Updated on 2024-02-29 GMT+08:00

Using strongSwan to Configure On- and Off-Cloud Communication

Scenarios

The VPC on the cloud has a VPN gateway and a VPN connection. Servers in the customer data center run IPsec software (strongSwan here) to interconnect with the cloud. One-to-one NAT mapping has been configured between the customer server IP address and a public IP address on the network egress, so the strongSwan host sits behind NAT and IKE uses NAT traversal (UDP ports 500 and 4500) toward the VPN gateway.

Topology Connection

Figure 1 shows the topology connection and policy negotiation configurations.

The VPN gateway IP address of the VPC is 11.11.11.11 and the local subnet is 192.168.200.0/24.

The NAT mapping IP address of the customer server is 22.22.22.22 and the local subnet is 192.168.222.0/24.

The ECS IP address and the customer server IP address are 192.168.200.200 and 192.168.222.222, respectively.

The negotiation parameters of the VPN connection use the default configurations defined on Huawei Cloud.

Figure 1 Topology connection and policy negotiation configuration information

Configuration Procedure

The configuration may vary with the strongSwan version. The following uses strongSwan 5.7.2 on a CentOS/RHEL 7 host (the kernel shown in the status output below) as an example to describe the VPN configuration of strongSwan on Linux.

  1. Install the IPsec VPN client.

    yum install strongswan

    When prompted, enter y. The installation is complete when the message "Complete!" is displayed. On CentOS/RHEL 7 the strongswan package is provided by the EPEL repository. The configuration files of strongSwan are stored in the /etc/strongswan directory; the only two files you need to edit are ipsec.conf and ipsec.secrets (the file names are lowercase and case-sensitive).

  2. Enable IPv4 forwarding.

    vim /etc/sysctl.conf

    1. Add the following content to this file:
      net.ipv4.ip_forward = 1
    2. Run the /sbin/sysctl -p command for the forwarding configuration to take effect.

  3. Configure iptables.

    Run the iptables -L command to check that the firewall is either disabled (all three chains default to ACCEPT with no rules, as in the output below) or explicitly permits the tunnel traffic: on INPUT, UDP ports 500 and 4500 (IKE and NAT-T) and ESP from 11.11.11.11; on FORWARD, traffic between 192.168.222.0/24 and 192.168.200.0/24.
    iptables -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination 
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination 
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination 

  4. Configure the pre-shared key.

    vim /etc/strongswan/ipsec.secrets          # Edit the ipsec.secrets file.
    22.22.22.22 11.11.11.11 : PSK "IPsec-key"

    Format: local IKE ID (the NAT-mapped public IP address, which must equal leftid in ipsec.conf)+Space+VPN gateway IP address (equal to rightid)+Space+English colon (:)+Space+PSK (uppercase)+Space+Pre-shared key enclosed in double quotation marks. The spaces on both sides of the colon are required. The key must be identical to the PSK configured on the Huawei Cloud VPN connection; replace the placeholder "IPsec-key" with a long random value that contains no double quotation marks, and keep ipsec.secrets readable only by root (chmod 600).

  5. Configure the IPsec connection.

    vim /etc/strongswan/ipsec.conf

    Add the following content to this file:

    config setup

    conn strong_IPsec                               # Connection name; used by strongswan up/down and shown in statusall.
      auto=route                                    # route: install the policy at start and negotiate when matching traffic appears. Alternatives: add (load only) or start (negotiate immediately).
      type=tunnel                                   # Enable tunnel mode.
      compress=no                                   # Disable IPComp compression.
      leftauth=psk                                  # Local authentication: pre-shared key.
      rightauth=psk                                 # Remote authentication: pre-shared key.
      ikelifetime=86400s                            # Lifetime of the IKE SA.
      lifetime=3600s                                # Lifetime of the IPsec (child) SA.
      keyexchange=ikev1                             # IKE version 1, matching the Huawei Cloud VPN connection.
      ike=aes128-sha1-modp1536!                     # IKE proposal: AES-128, SHA-1, DH group 5. Must match the VPN gateway's IKE policy; the trailing ! allows only this proposal.
      esp=aes128-sha1-modp1536!                     # IPsec proposal: AES-128, SHA-1, and PFS with DH group 5. Must match the VPN gateway's IPsec policy.
      leftid=22.22.22.22                            # Local IKE ID: the NAT-mapped public address, which is what the gateway sees.
      left=192.168.222.222                          # Local IP address. In the NAT scenario this must be the host's real address, not the public one.
      leftsubnet=192.168.222.0/24                   # Local subnet.
      rightid=11.11.11.11                           # IKE ID of the VPN gateway.
      right=11.11.11.11                             # VPN gateway IP address.
      rightsubnet=192.168.200.0/24                  # VPC subnet behind the VPN gateway.

    SHA-1 and DH group 5 are the Huawei Cloud defaults assumed here. If the VPN connection is configured with stronger algorithms on the cloud side, change both the ike and esp lines to match; a mismatch in either policy leaves the connection stuck in the CONNECTING state.

    For details about the bits of DH groups used by Huawei Cloud VPN, see What Are the Bits of the DH Groups Used by Huawei Cloud VPN?.

  6. Start the service.

    service strongswan stop        # Stop the service.

    service strongswan start       # Start the service.

    service strongswan restart     # Restart the service.

    strongswan stop                # Stop the charon IKE daemon directly (on CentOS/RHEL the strongswan command is the ipsec command renamed).

    strongswan start               # Start the charon IKE daemon; it loads ipsec.conf and ipsec.secrets.

    Restart the service after each change to ipsec.conf or ipsec.secrets. Because auto=route is used, the policy is installed at start-up and the tunnel is negotiated automatically when the first matching packet is sent. To negotiate it immediately instead, run strongswan up strong_IPsec; strongswan down strong_IPsec tears it down.
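The whole procedure above, as an added shell script that is not part of the Huawei Cloud page or of strongSwan itself: it writes ipsec.conf and ipsec.secrets for the topology in Figure 1, generates a random PSK in place of the "IPsec-key" placeholder, and checks the two things that most often keep a PSK tunnel from coming up (secrets selectors that do not match leftid/rightid, an empty key) plus the file permissions, before you restart the service. The script name gen-strongswan.sh, the CONF_DIR variable and the function names are assumptions for this example; the addresses are the page's example values.

```shell
#!/bin/sh
# Added example (not from the page or from strongSwan): generate and sanity-check
# the strongSwan configuration for the Figure 1 topology.
# CONF_DIR defaults to the CentOS/RHEL layout (/etc/strongswan); point it at a
# scratch directory to dry-run without root.

CONF_DIR="${CONF_DIR:-/etc/strongswan}"
CONN_NAME="strong_IPsec"
LOCAL_PUBLIC_IP="22.22.22.22"      # NAT-mapped address of the strongSwan host (leftid)
LOCAL_HOST_IP="192.168.222.222"    # real address of the host behind the NAT (left)
LOCAL_SUBNET="192.168.222.0/24"
CLOUD_GW_IP="11.11.11.11"          # Huawei Cloud VPN gateway (right / rightid)
CLOUD_SUBNET="192.168.200.0/24"

# 32 random bytes, base64-encoded: a PSK that cannot be guessed and that contains
# no double quote or colon, either of which would break the ipsec.secrets syntax.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

write_ipsec_conf() {
    cat > "$CONF_DIR/ipsec.conf" <<EOF
config setup

conn $CONN_NAME
  auto=route
  type=tunnel
  compress=no
  leftauth=psk
  rightauth=psk
  ikelifetime=86400s
  lifetime=3600s
  keyexchange=ikev1
  ike=aes128-sha1-modp1536!
  esp=aes128-sha1-modp1536!
  leftid=$LOCAL_PUBLIC_IP
  left=$LOCAL_HOST_IP
  leftsubnet=$LOCAL_SUBNET
  rightid=$CLOUD_GW_IP
  right=$CLOUD_GW_IP
  rightsubnet=$CLOUD_SUBNET
EOF
}

# Selectors are "<leftid> <rightid>", spaces on both sides of the colon, key in
# double quotes. The file is created root-only (umask 077 in a subshell).
write_ipsec_secrets() {
    ( umask 077
      printf '%s %s : PSK "%s"\n' "$LOCAL_PUBLIC_IP" "$CLOUD_GW_IP" "$1" \
          > "$CONF_DIR/ipsec.secrets" )
    chmod 600 "$CONF_DIR/ipsec.secrets"
}

# Refuse secrets whose selectors do not match the IDs in ipsec.conf, an empty
# placeholder key, and a secrets file readable by anyone but root.
check_config() {
    conf="$CONF_DIR/ipsec.conf"
    sec="$CONF_DIR/ipsec.secrets"
    lid=$(sed -n 's/^[[:space:]]*leftid=//p' "$conf")
    rid=$(sed -n 's/^[[:space:]]*rightid=//p' "$conf")
    grep -q "^$lid $rid : PSK \"" "$sec" ||
        { echo "ipsec.secrets selectors do not match leftid/rightid" >&2; return 1; }
    grep -q 'PSK ""' "$sec" &&
        { echo "empty PSK in ipsec.secrets" >&2; return 1; }
    perms=$(ls -l "$sec" | cut -c1-10)
    [ "$perms" = "-rw-------" ] ||
        { echo "ipsec.secrets is $perms, expected -rw-------" >&2; return 1; }
    return 0
}

apply() {
    mkdir -p "$CONF_DIR"
    write_ipsec_conf
    write_ipsec_secrets "$(gen_psk)"
    check_config
}

# Usage: sudo sh gen-strongswan.sh apply && service strongswan restart
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

The generated key must also be entered on the Huawei Cloud VPN connection; the script only takes care of the strongSwan side.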

Configuration Verification

Run the strongswan statusall command to check the daemon, the loaded connection and the state of its security associations. Note that the output below was captured while the IKE SA was still being negotiated: the summary reads 0 up, 1 connecting, the IKE SA is CONNECTING with MAIN_MODE among the active tasks, and the responder SPI is still all zeros, meaning no reply from 11.11.11.11 had arrived yet. A working tunnel shows the IKE SA as ESTABLISHED and the child SA as INSTALLED, TUNNEL. If the connection stays in this state, check that UDP ports 500 and 4500 from the NAT address 22.22.22.22 reach the VPN gateway, and that the remote gateway address and subnets configured on the cloud side match leftid and leftsubnet.
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.5.1.el7.x86_64, x86_64):
  uptime: 5 minutes, since Apr 24 19:25:29 2019
  malloc: sbrk 1720320, mmap 0, used 593088, free 1127232
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  192.168.222.222
Connections:
strong_IPsec:  192.168.222.222...11.11.11.11  IKEv1
strong_IPsec:   local:  [22.22.22.22] uses pre-shared key authentication
strong_IPsec:   remote: [11.11.11.11] uses pre-shared key authentication
strong_IPsec:   child:  192.168.222.0/24 === 192.168.200.0/24 TUNNEL
Routed Connections:
strong_IPsec{1}:  ROUTED, TUNNEL, reqid 1
strong_IPsec{1}:   192.168.222.0/24 === 192.168.200.0/24
Security Associations (0 up, 1 connecting):
strong_IPsec[1]: CONNECTING, 192.168.222.222[%any]...11.11.11.11[%any]
strong_IPsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 0000000000000000_r
strong_IPsec[1]: Tasks queued: QUICK_MODE QUICK_MODE
strong_IPsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
From the ECS (192.168.200.200) in the VPC, ping the customer server on which the IPsec client is installed. Because auto=route is used, the first packet that matches the policy triggers the negotiation, so the first one or two replies may be delayed or lost until the SA is installed.
ping 192.168.222.222
PING 192.168.222.222 (192.168.222.222) 56(84) bytes of data.
64 bytes from 192.168.222.222: icmp_seq=1 ttl=62 time=3.07 ms
64 bytes from 192.168.222.222: icmp_seq=2 ttl=62 time=3.06 ms
64 bytes from 192.168.222.222: icmp_seq=3 ttl=62 time=3.98 ms
64 bytes from 192.168.222.222: icmp_seq=4 ttl=62 time=3.04 ms
64 bytes from 192.168.222.222: icmp_seq=5 ttl=62 time=3.11 ms
64 bytes from 192.168.222.222: icmp_seq=6 ttl=62 time=3.71 ms
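Reading the statusall output by eye is error-prone, since a CONNECTING entry looks much like a healthy one. The following added script, not part of the Huawei Cloud page or of strongSwan, classifies the output for a named connection as up (IKE SA ESTABLISHED and child SA INSTALLED), connecting or down, and reports which IKEv1 phase a stuck negotiation is sitting in (MAIN_MODE means the gateway has not answered at all; QUICK_MODE means phase 1 succeeded and the IPsec proposals or subnets are being rejected). The first sample is the page's own CONNECTING output condensed; the second is a constructed example of an established tunnel whose SPIs and timings are made up. Function names and the check argument are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the page or from strongSwan): classify
# `strongswan statusall` output for one connection.

# Constructed sample 1: the page's CONNECTING output, condensed to the SA section.
SAMPLE_CONNECTING='Security Associations (0 up, 1 connecting):
strong_IPsec[1]: CONNECTING, 192.168.222.222[%any]...11.11.11.11[%any]
strong_IPsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 0000000000000000_r
strong_IPsec[1]: Tasks queued: QUICK_MODE QUICK_MODE
strong_IPsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD'

# Constructed sample 2: what the same connection looks like once the tunnel is
# up (strongSwan 5.x layout; SPIs and times are invented for the example).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
strong_IPsec[1]: ESTABLISHED 12 minutes ago, 192.168.222.222[22.22.22.22]...11.11.11.11[11.11.11.11]
strong_IPsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 7f2a0c11d3e9b840_r, pre-shared key reauthentication in 23 hours
strong_IPsec[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
strong_IPsec{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d4e5f6a7_o
strong_IPsec{1}:   192.168.222.0/24 === 192.168.200.0/24'

# tunnel_state <conn>  (statusall output on stdin)
# Prints up / connecting / down and returns 0 / 1 / 2. "up" requires both the
# IKE SA (conn[n]: ESTABLISHED) and the child SA (conn{n}: INSTALLED, TUNNEL);
# an IKE SA alone means phase 1 worked but no traffic can flow yet.
tunnel_state() {
    conn="$1"
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "^$conn\[[0-9]*\]: ESTABLISHED" &&
       printf '%s\n' "$out" | grep -q "^$conn{[0-9]*}: *INSTALLED, TUNNEL"; then
        echo up; return 0
    elif printf '%s\n' "$out" | grep -q "^$conn\[[0-9]*\]: CONNECTING"; then
        echo connecting; return 1
    else
        echo down; return 2
    fi
}

# stuck_phase <conn>  (statusall output on stdin)
# Prints the IKEv1 exchange still listed under "Tasks active", or none.
stuck_phase() {
    conn="$1"
    out=$(cat)
    for phase in MAIN_MODE QUICK_MODE; do
        if printf '%s\n' "$out" | grep -q "^$conn\[[0-9]*\]: Tasks active: .*$phase"; then
            echo "$phase"; return 0
        fi
    done
    echo none; return 1
}

# Usage on the strongSwan host: sh vpn-check.sh check [connection-name]
if [ "${1:-}" = "check" ]; then
    conn="${2:-strong_IPsec}"
    status=$(strongswan statusall)
    state=$(printf '%s\n' "$status" | tunnel_state "$conn")
    echo "$conn: $state"
    if [ "$state" = "connecting" ]; then
        echo "stuck in: $(printf '%s\n' "$status" | stuck_phase "$conn")"
    fi
fi
```

A connection that reports connecting with MAIN_MODE active for more than a few retransmissions almost always means IKE packets are not reaching the gateway or its replies are not coming back through the NAT; one stuck at QUICK_MODE points at the ike/esp proposals or the subnets on the cloud side.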