[strongSwan] How to set some strongswan parameters for all connections at once?
Marian Kechlibar
marian.kechlibar at circletech.net
Thu Jan 11 09:54:16 CET 2018
Hi all,

I would like to ask a question with regard to StrongSwan server
configuration.

We are running a VPN server based on StrongSwan 5.5.3 on CentOS 7. The
settings are as follows:

* ipsec.conf is completely empty, except for comments (the default state
of the file after a fresh installation),
* strongswan.conf includes all the charon confs, which are left in the
default state as well,
* swanctl.conf includes config files and pool files of all the
individual users, where local_addrs, local_sa, remote_sa, children etc.
are determined.

Now I would like to set up the following parameters of the system:

* Dead Peer Detection
* Cipher Suites
* Enforcement of IKEv2 only
* Lifetime

And I would like for those parameters to apply to all the users of the
system at once.

How do I do it? Do I add a conn block into the ipsec.conf?

And how about making exceptions for individual users? Let us say that I
do not want Dead Peer Detection for user X. Can I turn it off in the
appropriate user's config?

I studied the documentation online, but it is not entirely clear to me
and I am afraid of ruining a setup of a functional VPN by trial and error.

Many thanks in advance.

Marian Kechlibar
Prague, CZ