strongSwan: VPN configuration example
This page provides more detailed information for configuring a VPN in Kyndryl Cloud Uplift for use with a strongSwan endpoint on an external network. It contains the VPN configuration parameters to enter on the Kyndryl Cloud Uplift VPN page, as well as the sample configuration values to enter in the web interface of your strongSwan device.
For general information, see Creating a VPN connection to your Kyndryl Cloud Uplift account.
Kyndryl Cloud Uplift VPN configuration
Parameters to enter on your Kyndryl Cloud Uplift VPN page (parameter name, followed by the value to enter):

Name: a name for your Kyndryl Cloud Uplift VPN. Example: CorporateVPN
Remote Peer IP: the public IP address of the strongSwan server. This must match the value in the My identifier field of the strongSwan web interface.
Region: N/A. This is populated automatically when you select a public IP address for the Kyndryl Cloud Uplift peer IP field (see below). Example: US-West
Kyndryl Cloud Uplift peer IP: an available public IP address in your Kyndryl Cloud Uplift account. Select a public IP address in the same region as the VMs you want to connect to. Example: 76.32.14.101. This value is entered in the Remote Gateway field of the strongSwan web interface.
Kyndryl Cloud Uplift subnet: the range of VM IP addresses in Kyndryl Cloud Uplift that send and receive traffic through this VPN. It can't overlap with the included remote subnets defined below. This must match the value in the Remote Network field of the strongSwan web interface. You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet, but not for both.
Apply NAT for Connected Networks: NO
Topology: Route-based
Internet key exchange: IKEv2
Phase 1 Encryption Algorithm: aes 256
Phase 1 Hash Algorithm: sha1
Phase 1 pre-shared Key: [SHARED SECRET KEY]. This must match the value in the Pre-Shared Key field of the strongSwan web interface.
Phase 1 SA lifetime: 28800 (seconds)
Phase 1 DH group: modp2048 (14)
Phase 2 encryption algorithm: aes 256
Phase 2 authentication algorithm: hmac_sha1
Phase 2 perfect forward secrecy (PFS): NO
Phase 2 PFS group: N/A
Phase 2 SA lifetime: 3600 (seconds)
SA policy level: unique
Specify maximum segment size: NO
Maximum segment size: N/A
Dead peer detection: ON
Included remote subnets: the IP addresses and subnets on your external network that send and receive traffic through this VPN. Example: 172.16.0.0/24. The subnets should be based on the traffic allowed in the Local Network field of the strongSwan web interface. You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet, but not for both.
Excluded remote subnets: N/A
Sample strongSwan device configuration file
These are the parameters to enter in the strongSwan device configuration file (the conn section of ipsec.conf). Replace [VARIABLES] with specific values from Kyndryl Cloud Uplift or your corporate policy.
conn [CONNECTION NAME]
    # Local (strongSwan) side of the tunnel
    left=[LAN IP ADDRESS OF DATACENTER VPN SERVER, OR THE PUBLIC IP ADDRESS IF IT IS ATTACHED TO THIS NIC]
    # Must equal the Remote Peer IP entered in Kyndryl Cloud Uplift
    leftid=[PUBLIC IP ADDRESS OF DATACENTER VPN SERVER]
    # Corresponds to the Included remote subnets entered in Kyndryl Cloud Uplift
    leftsubnet=[DATACENTER SUBNET TO BE REACHABLE THROUGH VPN TUNNEL]
    # Kyndryl Cloud Uplift side of the tunnel (the Kyndryl Cloud Uplift peer IP and subnet)
    right=[PUBLIC IP ADDRESS OF SKYAP VPN]
    rightsubnet=[SKYAP SUBNET TO BE REACHABLE THROUGH VPN TUNNEL]
    type=tunnel
    # Pre-shared key authentication; the key itself goes in ipsec.secrets
    authby=secret
    keyexchange=ikev2
    # IKE/ISAKMP SA encryption/authentication (Phase 1): AES-256, SHA-1, DH group 14
    ike=aes256-sha1-modp2048
    # Encapsulation encryption/authentication (Phase 2). The trailing modp2048 makes strongSwan
    # propose PFS with DH group 14 on Phase 2 rekeys, while the Kyndryl side above is set to
    # PFS NO; if Phase 2 rekeys fail, use esp=aes256-sha1 so that both sides agree.
    esp=aes256-sha1-modp2048
    # Dead peer detection (ON on the Kyndryl side); dpdtimeout is only used with IKEv1,
    # IKEv2 relies on the retransmission timeouts instead
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
    # Phase 1 SA lifetime (matches the 28800 entered above)
    ikelifetime=28800s
    # Phase 2 SA lifetime. IKEv2 does not negotiate lifetimes, so each side rekeys on its own
    # timer; the Kyndryl side above uses 3600 seconds.
    lifetime=8h
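As an added pre-flight check (not part of this page or of strongSwan itself), the following Python script parses a filled-in conn section like the one above and compares it against the values entered on the Kyndryl Cloud Uplift VPN page, flagging the mismatches the table rules call out: peer addresses and subnets that differ, overlapping subnets, 0.0.0.0/0 on both sides, and a Phase 2 PFS or lifetime setting that disagrees with the cloud side. The sample values are constructed: 203.0.113.10 stands in for the strongSwan public IP, 10.0.0.5 for its LAN address and 10.1.0.0/24 for the Kyndryl Cloud Uplift subnet.

```python
import ipaddress
import re

# Constructed sample: the conn block from this page with example values filled in
# (203.0.113.10 stands in for the strongSwan public IP, 10.1.0.0/24 for the cloud subnet).
SAMPLE_CONF = """\
conn CorporateVPN
    left=10.0.0.5
    leftid=203.0.113.10
    leftsubnet=172.16.0.0/24
    right=76.32.14.101
    rightsubnet=10.1.0.0/24
    keyexchange=ikev2
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048
    ikelifetime=28800s
    lifetime=8h
"""
# Values entered on the Kyndryl Cloud Uplift VPN page (table above), keyed by the conn field they must match.
CLOUD_SIDE = {"right": "76.32.14.101", "leftid": "203.0.113.10", "rightsubnet": "10.1.0.0/24",
              "leftsubnet": "172.16.0.0/24", "keyexchange": "ikev2"}
CLOUD_PFS = False          # Phase 2 perfect forward secrecy: NO
CLOUD_P2_LIFETIME = 3600   # Phase 2 SA lifetime, seconds
DH_GROUP = re.compile(r"-(modp\d+|ecp\d+|curve25519|curve448|x25519|x448)")

def parse_conn(text):  # single ipsec.conf conn section -> dict; '#' comments ignored
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def to_seconds(value):  # ipsec.conf time value (28800s, 8h, ...) -> seconds
    match = re.fullmatch(r"(\d+)([smhd]?)", value)
    return int(match.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[match.group(2)]

def check(conf, cloud=CLOUD_SIDE, pfs=CLOUD_PFS, p2_lifetime=CLOUD_P2_LIFETIME):
    findings = [f"{k}={conf.get(k)} does not match cloud-side value {v}" for k, v in cloud.items()
                if conf.get(k) != v]
    local, remote = ipaddress.ip_network(conf["leftsubnet"]), ipaddress.ip_network(conf["rightsubnet"])
    if local.overlaps(remote):
        findings.append(f"leftsubnet {local} overlaps rightsubnet {remote}")
    if local.prefixlen == 0 and remote.prefixlen == 0:
        findings.append("0.0.0.0/0 used for both local and remote subnets")
    # A DH group in esp= makes strongSwan propose PFS on Phase 2 rekeys.
    if bool(DH_GROUP.search(conf.get("esp", ""))) != pfs:
        findings.append(f"PFS mismatch: esp={conf.get('esp')} but cloud-side PFS={pfs}")
    if to_seconds(conf.get("lifetime", "1h")) != p2_lifetime:
        findings.append("Phase 2 lifetime differs (IKEv2 does not negotiate it; each side rekeys on its own timer)")
    return findings
```

Run `check(parse_conn(SAMPLE_CONF))` to see the two findings the page's own values produce (the PFS group in esp= and the 8h versus 3600 second Phase 2 lifetime); pass your own ipsec.conf text and table values to check a real deployment.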