strongSwan: VPN configuration example

This page provides more detailed information for configuring a VPN in Skytap for use with a strongSwan endpoint on an external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as the sample configuration values to enter in the web interface of your strongSwan device.

For general information, see Creating a VPN connection to your Skytap account.

Contents

Skytap VPN configuration

Parameters to enter on your Skytap VPN page:

Parameter Name

Value to enter

Name

Name for your Skytap VPN

Example: CorporateVPN

Remote Peer IP

The public IP address of the strongSwan server.

This must match the value in the My identifier field of the strongSwan web interface.

Region

N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).

Example: US-West

Skytap peer IP

An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to.

Example: 76.32.14.101

This value is entered Remote Gateway field of the strongSwan web interface.

Skytap subnet

This is the range of VM IP addresses in Skytap that sends and receives traffic through this VPN. This can’t overlap with the included remote subnet(s) defined below.

This must match the value in the Remote Network field of the strongSwan web interface.

Apply NAT for Connected Networks

NO

Topology

Route-based

Internet key exchange

IKEv2

Phase 1 Encryption Algorithm

aes 256

Phase 1 Hash Algorithm

sha1

Phase 1 pre-shared Key

[SHARED SECRET KEY]

This must match the value in the Pre-Shared Key field of the strongSwan web interface.

Phase 1 SA lifetime

28800

Phase 1 DH group

modp2048 (14)

Phase 2 encryption algorithm

aes 256

Phase 2 authentication algorithm

hmac_sha1

Phase 2 perfect forward secrecy (PFS)

NO

Phase 2 PFS group

N/A

Phase 2 SA lifetime

3600

SA policy level

unique

Specify maximum segment size

NO

Maximum segment size

N/A

Dead peer detection

ON

Included remote subnets

Enter the IP addresses and subnets on your external network that send and receive traffic through this VPN.

Example: 172.16.0.0/24

The subnet(s) should be based on the traffic allowed in the Local Network field of the strongSwan web interface.

Excluded remote subnets

N/A

Sample strongSwan device configuration file

These are the parameters to enter in the strongSwan device configuration file.

Replace [VARIABLES] with specific values from Skytap or your corporate policy

conn [CONNECTION NAME]
left=[LAN IP ADDRESS OF DATACENTER VPN SERVER PUBLIC IP ADDRESS ATTACHED TO THIS NIC]
leftid=[PUBLIC IP ADDRESS OF DATACENTER VPN SERVER]
leftsubnet=[DATACENTER SUBNET(s) TO BE REACHABLE THROUGH VPN TUNNEL]
right=[PUBLIC IP ADDRESS OF SKYAP VPN]
rightsubnet=[SKYAP SUBNET TO BE REACHABLE THROUGH VPN TUNNEL]
type=tunnel
authby=secret
keyexchange=ikev2
ike=aes256-sha1-modp2048 (IKE/ISAKMP SA encryption/authentication)
esp=aes256-sha1-modp2048 (Encapsulation encryption/authentication)
dpdaction=restart
dpddelay=30s
dpdtimeout=120s
ikelifetime=28800s
lifetime=8h