Configuration in the On-Premises Data Center
Notes and Constraints
This section uses a strongSwan device running 64-bit CentOS 8.2 as an example. For other operating systems, see the official strongSwan documentation.
Procedure
- Download the strongSwan installation package from the official website.
The installation and configuration methods may vary with the strongSwan version. This example uses strongSwan 5.9.10.
- Install the strongSwan software.
- Log in to the CentOS 8.2 operating system as the root user and open the CLI window.
- Upload the strongSwan installation package to a directory on the CentOS operating system, for example, /opt/.
- Run the following command to go to the directory where the installation package is stored:
- Run the following command to install strongSwan:
rpm -ivh strongswan-5.9.10-1.el8.x86_64.rpm --force --nodeps
strongswan-5.9.10-1.el8.x86_64.rpm is the installation package name. Replace it with the actual one. Note that --nodeps skips the RPM dependency check and --force allows the package to overwrite files owned by other packages. Use these options only if you have verified the package's dependencies yourself; a missing dependency typically shows up later as a plugin that fails to load.
If the following information is displayed, the installation is successful:
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:strongswan-5.9.10-1.el8          ################################# [100%]
- Run the following command to check the strongSwan version:
The following information is displayed (U is the strongSwan userland version, K the running kernel version):
Linux strongSwan U5.9.10/K4.18.0-348.7.1.el8_5.x86_64
University of Applied Sciences Rapperswil, Switzerland
- Configure firewall policies.
- Run the following command to permit the ESP protocol (IP protocol number: 50):
- Run the following command to permit UDP port 500:
- Run the following command to permit UDP port 4500:
- Enable the traffic forwarding function.
Run the following command to enable traffic forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
The preceding command takes effect immediately but does not persist: after the strongSwan device is restarted, you need to run it again. To permanently enable traffic forwarding on the strongSwan device, perform the following operations:
- Run the following command to open the /etc/sysctl.conf file:
vi /etc/sysctl.conf
- Add the following configuration to the file:
net.ipv4.ip_forward = 1
- Press Esc, enter :wq, and press Enter.
The system saves the configuration and exits the editor.
- Run the following command for the configuration to take effect:
- Configure dual tunnels.
- Run the following command to back up the strongSwan configuration file:
mv /etc/strongswan/swanctl/swanctl.conf /etc/strongswan/swanctl/swanctl.conf.bak
- Run the following command to open the strongSwan configuration file:
- Add the following configurations according to the data plan:
connections {
    vco1 {                                   # IPsec VPN tunnel 1
        version = 2                          # IKE version; must match Huawei Cloud connection 1. 2 = IKEv2.
        local_addrs = 172.16.0.195           # Local (private) IP address of the strongSwan device.
        remote_addrs = 1.1.1.2               # Gateway IP address of Huawei Cloud connection 1.
        dpd_delay = 10
        rekey_time = 86400                   # IKE SA lifetime of tunnel 1; must match the IKE configuration of Huawei Cloud connection 1.
        over_time = 1800
        proposals = aes128-sha1-modp1024     # Encryption, authentication, and DH algorithms of tunnel 1; must match the IKE configuration of Huawei Cloud connection 1. modp1024 is DH group 2.
        encap = yes
        local {
            auth = psk                       # Local authentication mode: PSK.
            id = 1.1.1.1                     # Public IP address of the local egress.
        }
        remote {
            auth = psk                       # Huawei Cloud authentication mode: PSK.
            id = 1.1.1.2                     # Active EIP of Huawei Cloud connection 1.
        }
        children {
            vco_child1 {
                local_ts = 172.16.0.0/16     # Local private CIDR block of the protected data flows.
                remote_ts = 192.168.0.0/24   # VPC CIDR block of the protected data flows at the Huawei Cloud site.
                mode = tunnel
                rekey_time = 85500
                life_time = 86400            # IPsec SA lifetime of tunnel 1; must match the IPsec configuration of Huawei Cloud connection 1.
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes128-sha1-modp1024   # Encryption, authentication, and DH (PFS) algorithms of tunnel 1; must match the IPsec configuration of Huawei Cloud connection 1. modp1024 is DH group 2.
            }
        }
    }
    vco2 {                                   # IPsec VPN tunnel 2
        version = 2                          # IKE version; must match Huawei Cloud connection 2. 2 = IKEv2.
        local_addrs = 172.16.0.195           # Local (private) IP address of the strongSwan device.
        remote_addrs = 2.2.2.2               # Gateway IP address of Huawei Cloud connection 2.
        dpd_delay = 10
        rekey_time = 84600                   # IKE SA lifetime of tunnel 2; must match the IKE configuration of Huawei Cloud connection 2.
        over_time = 1800
        proposals = aes128-sha1-modp1024     # Encryption, authentication, and DH algorithms of tunnel 2; must match the IKE configuration of Huawei Cloud connection 2. modp1024 is DH group 2.
        encap = yes
        local {
            auth = psk                       # Local authentication mode: PSK.
            id = 1.1.1.1                     # Public IP address of the local egress.
        }
        remote {
            auth = psk                       # Huawei Cloud authentication mode: PSK.
            id = 2.2.2.2                     # Standby EIP of Huawei Cloud connection 2.
        }
        children {
            vco_child2 {
                local_ts = 172.16.0.0/16     # Local private CIDR block of the protected data flows.
                remote_ts = 192.168.0.0/24   # VPC CIDR block of the protected data flows at the Huawei Cloud site.
                mode = tunnel
                rekey_time = 85500
                life_time = 86400            # IPsec SA lifetime of tunnel 2; must match the IPsec configuration of Huawei Cloud connection 2.
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = aes128-sha1-modp1024   # Encryption, authentication, and DH (PFS) algorithms of tunnel 2; must match the IPsec configuration of Huawei Cloud connection 2. modp1024 is DH group 2. (aes is shorthand for aes128 in strongSwan.)
            }
        }
    }
}
secrets {
    ike-vco1 {
        secret = Test@123                    # PSK of tunnel 1; must match Huawei Cloud connection 1.
    }
    ike-vco2 {
        secret = Test@123                    # PSK of tunnel 2; must match Huawei Cloud connection 2.
    }
}
Test@123 is only a placeholder: use a long, randomly generated PSK in production. Because swanctl.conf (and the .bak copy made in the previous step) contains the PSKs, keep both files readable by root only (mode 600). Also note that modp1024 (DH group 2) and SHA-1 are weak by current standards; if the Huawei Cloud connections are configured with stronger algorithms (for example AES-256, SHA2-256 and DH group 14/modp2048), use the matching proposal here.
- Press Esc, enter :wq, and press Enter.
The system saves the configuration and exits the editor.
- Run the following command to restart the strongSwan process:
- Run the following command to check the tunnel status:
Information similar to the following is displayed. Both connections must be in the ESTABLISHED state. The warning about the 'sqlite' plugin is harmless for this configuration, which does not use the database backend.
ecs-b6b4-strongswan: Tue Mar 11 16:51:19 2025
plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
vco2: #2, ESTABLISHED, IKEv2, c2786dfe3bc7d7e0_i* 75e148eba08c17e1_r
...
vco1: #1, ESTABLISHED, IKEv2, 3d3396aa3797c86f_i* d89bb869311c580c_r
...
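The whole procedure above, as one added shell example (this is not code from the Huawei Cloud page or from the strongSwan project): it renders the dual-tunnel swanctl.conf from a few variables, binds each PSK to its peer identity, writes the file so that only root can read it, and parses `swanctl --list-sas` output to confirm that both tunnels are ESTABLISHED. Assumptions: firewalld (the CentOS 8 default) and the strongswan systemd unit installed by the RPM are present; the addresses, CIDRs and proposal are the placeholders from the data plan above; the sample listing is constructed so that the check functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the Huawei Cloud page or the strongSwan project.
# Assumes firewalld and the strongswan systemd unit; addresses and CIDRs are
# the placeholders from the data plan above.
set -eu

LOCAL_ADDR=172.16.0.195          # on-prem strongSwan interface address
LOCAL_ID=1.1.1.1                 # on-prem public egress address (IKE identity)
REMOTE1=1.1.1.2                  # Huawei Cloud connection 1 gateway EIP
REMOTE2=2.2.2.2                  # Huawei Cloud connection 2 gateway EIP
LOCAL_TS=172.16.0.0/16           # on-prem protected CIDR block
REMOTE_TS=192.168.0.0/24         # VPC CIDR block on the cloud side
# Must match the cloud side. modp1024 (DH group 2) and SHA-1 are weak by today's
# standards; prefer e.g. aes256-sha256-modp2048 if the cloud connection allows it.
PROPOSAL=aes128-sha1-modp1024
CONF=/etc/strongswan/swanctl/swanctl.conf

# Print one IKEv2 connection block: $1 connection name, $2 child name, $3 remote gateway.
render_conn() {
    cat <<EOF
    $1 {
        version = 2
        local_addrs = $LOCAL_ADDR
        remote_addrs = $3
        dpd_delay = 10
        rekey_time = 86400
        over_time = 1800
        proposals = $PROPOSAL
        encap = yes
        local {
            auth = psk
            id = $LOCAL_ID
        }
        remote {
            auth = psk
            id = $3
        }
        children {
            $2 {
                local_ts = $LOCAL_TS
                remote_ts = $REMOTE_TS
                mode = tunnel
                rekey_time = 85500
                life_time = 86400
                dpd_action = restart
                start_action = start
                close_action = start
                esp_proposals = $PROPOSAL
            }
        }
    }
EOF
}

# Print the complete swanctl.conf. $1 is the PSK shared with both cloud connections
# (generate it with e.g. "openssl rand -base64 32", not a word like Test@123).
# Each secret carries the peer's "id" so it is only ever offered to that peer.
render_swanctl_conf() {
    printf 'connections {\n'
    render_conn vco1 vco_child1 "$REMOTE1"
    render_conn vco2 vco_child2 "$REMOTE2"
    printf '}\nsecrets {\n'
    printf '    ike-vco1 {\n        id = %s\n        secret = %s\n    }\n' "$REMOTE1" "$1"
    printf '    ike-vco2 {\n        id = %s\n        secret = %s\n    }\n' "$REMOTE2" "$1"
    printf '}\n'
}

# Count distinct IKE SAs in ESTABLISHED state in `swanctl --list-sas` output read from stdin.
established_tunnels() {
    grep -E '^[A-Za-z0-9_-]+: #[0-9]+, ESTABLISHED, IKEv2' | sed 's/:.*//' | sort -u | wc -l | tr -d ' '
}
# Succeed only if connection $1 has an ESTABLISHED IKE SA in the listing read from stdin.
tunnel_established() {
    grep -Eq "^$1: #[0-9]+, ESTABLISHED, "
}

# Constructed sample of `swanctl --list-sas` output with both tunnels up (offline check data).
SAMPLE_LISTING=$(cat <<'EOF'
vco2: #2, ESTABLISHED, IKEv2, c2786dfe3bc7d7e0_i* 75e148eba08c17e1_r
  local  '1.1.1.1' @ 172.16.0.195[4500]
vco1: #1, ESTABLISHED, IKEv2, 3d3396aa3797c86f_i* d89bb869311c580c_r
  local  '1.1.1.1' @ 172.16.0.195[4500]
EOF
)

# Firewall, forwarding, config file and daemon restart (run as root: ./script.sh apply <psk>).
apply() {
    for r in --add-protocol=esp --add-port=500/udp --add-port=4500/udp; do firewall-cmd --permanent "$r"; done
    firewall-cmd --reload
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ipsec-forward.conf
    umask 077                                   # swanctl.conf and its backup hold the PSK: mode 600
    if [ -f "$CONF" ]; then cp "$CONF" "$CONF.bak"; fi
    render_swanctl_conf "$1" > "$CONF"
    systemctl restart strongswan && sleep 5     # the unit runs swanctl --load-all after start
    swanctl --list-sas | tunnel_established vco1 && swanctl --list-sas | tunnel_established vco2
}

if [ "${1:-}" = apply ]; then apply "${2:?usage: $0 apply <psk>}"; fi
```

Running the script without arguments only defines the functions, so it can be sourced to check a live listing with `swanctl --list-sas | established_tunnels`; `apply <psk>` performs the firewall, forwarding, file and restart steps and exits non-zero unless both tunnels come up.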