Setting up IPsec tunnel using Strongswan – CentOS6

Setting up an IPsec tunnel using Strongswan on CentOS 6, using a pre-shared key (PSK) to authenticate both ends.

The first step is installing Strongswan on the box; we'll use yum to do this. On CentOS 6 the package comes from the EPEL repository, so enable that first if yum can't find it.

yum install strongswan

Answer y when it asks you to confirm.
Then change into the directory that holds the per-connection config files:

cd /etc/strongswan/ipsec.d/

On Ubuntu and Debian the packaged paths are /etc/ipsec.conf and /etc/ipsec.d/ instead; the /etc/strongswan/ prefix is a Red Hat packaging choice.

Then create a new file there with the text editor of your choice; I'm using vi because it's what I have installed.

vi testtun.conf

This is the file that holds all the IPsec details for the tunnel. The XXX.XXX.XXX.XXX placeholders need to be changed to your own addresses, and the text after # on each line is a comment explaining the attribute; leave the comments out of your real file. A few things worth knowing: leftid/rightid are what goes into ipsec.secrets, so keep them the same as the public IPs unless you have a reason not to; the modp group on the esp= line turns on perfect forward secrecy for the child SA, so both sides must offer the same group; and aes256gcm16 is an AEAD cipher that carries its own integrity check, so the ESP proposal needs no separate hash (on the ike= line the sha512 is still needed, where Strongswan uses it as the PRF). auto=start makes this side bring the tunnel up as soon as the daemon starts; if the other side should always be the one to initiate, use auto=add instead, which loads the connection and waits for the peer.

conn %default
    ikelifetime=86400s
    keylife=86400s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no
    ike=aes256gcm16-sha512-modp4096
    esp=aes256gcm16-modp8192
    authby=psk

conn net-net
    left=XXX.XXX.XXX.XXX            # the public IP on the local side
    leftid=XXX.XXX.XXX.XXX          # I usually make this the same as the public IP
    leftsubnet=10.123.234.0/24      # the local internal subnet
    leftauth=psk
    leftfirewall=yes
    right=XXX.XXX.XXX.XXX           # the public IP of the remote site
    rightid=XXX.XXX.XXX.XXX         # again I tend to use the public IP
    rightsubnet=10.234.123.0/23     # the internal subnet of the remote site
    rightauth=psk
    type=tunnel
    auto=start
    dpdaction=restart

Edit /etc/strongswan/ipsec.secrets to include the remote peer's ID (its public IP, matching rightid above) and the pre-shared key. Use a long random string rather than a password, generate your own instead of copying the one below, and keep the file readable by root only (mode 0600). Repeat on both sides with exactly the same key.

# /etc/ipsec.secrets - strongSwan IPsec secrets file
XXX.XXX.XXX.XXX : PSK "dp3lna6cSe2hLoNlHdMe0rb5x6c"

The stock file also carries a `: RSA myKey.der` line; take it out unless you actually have that key, since this tunnel only uses the PSK.

In /etc/strongswan/ipsec.conf add this line so the tunnel definition gets loaded, then restart the daemon so it reads the new config (service strongswan restart on CentOS 6, and chkconfig strongswan on to have it start at boot).

include /etc/strongswan/ipsec.d/testtun.conf
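The steps above have to be repeated on both sites with left and right swapped and the same PSK, which is where most mismatches creep in. As an added example (my own script, not part of the original post), the following generates both sides' files from a single set of parameters: a random PSK from /dev/urandom, a conn definition rendered once per site with left/right mirrored, a root-only ipsec.secrets with both IDs in the selector, and the include line in ipsec.conf. It assumes the Red Hat layout used on this page (DIR/ipsec.conf, DIR/ipsec.d/, DIR/ipsec.secrets, with DIR=/etc/strongswan on the real host) and the ipsec.conf/starter style of configuration; the function names (gen_psk, render_conn, write_side, mirror_pair), the site names and the addresses are illustrative. It also drops the separate hash from the AEAD ESP proposal and uses one DH group for IKE and ESP, which is my choice rather than the post's.

```shell
#!/bin/sh
# Added example (not from the original post): generate a matching pair of
# strongSwan net-net tunnel configs, one per site, from a single set of
# parameters, so the two sides cannot disagree on left/right, subnets,
# proposals or the PSK. Assumes the Red Hat layout used on this page
# (DIR/ipsec.conf, DIR/ipsec.d/, DIR/ipsec.secrets; DIR=/etc/strongswan on
# the real host). Helper names, site names and addresses are illustrative.

set -eu

# gen_psk: 32 bytes from the kernel CSPRNG, base64-encoded, no trailing newline.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# render_conn NAME LOCAL_IP LOCAL_SUBNET REMOTE_IP REMOTE_SUBNET
# Prints the conn definition as seen from the side whose public IP is LOCAL_IP.
# aes256gcm16 is AEAD, so the esp= proposal carries no separate hash; on the
# ike= line sha512 is the PRF.
render_conn() {
    rc_name=$1 rc_lip=$2 rc_lnet=$3 rc_rip=$4 rc_rnet=$5
    cat <<EOF
conn %default
    ikelifetime=86400s
    keylife=86400s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no
    ike=aes256gcm16-sha512-modp4096
    esp=aes256gcm16-modp4096
    authby=psk

conn $rc_name
    left=$rc_lip
    leftid=$rc_lip
    leftsubnet=$rc_lnet
    leftauth=psk
    leftfirewall=yes
    right=$rc_rip
    rightid=$rc_rip
    rightsubnet=$rc_rnet
    rightauth=psk
    type=tunnel
    auto=start
    dpdaction=restart
EOF
}

# write_side DIR NAME LOCAL_IP LOCAL_SUBNET REMOTE_IP REMOTE_SUBNET PSK
# Writes DIR/ipsec.d/NAME.conf, (over)writes DIR/ipsec.secrets as mode 0600
# and makes sure DIR/ipsec.conf includes the new file.
write_side() {
    ws_dir=$1 ws_name=$2 ws_lip=$3 ws_lnet=$4 ws_rip=$5 ws_rnet=$6 ws_psk=$7
    mkdir -p "$ws_dir/ipsec.d"
    render_conn "$ws_name" "$ws_lip" "$ws_lnet" "$ws_rip" "$ws_rnet" \
        > "$ws_dir/ipsec.d/$ws_name.conf"
    # Selector lists both IDs (they match leftid/rightid). The file is created
    # root-only from the start rather than chmod'ed after the secret is on disk.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$ws_lip" "$ws_rip" "$ws_psk" \
        > "$ws_dir/ipsec.secrets" )
    chmod 600 "$ws_dir/ipsec.secrets"
    grep -qxF "include $ws_dir/ipsec.d/$ws_name.conf" "$ws_dir/ipsec.conf" 2>/dev/null \
        || printf 'include %s/ipsec.d/%s.conf\n' "$ws_dir" "$ws_name" >> "$ws_dir/ipsec.conf"
}

# mirror_pair BASE NAME A_IP A_SUBNET B_IP B_SUBNET
# Produces BASE/siteA and BASE/siteB sharing one freshly generated PSK, with
# left/right swapped on the B side. Copy each tree to /etc/strongswan on the
# matching host and restart the service there.
mirror_pair() {
    mp_base=$1 mp_name=$2 mp_aip=$3 mp_anet=$4 mp_bip=$5 mp_bnet=$6
    mp_psk=$(gen_psk)
    write_side "$mp_base/siteA" "$mp_name" "$mp_aip" "$mp_anet" "$mp_bip" "$mp_bnet" "$mp_psk"
    write_side "$mp_base/siteB" "$mp_name" "$mp_bip" "$mp_bnet" "$mp_aip" "$mp_anet" "$mp_psk"
}

# Usage: sh mktunnel.sh OUTDIR NAME A_IP A_SUBNET B_IP B_SUBNET
if [ $# -eq 6 ]; then
    mirror_pair "$1" "$2" "$3" "$4" "$5" "$6"
    echo "wrote $1/siteA and $1/siteB; the shared PSK is in each ipsec.secrets"
fi
```

Run it as `sh mktunnel.sh /tmp/out testtun 203.0.113.10 10.123.234.0/24 198.51.100.20 10.234.123.0/23`, copy siteA to the first host and siteB to the second, and restart Strongswan on both. Because the PSK never gets typed or pasted, the only way the two sides can disagree is if a file is copied to the wrong host.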

Useful commands for checking whether the routes have gone in properly and what the connection is doing. By default Strongswan also logs through syslog to /var/log/messages, which is the first place to look when something is off.

ip route list table 220

strongswan statusall

On CentOS the `ipsec` command is shipped under the name `strongswan`, and statusall shows the loaded connections, the IKE and child SAs and the negotiated algorithms. `swanctl --list-sas` gives the same SA view, but only on builds that ship the swanctl tool and load the vici plugin, which the ipsec.conf-based setup described here doesn't need.

If it won't connect, the tunnel config is the usual suspect: compare the two sides line by line (left/right swapped, the IDs, the subnets, the ike/esp proposals and the PSK all have to agree) and read the charon lines in /var/log/messages, which say exactly which proposal or ID was rejected.

If the routes are in table 220 and the SA comes up but traffic still doesn't flow, look at your firewall. IKE needs UDP 500 and 4500 (NAT-T) and ESP (IP protocol 50) allowed in on the public interface, and leftfirewall=yes only adds the forwarding rules for the tunnelled subnets, so that's probably where it's getting caught up.