[strongSwan] How to set some strongswan parameters for all connections at once?
Marian Kechlibar
marian.kechlibar at circletech.net
Thu Jan 11 12:24:05 CET 2018
OK, so I set up an experimental VPN and started playing with it, so as
not to break the production VPN.
CentOS uses swanctl as a lightweight controller, so ipsec.conf is not
really loaded.
I was able to set up DPD, Proposals etc. on a user-by-user basis, but
not globally.
Is there any way to set something for all connections at once when
using swanctl?
Best regards
Marian Kechlibar
Prague, CZ
On 11.1.2018 at 9:54, Marian Kechlibar wrote:
> Hi all,
>
> I would like to ask a question with regard to StrongSwan server
> configuration.
>
> We are running a VPN server based on StrongSwan 5.5.3 on CentOS 7. The
> settings are as follows:
>
> * ipsec.conf is completely empty, except for comments (the default state
> of the file after a fresh installation),
> * strongswan.conf includes all the charon confs, which are left in the
> default state as well,
> * swanctl.conf includes config files and pool files of all the
> individual users, where local_addrs, local_sa, remote_sa, children etc.
> are determined.
>
> Now I would like to set up the following parameters of the system:
>
> * Dead Peer Detection
> * Cipher Suites
> * Enforcement of IKEv2 only
> * Lifetime
>
> And I would like for those parameters to apply to all the users of the
> system at once.
>
> How do I do it? Do I add a conn block into the ipsec.conf?
>
> And how about making exceptions for individual users? Let us say that I
> do not want Dead Peer Detection for user X. Can I turn it off in the
> appropriate user's config?
>
> I studied the documentation online, but it is not entirely clear to me
> and I am afraid of ruining a setup of a functional VPN by trial and error.
>
> Many thanks in advance.
>
> Marian Kechlibar
> Prague, CZ
>