16.0.0/16  # The protected data flows on the Alibaba Cloud side. Enter the VPC CIDR block, which is 172.16.0.0/16. 
                mode = tunnel
                rekey_time = 85500
                life_time = 86400        # The SA lifetime of Tunnel 1, which must be the same as that specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. 
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes-sha1-modp1024   # The encryption algorithm, authentication algorithm, and DH group of Tunnel 1, which must be the same as those specified in the IPsec configurations of Tunnel 1 on Alibaba Cloud. A value of group2 indicates modp1024. 
             }
          }
       }
    
    }
    
    secrets {
       ike-vco1 {
          secret = ChangeMe***            # The PSK of Tunnel 1, which must be the same as that configured for Tunnel 1 on Alibaba Cloud. 
       }
    }
    
  4. Restart the strongSwan process.

    systemctl restart strongswan
  5. Check the tunnel status.

    watch swanctl --list-sas 

    image

    As shown in the figure, an IPsec-VPN connection is established between the strongSwan device and the VPN gateway.

5. Test the connectivity

Test the connectivity between the strongSwan device and the VPC:

If echo reply packets are returned after you ping ECS instances in the VPC from the strongSwan device, the connection is established.

ping <The IP address of an ECS instance in the VPC>