Updated on 2025-08-19 GMT+08:00

Configuration in the On-Premises Data Center

Notes and Constraints

This section uses a strongSwan device that runs the CentOS 8.2 64-bit operating system as an example. For other operating systems, see the official documentation of strongSwan.

Procedure

  1. Download the strongSwan installation package from the official website.

    The installation and configuration methods may vary according to the strongSwan version. strongSwan 5.9.10 is used in this example.

  2. Install the strongSwan software.

    1. Log in to the CentOS 8.2 operating system as the root user and open the CLI window.
    2. Upload the strongSwan installation package to a directory on the CentOS operating system, for example, /opt/.
    3. Run the following command to go to the directory where the installation package is stored:

      cd /opt/

    4. Run the following command to install strongSwan:

      rpm -ivh strongswan-5.9.10-1.el8.x86_64.rpm --force --nodeps

      strongswan-5.9.10-1.el8.x86_64.rpm is the installation package name. Replace it with the actual one.

      If the following information is displayed, the installation is successful.
      Verifying...                          ################################# [100%]
      Preparing...                          ################################# [100%]
      Updating / installing...
         1:strongswan-5.9.10-1.el8          ################################# [100%]
    5. Run the following command to check the strongSwan version:

      strongswan version

      The following information is displayed:

      Linux strongSwan U5.9.10/K4.18.0-348.7.1.el8_5.x86_64
      University of Applied Sciences Rapperswil, Switzerland

  3. Configure firewall policies.

    • Run the following command to permit the ESP protocol (IP protocol number: 50):

      iptables -I INPUT -p 50 -j ACCEPT

    • Run the following command to permit UDP port 500:

      iptables -I INPUT -p udp --dport 500 -j ACCEPT

    • Run the following command to permit UDP port 4500:

      iptables -I INPUT -p udp --dport 4500 -j ACCEPT

  4. Enable the traffic forwarding function.

    Run the following command to enable traffic forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    The preceding command is a temporary command. After the strongSwan device is restarted, you need to run this command again. If you want to permanently enable traffic forwarding for the strongSwan device, perform the following operations:
    1. Run the following command to open the /etc/sysctl.conf file:

      vi /etc/sysctl.conf

    2. Add the following configuration to the file:
      net.ipv4.ip_forward = 1
    3. Press Esc, enter :wq, and press Enter.

      The system saves the configuration and exits the editor.

    4. Run the following command for the configuration to take effect:

      sudo sysctl -p

  5. Configure dual tunnels.

    1. Run the following command to back up the strongSwan configuration file:

      mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bak

    2. Run the following command to open the strongSwan configuration file:

      vi /etc/strongswan/swanctl/swanctl.conf

    3. Add the following configurations according to the data plan:
      connections {
         vco1 {                  # Add the VPN configuration of IPsec VPN tunnel 1.
            version = 2          # Specify the IKE version, which must be the same as that configured for Huawei Cloud connection 1. The value 2 indicates IKEv2.
            local_addrs  = 172.16.0.195         # Specify the local IP address.
            remote_addrs = 1.1.1.2          # Set the remote IP address of tunnel 1 to the gateway IP address of Huawei Cloud connection 1.
            dpd_delay = 10
            rekey_time = 86400               # Specify the SA lifetime of tunnel 1, which must be the same as that specified in the IKE configuration of Huawei Cloud connection 1.
            over_time = 1800               
            proposals = aes128-sha1-modp1024   # Specify the encryption algorithm, authentication algorithm, and DH algorithm of tunnel 1, which must be the same as those specified in the IKE configuration of Huawei Cloud connection 1. modp1024 corresponds to DH group 2.
            encap = yes
      
            local {
               auth = psk              # Set the local authentication mode to PSK.
               id = 1.1.1.1           # Specify the public IP address of the local egress.
            }
            remote {
               auth = psk              # Set the authentication mode of Huawei Cloud to PSK.
               id = 1.1.1.2            # Specify the active EIP of Huawei Cloud connection 1.
            }
            children {
               vco_child1 { 
                  local_ts  = 172.16.0.0/16     # Set the private CIDR block of the local protected data flows to 172.16.0.0/16.
                  remote_ts = 192.168.0.0/24     # Set the VPC CIDR block of the protected data flows at the Huawei Cloud site to 192.168.0.0/24.
                  mode = tunnel
                  rekey_time = 85500
                  life_time = 86400          # Specify the SA lifetime of tunnel 1, which must be the same as that specified in the IPsec configuration of Huawei Cloud connection 1.
                  dpd_action = restart
                  start_action = start
                  close_action = start
                  esp_proposals = aes128-sha1-modp1024   # Specify the encryption algorithm, authentication algorithm, and DH algorithm of tunnel 1, which must be the same as those specified in the IPsec configuration of Huawei Cloud connection 1. modp1024 corresponds to DH group 2.
               }
            }
         }
         vco2 {                  # Add the VPN configuration of IPsec VPN tunnel 2.
            version = 2          # Specify the IKE version, which must be the same as that configured for Huawei Cloud connection 2. The value 2 indicates IKEv2.
            local_addrs  = 172.16.0.195        # Specify the local IP address.
            remote_addrs = 2.2.2.2      # Set the remote IP address of tunnel 2 to the gateway IP address of Huawei Cloud connection 2.
            dpd_delay = 10
            rekey_time = 84600           # Specify the SA lifetime of tunnel 2, which must be the same as that specified in the IKE configuration of Huawei Cloud connection 2.
            over_time = 1800               
            proposals = aes128-sha1-modp1024       # Specify the encryption algorithm, authentication algorithm, and DH algorithm of tunnel 2, which must be the same as those specified in the IKE configuration of Huawei Cloud connection 2. modp1024 corresponds to DH group 2.
            encap = yes
      
            local {
               auth = psk          # Set the local authentication mode to PSK.
               id = 1.1.1.1       # Specify the public IP address of the local egress.
            }
            remote {
               auth = psk           # Set the authentication mode of Huawei Cloud to PSK.
               id = 2.2.2.2         # Specify the standby EIP of Huawei Cloud connection 2.
            }
            children {
               vco_child2 {
                  local_ts  = 172.16.0.0/16     # Set the private CIDR block of the local protected data flows to 172.16.0.0/16.
                  remote_ts = 192.168.0.0/24      # Set the VPC CIDR block of the protected data flows at the Huawei Cloud site to 192.168.0.0/24.
                  mode = tunnel 
                  rekey_time = 85500
                  life_time = 86400        # Specify the SA lifetime of tunnel 2, which must be the same as that specified in the IPsec configuration of Huawei Cloud connection 2.
                  dpd_action = restart
                  start_action = start
                  close_action = start
                  esp_proposals = aes128-sha1-modp1024   # Specify the encryption algorithm, authentication algorithm, and DH algorithm of tunnel 2, which must be the same as those specified in the IPsec configuration of Huawei Cloud connection 2. modp1024 corresponds to DH group 2.
               }
            }
         }
      }
      
      secrets {
         ike-vco1 {
            secret = Test@123   # Specify the PSK of tunnel 1, which must be the same as that configured for Huawei Cloud connection 1.
         }
         ike-vco2 {
            secret = Test@123   # Specify the PSK of tunnel 2, which must be the same as that configured for Huawei Cloud connection 2.
         }
      }
    4. Press Esc, enter :wq, and press Enter.

      The system saves the configuration and exits the editor.

    5. Run the following command to restart the strongSwan process:

      systemctl restart strongswan

    6. Run the following command to check the tunnel status:

      watch swanctl --list-sas

      Information similar to the following is displayed:

                                           ecs-b6b4-strongswan: Tue Mar 11 16:51:19 2025
      plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
      vco2: #2, ESTABLISHED, IKEv2, c2786dfe3bc7d7e0_i* 75e148eba08c17e1_r
      ...
      ...
      vco1: #1, ESTABLISHED, IKEv2, 3d3396aa3797c86f_i* d89bb869311c580c_r
      ...
      ...
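The check in step 6 relies on reading the `watch` screen by eye. The following shell script is an added example, not part of this document or of strongSwan, that parses `swanctl --list-sas` output and reports whether each of the two planned tunnels (vco1 and vco2) has both an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA. The `sample_sas` output is constructed for illustration (only the SPIs come from the output shown above); on the device, pass the real output with `check_tunnels "$(swanctl --list-sas)"`.

```shell
#!/bin/sh
# Added example (not from the page): verify that both data-plan tunnels, vco1 and vco2,
# show an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA in `swanctl --list-sas` output.
# sample_sas: constructed `swanctl --list-sas` output (SPIs from the page, the rest made up);
# vco2 is healthy, vco1 is stuck in CONNECTING and has no CHILD_SA yet.
sample_sas() {
cat <<'EOF'
vco2: #2, ESTABLISHED, IKEv2, c2786dfe3bc7d7e0_i* 75e148eba08c17e1_r
  local  '1.1.1.1' @ 172.16.0.195[4500]
  remote '2.2.2.2' @ 2.2.2.2[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  vco_child2: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1024
    local  172.16.0.0/16
    remote 192.168.0.0/24
vco1: #1, CONNECTING, IKEv2, 3d3396aa3797c86f_i* 0000000000000000_r
  local  '1.1.1.1' @ 172.16.0.195[500]
  remote '1.1.1.2' @ 1.1.1.2[500]
EOF
}
# ike_state OUTPUT CONN: state of CONN's IKE_SA (ESTABLISHED, CONNECTING, ...) or MISSING.
ike_state() {
    printf '%s\n' "$1" | awk -v conn="$2" '
        $1 == (conn ":") { s = $3; sub(/,$/, "", s); print s; found = 1; exit }
        END { if (!found) print "MISSING" }'
}
# child_state OUTPUT CONN: state of the first CHILD_SA listed under CONN, or MISSING.
# Top-level (unindented) lines start a new IKE_SA block; CHILD_SA lines carry "reqid".
child_state() {
    printf '%s\n' "$1" | awk -v conn="$2" '
        /^[^ ]/ { in_conn = ($1 == (conn ":")) }
        in_conn && $3 == "reqid" { s = $5; sub(/,$/, "", s); print s; found = 1; exit }
        END { if (!found) print "MISSING" }'
}
# check_tunnels OUTPUT: one status line per tunnel; exit status 0 only if both are up.
check_tunnels() {
    down=0
    for conn in vco1 vco2; do
        ike=$(ike_state "$1" "$conn"); child=$(child_state "$1" "$conn")
        if [ "$ike" = ESTABLISHED ] && [ "$child" = INSTALLED ]; then
            echo "$conn: UP (IKE_SA $ike, CHILD_SA $child)"
        else
            echo "$conn: DOWN (IKE_SA $ike, CHILD_SA $child)"; down=$((down + 1))
        fi
    done
    [ "$down" -eq 0 ]
}
# Stand-alone run against the constructed sample; on the device use "$(swanctl --list-sas)".
if check_tunnels "$(sample_sas)"; then echo "both tunnels up"; else echo "tunnel(s) down"; fi
```

A non-zero exit status from `check_tunnels` is what a cron job or monitoring agent should alert on; a tunnel that sits in CONNECTING usually means the PSK, proposals, or firewall rules from steps 3 and 5 do not match the Huawei Cloud side.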