strongSwan: VPN configuration example
This page provides more detailed information for configuring a VPN in Skytap for use with a strongSwan endpoint on an external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as the sample configuration values to enter in the web interface of your strongSwan device.
For general information, see Creating a VPN connection to your Skytap account.
Contents
Skytap VPN configuration
Parameters to enter on your Skytap VPN page:
Parameter Name
Value to enter
Name
Name for your Skytap VPN
Example: CorporateVPN
Remote Peer IP
The public IP address of the strongSwan server.
This must match the value in the My identifier field of the strongSwan web interface.
Region
N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).
Example: US-West
Skytap peer IP
An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to.
Example: 76.32.14.101
This value is entered Remote Gateway field of the strongSwan web interface.
Skytap subnet
This is the range of VM IP addresses in Skytap that sends and receives traffic through this VPN. This can’t overlap with the included remote subnets defined below.
This must match the value in the Remote Network field of the strongSwan web interface.
You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can’t use 0.0.0.0/0 for both local and remote subnets.
Apply NAT for Connected Networks
NO
Topology
Route-based
Internet key exchange
IKEv2
Phase 1 Encryption Algorithm
aes 256
Phase 1 Hash Algorithm
sha1
Phase 1 pre-shared Key
[SHARED SECRET KEY]
This must match the value in the Pre-Shared Key field of the strongSwan web interface.
Phase 1 SA lifetime
28800
Phase 1 DH group
modp2048 (14)
Phase 2 encryption algorithm
aes 256
Phase 2 authentication algorithm
hmac_sha1
Phase 2 perfect forward secrecy (PFS)
NO
Phase 2 PFS group
N/A
Phase 2 SA lifetime
3600
SA policy level
unique
Specify maximum segment size
NO
Maximum segment size
N/A
Dead peer detection
ON
Included remote subnets
Enter the IP addresses and subnets on your external network that send and receive traffic through this VPN.
Example: 172.16.0.0/24
The subnets should be based on the traffic allowed in the Local Network field of the strongSwan web interface.
You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can’t use 0.0.0.0/0 for both local and remote subnets.
Excluded remote subnets
N/A
Sample strongSwan device configuration file
These are the parameters to enter in the strongSwan device configuration file.
Replace [VARIABLES] with specific values from Skytap or your corporate policy
conn [CONNECTION NAME]
left=[LAN IP ADDRESS OF DATACENTER VPN SERVER PUBLIC IP ADDRESS ATTACHED TO THIS NIC]
leftid=[PUBLIC IP ADDRESS OF DATACENTER VPN SERVER]
leftsubnet=[DATACENTER SUBNET TO BE REACHABLE THROUGH VPN TUNNEL]
right=[PUBLIC IP ADDRESS OF SKYAP VPN]
rightsubnet=[SKYAP SUBNET TO BE REACHABLE THROUGH VPN TUNNEL]
type=tunnel
authby=secret
keyexchange=ikev2
ike=aes256-sha1-modp2048 (IKE/ISAKMP SA encryption/authentication)
esp=aes256-sha1-modp2048 (Encapsulation encryption/authentication)
dpdaction=restart
dpddelay=30s
dpdtimeout=120s
ikelifetime=28800s
lifetime=8h