strongSwan: VPN configuration example
This page provides more detailed information for configuring a VPN in Skytap for use with a strongSwan endpoint on an external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as the sample configuration values to enter in the web interface of your strongSwan device.
For general information, see Creating a VPN connection to your Skytap account.
Skytap VPN configuration
Parameters to enter on your Skytap VPN page:
Value to enter
Name for your Skytap VPN
Remote Peer IP
The public IP address of the strongSwan server.
This must match the value in the My identifier field of the strongSwan web interface.
N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).
Skytap peer IP
An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to.
This value is entered in the Remote Gateway field of the strongSwan web interface.
This is the range of VM IP addresses in Skytap that sends and receives traffic through this VPN. This can’t overlap with the included remote subnet(s) defined below.
This must match the value in the Remote Network field of the strongSwan web interface.
Apply NAT for Connected Networks
Internet key exchange
Phase 1 Encryption Algorithm
Phase 1 Hash Algorithm
Phase 1 pre-shared Key
[SHARED SECRET KEY]
This must match the value in the Pre-Shared Key field of the strongSwan web interface.
Phase 1 SA lifetime
Phase 1 DH group
Phase 2 encryption algorithm
Phase 2 authentication algorithm
Phase 2 perfect forward secrecy (PFS)
Phase 2 PFS group
Phase 2 SA lifetime
SA policy level
Specify maximum segment size
Maximum segment size
Dead peer detection
Included remote subnets
Enter the IP addresses and subnets on your external network that send and receive traffic through this VPN.
The subnet(s) should be based on the traffic allowed in the Local Network field of the strongSwan web interface.
Excluded remote subnets
Sample strongSwan device configuration file
These are the parameters to enter in the strongSwan device configuration file.
Replace the [VARIABLES] with the specific values from Skytap or your corporate policy.
conn [CONNECTION NAME]
    left=[LAN IP ADDRESS OF DATACENTER VPN SERVER / PUBLIC IP ADDRESS ATTACHED TO THIS NIC]
    leftid=[PUBLIC IP ADDRESS OF DATACENTER VPN SERVER]
    leftsubnet=[DATACENTER SUBNET(S) TO BE REACHABLE THROUGH VPN TUNNEL]
    right=[PUBLIC IP ADDRESS OF SKYTAP VPN]
    rightsubnet=[SKYTAP SUBNET TO BE REACHABLE THROUGH VPN TUNNEL]
    type=tunnel
    authby=secret
    keyexchange=ikev2
    ike=aes256-sha1-modp2048    # IKE/ISAKMP SA encryption/authentication (Phase 1)
    esp=aes256-sha1-modp2048    # Encapsulation (ESP) encryption/authentication; modp2048 is the Phase 2 PFS group
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
    ikelifetime=28800s
    lifetime=8h
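As an added example, not part of the Skytap page or of strongSwan itself, the following Python checker parses a conn block like the one above and verifies the values that the table says must match between the Skytap VPN page and the strongSwan side, including that the Skytap range and the included remote subnets do not overlap. The Skytap field names and every address in it are constructed assumptions.

```python
# Added example (not from the Skytap page or from strongSwan): parse an ipsec.conf
# "conn" block and check it against the values entered on the Skytap VPN page,
# which the page says must match field for field. All addresses are constructed.
import ipaddress

SAMPLE_CONN = """
conn skytap-example
    leftid=203.0.113.10
    leftsubnet=10.0.0.0/24,10.1.0.0/24
    right=198.51.100.20
    rightsubnet=10.20.0.0/24
"""

# Constructed Skytap-side values (hypothetical field names, not Skytap's UI labels).
SKYTAP_SIDE = {
    "Remote peer IP": "203.0.113.10",            # public IP of the strongSwan server
    "Skytap peer IP": "198.51.100.20",           # public IP chosen in Skytap
    "Local subnets": "10.20.0.0/24",             # Skytap VM range behind the VPN
    "Included remote subnets": "10.0.0.0/24,10.1.0.0/24",
}

PAIRS = (("leftid", "Remote peer IP"), ("right", "Skytap peer IP"),    # ipsec.conf key -> Skytap field
         ("leftsubnet", "Included remote subnets"), ("rightsubnet", "Local subnets"))

def parse_conn(text):
    settings, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if line.startswith("conn "):
            in_conn = True
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def nets(value):
    return {ipaddress.ip_network(s.strip()) for s in value.split(",") if s.strip()}

def check_consistency(conn, skytap):
    """Return the mismatches between the two ends; an empty list means consistent."""
    problems = []
    for key, field in PAIRS:
        mine, theirs = conn.get(key, ""), skytap[field]
        same = nets(mine) == nets(theirs) if key.endswith("subnet") else mine == theirs
        if not same:
            problems.append(f"{key}={mine!r} must match the Skytap '{field}' field")
    # The page requires the Skytap range and the included remote subnets not to overlap.
    left, right = nets(conn.get("leftsubnet", "")), nets(conn.get("rightsubnet", ""))
    problems += [f"{l} overlaps {r}" for l in left for r in right if l.overlaps(r)]
    return problems
```

Run check_consistency(parse_conn(SAMPLE_CONN), SKYTAP_SIDE) before bringing the tunnel up; a non-empty list names the field that disagrees between the two ends.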