How to Set Up IPsec-based VPN with Strongswan on CentOS/RHEL 8

strongSwan is an open-source, multi-platform, modern and complete IPsec-based VPN solution for Linux that provides full support for Internet Key Exchange (both IKEv1 and IKEv2) to establish security associations (SA) between two peers. It is full-featured, modular by design and offers dozens of plugins that enhance the core functionality.

Related Article: How to Set Up IPsec-based VPN with Strongswan on Debian and Ubuntu

In this article, you will learn how to set up site-to-site IPsec VPN gateways using strongSwan on CentOS/RHEL 8 servers. This enables peers to authenticate each other using a strong pre-shared key (PSK). A site-to-site setup means each security gateway has a sub-net behind it.

Testing Environment

Do not forget to use your real-world IP addresses during the configurations while following the guide.

Site 1 Gateway
Public IP: 192.168.56.7
Private IP: 10.10.1.1/24
Private Subnet: 10.10.1.0/24
Site 2 Gateway
Public IP:  192.168.56.6
Private IP: 10.20.1.1/24
Private Subnet: 10.20.1.0/24

Step 1: Enabling Kernel IP Forwarding in CentOS 8

1. Start by enabling kernel IP forwarding functionality in /etc/sysctl.conf configuration file on both VPN gateways.

# vi /etc/sysctl.conf

Add these lines in the file.

net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0 

2. After saving the changes in the file, run the following command to load the new kernel parameters in runtime.

# sysctl -p

3. Next, create a permanent static route in the file /etc/sysconfig/network-scripts/route-eth0 on both security gateways.

# vi /etc/sysconfig/network-scripts/route-eth0

Add the following line in the file.

#Site 1 Gateway
10.20.1.0/24  via 192.168.56.7

#Site 2 Gateway
10.10.1.0/24 via 192.168.56.6

4. Then restart the network manager to apply the new changes.

# systemctl restart NetworkManager

Step 2: Installing strongSwan in CentOS 8

5. The strongswan package is provided in the EPEL repository. To install it, you need to enable the EPEL repository, then install strongwan on both security gateways.

# dnf install epel-release
# dnf install strongswan

6. To check the version of strongswan installed on both gateways, run the following command.

# strongswan version

7. Next, start the strongswan service and enable it to automatically start at system boot. Then verify the status on both security gateways.

# systemctl start strongswan 
# systemctl enable strongswan
# systemctl status strongswan

Note: The latest version of strongswan in CentOS/REHL 8 comes with support for both swanctl (a new, portable command-line utility introduced with strongSwan 5.2.0, used to configure, control and monitor the IKE daemon Charon using the vici plugin) and starter (or ipsec) utility using the deprecated stroke plugin.

8. The main configuration directory is /etc/strongswan/ which contains configuration files for both plugins:

# ls /etc/strongswan/
Strongswan Configuration Structure
Strongswan Configuration Structure

For this guide, we will use IPsec utility which is invoked using the strongswan command and the stroke interface. So we will use the following configuration files:

  • /etc/strongswan/ipsec.conf – configuration file for the strongSwan IPsec subsystem.
  • /etc/strongswan/ipsec.secrets – secrets file.

Step 3: Configuring Security Gateways

9. In this step, you need to configure the connection profiles on each security gateways for each site using the /etc/strongswan/ipsec.conf strongswan configuration file.

Configuring Site 1 Connection Profile

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration in the file.

config setup
        charondebug="all"
        uniqueids=yes
conn ateway1-to-gateway2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.7
        leftsubnet=10.10.1.1/24
        right=192.168.56.6
        rightsubnet=10.20.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Configuring Site 2 Connection Profile

# cp /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.orig
# vi /etc/strongswan/ipsec.conf

Copy and paste the following configuration in the file:

config setup
        charondebug="all"
        uniqueids=yes
conn 2gateway-to-gateway1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=192.168.56.6
        leftsubnet=10.20.1.1/24
        right=192.168.56.7
        rightsubnet=10.10.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Let’s briefly describe each of the configuration parameters above:

  • config setup – defines the general configuration information for IPSec which applies to all connections.
  • charondebug – specifies how much Charon debugging output should be logged.
  • uniqueids – defines whether a particular participant ID should be kept unique.
  • conn gateway1-to-gateway2 – used to set the connection name.
  • type – defines connection type.
  • Auto – used to declare how to handle connection when IPSec is started or restarted.
  • keyexchange – declares the version of the IKE protocol to use.
  • authby – specifies how peers should authenticate each other.
  • left – declares the IP address of the left participant’s public-network interface.
  • leftsubnet – declares the private subnet behind the left participant.
  • right – declares the IP address of the right participant’s public-network interface.
  • rightsubnet – declares the private subnet behind the left participant.
  • ike – used to declare a list of IKE/ISAKMP SA encryption/authentication algorithms to be used. Note that this can be a comma-separated list.
  • esp – specifies a list of ESP encryption/authentication algorithms to be used for the connection.
  • aggressive – declares whether to use Aggressive or Main Mode.
  • keyingtries – declares the number of attempts that should be made to negotiate a connection.
  • ikelifetime – specifies how long the keying channel of a connection should last before being renegotiated.
  • lifetime – specifies how long a particular instance of a connection should last, from successful negotiation to expiry.
  • dpddelay – declares the time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
  • dpdtimeout – used to declare the timeout interval, after which all connections to a peer are deleted in case of inactivity.
  • dpdaction – specifies how to use the Dead Peer Detection(DPD) protocol to manage the connection.

You can find a description of all configuration parameters for the strongSwan IPsec subsystem by reading the ipsec.conf man page.

# man ipsec.conf

Step 4: Configuring PSK for Peer-to-Peer Authentication

10. Next, you need to generate a strong PSK to be used by the peers for authentication as follows.

# head -c 24 /dev/urandom | base64
Generate PSK Key
Generate PSK Key

11. Add the PSK in the /etc/strongswan/ipsec.conf file on both security gateways.

# vi /etc/strongswan/ipsec.secrets

Enter the following line in the file.

#Site 1 Gateway
192.168.56.7  192.168.56.6 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"

#Site 1 Gateway
192.168.56.6  192.168.56.7 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"

12. Then start the strongsan service and check the status of connections.

# systemctl restart strongswan
# strongswan status
Check Strongswan Connections
Check Strongswan Connections

13. Test if you can access the private sub-nets from either security gateways by running a ping command.

# ping 10.20.1.1
# ping 10.10.1.1
Ping Security Gateways
Ping Security Gateways

14. Last but not least, to learn more strongswan commands to manually bring up/down connections and more, see the strongswan help page.

# strongswan --help

That’s all for now! To share your thoughts with us or ask questions, reach us via the feedback form below. And to learn more about the new swanctl utility and the new more flexible configuration structure, see the strongSwan User Documentation.

If you liked this article, then do subscribe to email alerts for Linux tutorials. If you have any questions or doubts? do ask for help in the comments section.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

5 thoughts on “How to Set Up IPsec-based VPN with Strongswan on CentOS/RHEL 8”

  1. Hi Guys,

    Thanks for the step by step configuration.

    I’ve one issue, I have a site 2 site VPN (strongswan–&–Cisco ASA), after a period of ideal time the VPN got disconnected, and to bring it back I need to restart strongswan.

    is there is any way to make the VPN always up?

    Reply
    • @Naji

      There should be something wrong with your configuration, causing the timeout. If well configured, the VPN should always be up. Try to check the logs for any relevant error messages.

      Reply
  2. Hi, I have followed the complete way you have shared here. But still, I stuck on connecting mode. Can you help me with this?

    Site 1 Gateway
    Public IP: 72.21.25.196
    Private IP: 192.168.0.101
    Private Subnet: 10.10.1.0/24
    Site 2 Gateway
    Public IP: 149.20.188.62
    Private IP: 10.0.2.15
    Private Subnet: 10.20.1.0/24

    config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug=”all”
    uniqueids=yes

    # Add connections here.
    conn ateway1-to-gateway2
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=72.21.25.196
    leftsubnet=192.168.0.101/24
    right=149.20.188.62
    rightsubnet=10.0.2.15/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=86400s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

    config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug=”all”
    uniqueids=yes

    # Add connections here.
    conn 2gateway-to-gateway1
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=149.20.188.62
    leftsubnet=10.0.2.15/24
    right=72.21.25.196
    rightsubnet=192.168.0.101/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=86400s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

    Let me know if anything is wrong here. It will be a great help for me.

    Reply
  3. Hello, I think in step 12 you must have write

    #Site 2 Gateway
    192.168.56.6  192.168.56.7 : PSK "0GE0dIEA0IOSYS2o22wYdicj/lN4WoCL"
    

    and the phrase shared, it could be any phrase

    Reply

Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.