Using strongSwan to Configure On- and Off-Cloud Communication
Scenarios
The VPC on the cloud has VPN gateways and VPN connections. Servers in the customer data center have IPsec software installed to interconnect with the cloud. One-to-one NAT mapping has been configured between the customer server IP addresses and the public IP addresses on the network egress.
Topology Connection
Figure 1 shows the topology connection and policy negotiation configurations.
The VPN gateway IP address of the VPC is 11.11.11.11 and the local subnet is 192.168.200.0/24.
The NAT mapping IP address of the customer server is 22.22.22.22 and the local subnet is 192.168.222.0/24.
The ECS IP address and the customer server IP address are 192.168.200.200 and 192.168.222.222, respectively.
The negotiation parameters of the VPN connection use the default configurations defined on Huawei Cloud.
Configuration Procedure
The configurations may vary according to the strongSwan version. The following uses strongSwan 5.7.2 as an example to describe the VPN configurations of strongSwan in the Linux system.
- Install the IPsec VPN client.
yum install strongswan
During the installation, enter Y when prompted. The installation is complete when the message "Complete!" is displayed. The strongSwan configuration files are stored in the /etc/strongswan directory. For this configuration you only need to edit the ipsec.conf and ipsec.secrets files.
- Enable IPv4 forwarding.
vim /etc/sysctl.conf
- Add the following content to this file:
net.ipv4.ip_forward = 1
- Run the /sbin/sysctl -p command for the forwarding configuration to take effect.
- Configure iptables.
Run the iptables -L command to check whether the firewall is disabled or data flow forwarding is allowed. Output with all three chains set to ACCEPT and no rules means traffic is not filtered:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
- Configure the pre-shared key.
vim /etc/strongswan/ipsec.secrets    # Edit the ipsec.secrets file.
Add the following line to this file:
22.22.22.22 11.11.11.11 : PSK "IPsec-key"
Format: the local IP address used for the connection (22.22.22.22), a space, the customer gateway IP address (11.11.11.11), a space, a colon (:), a space, the keyword PSK in uppercase, a space, and the pre-shared key. There must be a space on each side of the colon, and the key must be enclosed in double quotation marks.
- Configure the IPsec connection.
vim /etc/strongswan/ipsec.conf
Add the following content to this file:
config setup

conn strong_IPsec                 # Set the connection name to strong_IPsec.
    auto=route                    # The value can be add, route, or start.
    type=tunnel                   # Enable the tunnel mode.
    compress=no                   # Disable compression.
    leftauth=psk                  # Set the local authentication mode to PSK.
    rightauth=psk                 # Set the remote authentication mode to PSK.
    ikelifetime=86400s            # Set the lifetime of IKE SAs.
    lifetime=3600s                # Set the lifetime of IPsec SAs.
    keyexchange=ikev1             # Set the IKE version to version 1.
    ike=aes128-sha1-modp1536!     # Set the algorithm and group in the IKE policy based on the configuration of the VPN gateway.
    esp=aes128-sha1-modp1536!     # Set the algorithm and group in the IPsec policy based on the configuration of the VPN gateway.
    leftid=22.22.22.22            # Set the local ID.
    left=192.168.222.222          # Set the local IP address. The value must be the actual host IP address in the NAT scenario.
    leftsubnet=192.168.222.0/24   # Set the local subnet.
    rightid=11.11.11.11           # Set the ID of the VPN gateway.
    right=11.11.11.11             # Set the VPN gateway IP address.
    rightsubnet=192.168.200.0/24  # Set the subnet of the VPN gateway.
For details about the bits of DH groups used by Huawei Cloud VPN, see What Are the Bits of the DH Groups Used by Huawei Cloud VPN?.
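The pre-shared key line and the conn section must agree with each other and with the proposal configured on the VPN gateway, and in the NAT scenario the selectors in ipsec.secrets are the IDs (22.22.22.22 and 11.11.11.11), not the host address in left=. The following added example (not part of this page or of strongSwan) parses constructed copies of both files and reports the mismatches that most often stall the negotiation; the gateway proposal is passed in as a parameter.

```python
import re
# Constructed samples mirroring the page's two files (not read from /etc/strongswan).
IPSEC_CONF = """
config setup
conn strong_IPsec
    ike=aes128-sha1-modp1536!     # trailing '!' makes the proposal strict
    esp=aes128-sha1-modp1536!
    leftid=22.22.22.22            # ID sent to the gateway: the NAT public IP
    left=192.168.222.222          # actual host IP behind the NAT
    leftsubnet=192.168.222.0/24
    rightid=11.11.11.11
    right=11.11.11.11
    rightsubnet=192.168.200.0/24
"""
IPSEC_SECRETS = '22.22.22.22 11.11.11.11 : PSK "IPsec-key"\n'

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section, dropping # comments."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif line.startswith("config "):
            cur = None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def parse_secrets(text):
    """Return [(selector_ids, psk)] for each 'id id : PSK "key"' line of ipsec.secrets."""
    pat = re.compile(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$')
    return [(frozenset(m.group(1).split()), m.group(2))
            for m in map(pat.match, text.splitlines()) if m]

def check_conn(conn, secrets, gateway_proposal):
    """List the mismatches that would make the gateway reject the negotiation."""
    problems = []
    ids = frozenset((conn.get("leftid"), conn.get("rightid")))
    if not any(sel == ids for sel, _ in secrets):      # selectors are matched against leftid/rightid
        problems.append("no PSK line whose selectors match leftid and rightid")
    for key in ("ike", "esp"):
        prop = conn.get(key, "")
        if not prop.endswith("!"):
            problems.append(f"{key}= proposal is not strict (missing trailing '!')")
        if prop.rstrip("!") != gateway_proposal:
            problems.append(f"{key}= proposal differs from the gateway's {gateway_proposal}")
    return problems
```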
- Start the service.
service strongswan stop # Stop the service.
service strongswan start # Start the service.
service strongswan restart # Restart the service.
strongswan stop # Disable the connection.
strongswan start # Enable the connection.
Restart the service and enable the connection after each modification.
Configuration Verification
Run the strongswan statusall command to check the connection status:
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.5.1.el7.x86_64, x86_64):
  uptime: 5 minutes, since Apr 24 19:25:29 2019
  malloc: sbrk 1720320, mmap 0, used 593088, free 1127232
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  192.168.222.222
Connections:
strong_IPsec:  192.168.222.222...11.11.11.11  IKEv1
strong_IPsec:   local:  [22.22.22.22] uses pre-shared key authentication
strong_IPsec:   remote: [11.11.11.11] uses pre-shared key authentication
strong_IPsec:   child:  192.168.222.0/24 === 192.168.200.0/24 TUNNEL
Routed Connections:
strong_IPsec{1}:  ROUTED, TUNNEL, reqid 1
strong_IPsec{1}:   192.168.222.0/24 === 192.168.200.0/24
Security Associations (0 up, 1 connecting):
strong_IPsec[1]: CONNECTING, 192.168.222.222[%any]...11.11.11.11[%any]
strong_IPsec[1]: IKEv1 SPIs: c3090f6512ec6b7d_i* 0000000000000000_r
strong_IPsec[1]: Tasks queued: QUICK_MODE QUICK_MODE
strong_IPsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
Ping the server with the IPsec client installed in VPC 2 from VPC 1.
ping 192.168.222.222
PING 192.168.222.222 (192.168.222.222) 56(84) bytes of data.
64 bytes from 192.168.222.222: icmp_seq=1 ttl=62 time=3.07 ms
64 bytes from 192.168.222.222: icmp_seq=2 ttl=62 time=3.06 ms
64 bytes from 192.168.222.222: icmp_seq=3 ttl=62 time=3.98 ms
64 bytes from 192.168.222.222: icmp_seq=4 ttl=62 time=3.04 ms
64 bytes from 192.168.222.222: icmp_seq=5 ttl=62 time=3.11 ms
64 bytes from 192.168.222.222: icmp_seq=6 ttl=62 time=3.71 ms
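The status output above reports 0 up, 1 connecting: the IKE SA is still in main mode and the child SA is only ROUTED (a trap policy installed by auto=route), so traffic is not yet protected. As an added example (not from this page or from strongSwan), the following parser turns strongswan statusall output into a readiness check; STATUS_UP is a constructed sample of the same connection once established, with constructed SPI values and the "ESP in UDP" marker charon prints when NAT traversal is in use.

```python
import re
# Constructed excerpt of the page's statusall output (trimmed to the SA sections).
STATUS_CONNECTING = """\
Routed Connections:
strong_IPsec{1}:  ROUTED, TUNNEL, reqid 1
Security Associations (0 up, 1 connecting):
strong_IPsec[1]: CONNECTING, 192.168.222.222[%any]...11.11.11.11[%any]
strong_IPsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
"""
# Constructed sample of the same connection after it comes up (SPIs are made up).
STATUS_UP = """\
Routed Connections:
strong_IPsec{1}:  ROUTED, TUNNEL, reqid 1
Security Associations (1 up, 0 connecting):
strong_IPsec[2]: ESTABLISHED 3 minutes ago, 192.168.222.222[22.22.22.22]...11.11.11.11[11.11.11.11]
strong_IPsec{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
strong_IPsec{2}:   192.168.222.0/24 === 192.168.200.0/24
"""
SA_LINE = re.compile(r"^(\S+)\[(\d+)\]:\s+([A-Z_]+)\b(.*)$")       # IKE SA state line
CHILD_LINE = re.compile(r"^(\S+)\{(\d+)\}:\s+([A-Z_]+),\s+(TUNNEL|TRANSPORT)")
COUNTS = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")

def parse_status(text):
    """Summarise counts, per-connection IKE SA state, child SA states and NAT-T."""
    info = {"up": 0, "connecting": 0, "ike": {}, "child": {}, "nat_t": False}
    for line in text.splitlines():
        m = COUNTS.match(line)
        if m:
            info["up"], info["connecting"] = int(m.group(1)), int(m.group(2))
            continue
        m = SA_LINE.match(line)
        if m:
            info["ike"][m.group(1)] = m.group(3)
            continue
        m = CHILD_LINE.match(line)
        if m:   # a conn can appear as ROUTED (trap) and INSTALLED (live SA) at once
            info["child"].setdefault(m.group(1), set()).add(m.group(3))
        if "ESP in UDP" in line:
            info["nat_t"] = True   # UDP encapsulation: NAT traversal was negotiated
    return info

def tunnel_ready(info, conn):
    """True only when the IKE SA is ESTABLISHED and a CHILD_SA is INSTALLED."""
    return (info["ike"].get(conn) == "ESTABLISHED"
            and "INSTALLED" in info["child"].get(conn, set()))
```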