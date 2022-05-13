strongSwan
This tutorial contains a sample template of the
ipsec.conf file for a working IPsec tunnel configuration established between a Linux machine running strongSwan and Cloudflare’s Magic service.
This
ipsec.conf file is typically located in the
/etc directory of the Linux machine.
Configuration parameters
Phase 1
- Encryption
- AES-CBC with 256-bit key length
- AES-GCM with 256-bit key length
- Integrity
- SHA-256
- Diffie-Hellman group
- DH group 14 (2048-bit MODP group)
- PRF
- SHA-512
Phase 2
- Encryption
- AES with 256-bit key length
- Integrity
- SHA-256
- Diffie-Hellman group
- DH group 14 (2048-bit MODP group)
Configuration template
config setup charondebug="all" uniqueids=yes
conn %default ikelifetime=4h rekey=yes reauth=no keyexchange=ikev2 authby=secret dpdaction=restart closeaction=restart
conn <tunnel_name> auto=start mark = 50 type=tunnel fragmentation=no leftauth=psk left=<IP_ADDR_OF_LINUX_UPLINK_TO_CF> leftid=<IPSEC_ID_STRING_IN_RESULT_OF_PSK_KEY-GEN_VIA_CF_API> leftsubnet=0.0.0.0/0 right=<CF_ANYCAST_IP> rightid=<CF_ANYCAST_IP> rightsubnet=0.0.0.0/0 rightauth=psk ike=aes256gcm16-prfsha512-modp2048 esp=aes256gcm16-prfsha512-modp2048 replay_window=0
Dead Peer Detection (DPD)
In the above
ipsec.conf file in
conn %default section, setting
dpdaction=restart enables Dead Peer Detection (DPD) to actively check and re-establish IPsec tunnels in the event of communication timeouts. In addition,
closeaction=restart is set to actively re-establish the tunnels in the event that the remote peer (usually a Cloudflare Magic service) unexpectedly closes it.
If you do not prefer this behavior, set the above parameters to
none or remove them from the configuration file.
The
mark parameter is a user-assigned 32-bit value/mask that marks or labels the xfrm route policy used for the tunnel connection. In the example file, the value is
50. You can choose any number you prefer within the 0 to 2^32 range, for example, 77, 1234, 888, and etc. When creating the VTI interface for a given IPsec tunnel, the VTI key value must match the mark value for the corresponding IPsec tunnel defined in the
ipsec.conf file.
strongwan.conf file
Update the
/etc/strongswan.conf file with the configuration shown below. Specifically,
install_routes = no disables strongSwan from installing a default route in route table 220, which strongSwan automatically creates. strongSwan then forces a route lookup in route table 220 via an IP rule policy it automatically configures in the system. This default behavior of strongSwan often interferes with the user’s desired routing behavior and should be disabled as the user sees fit.
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon { load_modular = yes install_routes = no install_virtual_ip = no
plugins { include strongswan.d/charon/*.conf }
}
include strongswan.d/*.conf