Home / server / Questions / 906111
Accepted
Christian
Asked: 2018-04-06 00:21:38 +0800 CST

StrongSwan build and run at startup

  • 772

I've been asked to deploy an IPSEC server for a project and after doing some research, StrongSwan looks like a good candidate. Since this project requires top security, I decided to install the latest version of StrongSwan (5.6.2) as it seems to fix a few security issues and what-not.

So I've spent the past few days working out how to configure it, which I have been able to do using /etc/ipsec.conf, however, on reading StrongSwan's website, is now a legacy way of setting it up.

The recommended way of configuring strongSwan is via the powerful vici interface and the swanctl command line tool. The swanctl.conf configuration file used by swanctl is stored together with certificates and corresponding private keys in the swanctl directory. Global strongSwan settings as well as plugin-specific configurations are defined in strongswan.conf.

Alternatively the legacy ipsec stroke interface and its ipsec.conf and ipsec.secrets configuration files may be used.

So now I am in the process of trying to change the configuration to use a file stored in /etc/swanctl/conf.d instead...

So my question is this:

Does anyone know how to build StrongSwan from source and have it start with the Server (Ubuntu 16.04) and use the new configuration method?

My configure line looks like this

./configure --prefix=/usr --sysconfdir=/etc \
  --enable-systemd --enable-swanctl \
  --disable-charon --disable-stroke --disable-scepclient \
  --enable-gcm --enable-eap-tls

but this still doesnt start with the Server, nor can I find any strongswan or strongswan-swanctl for startup.

My current ipsec.conf looks like this

conn %default
 auto=add
 forceencaps=yes
 keyexchange=ikev2
 keyingtries=1
 ike=aes256-sha256-modp2048!
 esp=aes256-sha256,aes128-sha256!
 dpdaction=clear
 inactivity=120s
 leftsendcert=always
 leftcert=vpn-server-cert.pem
 leftsubnet=10.0.0.0/20
 leftid=@vpnserver
 rightsourceip=172.16.0.0/12
 eap_identity=%identity

conn ikev2-cert
 rightauth=eap-tls

which 'I think' translates to this

connections {
   rw {
      version = 2
      send_certreq = yes
      proposals = aes256-sha256-modp2048!
      encap = yes
      dpd_delay = 30s
      local {
         auth = eap-tls 
         certs = vpn-server-cert.pem
         id = vpnserver
      }
      remote {
         auth = eap-tls 
      }
      children {
         net {
            local_ts  = 172.16.0.0/12 
            esp_proposals = aes256-sha256,aes128-sha256!
            inactivity = 120s
         }
      }
   }
}
strongswan

2 Answers

  1. Best Answer

    If you configure with --enable-systemd the charon-systemd daemon will be built and a systemd service unit named strongswan will be installed. You can manage that (like any other systemd unit) with systemctl. So to start it at system boot enable the unit with:

    sudo systemctl enable strongswan.service

    (Note: The systemd service unit was called strongswan-swanctl before 5.8.0.)

    Also, a more accurate translation of the config is the following:

    connections {
   rw {
      version = 2
      send_cert = always
      proposals = aes256-sha256-modp2048
      encap = yes
      pools = rw
      # dpd_delay = 30s you didn't specify this in your ipsec.conf and it seems rather short for roadwarriors
      local {
         certs = vpn-server-cert.pem
         id = vpnserver
      }
      remote {
         auth = eap-tls 
         eap_id = %any
      }
      children {
         net {
            local_ts  = 10.0.0.0/20
            esp_proposals = aes256-sha256,aes128-sha256
            inactivity = 120s
         }
      }
   }
}

pools {
   rw {
     addrs = 172.16.0.0/12 
   }
}
    • 6

  2. I just wanted to add something on top of what "ecdsa" anwser above.

    For the people that have just installed strongswan using the ubuntu packages and not with ./configure ... build.

    If you can't find the service "strongswan-swanctl" or you can't install it, the package name in ubuntu is "charon-systemd".

    So to install the package:

    sudo apt-get install charon-systemd

    And to enable the service:

    systemctl enable strongswan-swanctl
    • 4