StrongSwan: Configuring StrongSwan
Setup preface
Even though StrongSwan supports both versions of the IKE key exchange used by IPsec, IKEv1 and IKEv2, I'm going to limit myself to one of the two. IKEv1 is rather dated, and it causes problems in several ways, especially where NAT traversal is concerned. On top of that, its process for negotiating the connection keys is rather long-winded.
In this regard IKEv2 is much more mature, so it should be the variant of your choice for IPsec connections. Since StrongSwan supports both, you may make use of both if necessary, but I'm going to limit myself to explaining how to set up IKEv2 connections.
strongswan.conf
This file defines the behavior of StrongSwan itself. Here you find settings such as the plugins to be loaded, the cryptographic algorithms to be used, or even the identities StrongSwan uses when it connects to, for example, MySQL or a RADIUS server. Message logging and the internals of how StrongSwan handles IPsec are set here as well.
For this purpose the file is organized into sections, each introduced by a name and enclosed in curly brackets. A section may contain subsections as well as name-value pairs that set the individual parameters.
Please keep in mind that neither certification authorities nor connections can be defined in this file!
ipsec.conf
This file sets how StrongSwan deals with IPsec connections. Here you set global parameters that affect IPsec as a whole, and you define certification authorities and connection profiles. For the latter you specify individually how each certification authority and each connection is to be treated; you are also able to set default values that apply to all certification authorities or connections unless they are overridden where required.
This file may contain exactly one section for global settings, but you may define an arbitrary number of certification authorities and connections.
ipsec.secrets
Here you set the secrets used for access control. You may declare various types of secrets, from pre-shared keys and private keys to extended authentication credentials, smartcards and PKCS#12 containers.
The number of secrets contained in this file isn't limited.
The configuration
To configure StrongSwan you are required to modify all three files to best accommodate your needs. Normally it is necessary to modify strongswan.conf only once; afterwards its contents remain constant as far as possible. Further changes are only required if you intend to adjust your settings to incorporate new developments or to introduce additional StrongSwan features.
The other two files have to be touched every time you define new certification authorities or connections, or want to remove those that aren't needed any more. It is also necessary to modify these files when changes need to be made, e.g. to switch to another authentication method, to take subnets behind the endpoints into account, or simply because you want to switch modes for a connection.
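To show how the three files described above fit together, here is an added, constructed example (not from the original page) of a minimal IKEv2 gateway setup: a strongswan.conf with its curly-bracket sections, an ipsec.conf with its single global section, a certification authority, connection defaults and one connection, and the matching ipsec.secrets entries. The names vpn.example.org, the certificate and key file names, the subnets and the user alice are assumptions.

```conf
# --- /etc/strongswan.conf: daemon behavior, sections in curly brackets ---
charon {
    # name-value pairs and a subsection; no CAs or connections belong here
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

# --- /etc/ipsec.conf: exactly one global section, any number of ca/conn ---
config setup
    # assumption: moderate IKE/kernel logging so negotiations can be audited
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=yes

ca example-root
    # the CA is declared here, never in strongswan.conf
    cacert=caCert.pem          # assumed file under /etc/ipsec.d/cacerts
    auto=add

conn %default
    # defaults inherited by every conn below unless overridden there
    keyexchange=ikev2          # IKEv1 is not offered at all
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    ikelifetime=60m
    lifetime=20m
    dpdaction=clear
    dpddelay=30s
    rekey=yes

conn roadwarrior
    left=%any                  # gateway side: answer on any local address
    leftid=@vpn.example.org    # assumed gateway identity, must match its cert
    leftcert=gatewayCert.pem   # assumed file under /etc/ipsec.d/certs
    leftauth=pubkey
    leftsubnet=10.0.0.0/24     # assumed subnet behind the gateway
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2     # extended authentication for the clients
    rightsourceip=10.10.0.0/24 # assumed virtual IP pool for clients
    eap_identity=%identity
    auto=add

# --- /etc/ipsec.secrets: private key and EAP credential, root-readable only ---
: RSA gatewayKey.pem           # assumed private key under /etc/ipsec.d/private
alice : EAP "constructed-example-password"
```

Switching a client from EAP to certificates, or adding another subnet, touches only ipsec.conf and ipsec.secrets; strongswan.conf stays as it is.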