[strongSwan] How to set some strongswan parameters for all connections at once?

Marian Kechlibar marian.kechlibar at circletech.net
Thu Jan 11 12:24:05 CET 2018

OK, so I set up an experimental VPN and started playing with it, as not
to break the production VPN.

CentOS uses swanctl as a lightweight controller, so ipsec.conf is not
really loaded.

I was able to set up DPD, Proposals etc. on a user-by-user basis, but
not globally.

Is there any way how to set something for all connections at once when
using swanctl?

Best regards

Marian Kechlibar
Prague, CZ

Dne 11.1.2018 v 9:54 Marian Kechlibar napsal(a):
> Hi all,
> I would like to ask a question with regard to StrongSwan server
> configuration.
> We are running a VPN server based on StrongSwan 5.5.3 on CentOS 7. The
> settings are as follows:
> * ipsec.conf is completely empty, except for comments (the default state
> of the file after a fresh installation),
> * strongswan.conf includes all the charon confs, which are left in the
> default state as well,
> * swanctl.conf includes config files and pool files of all the
> individual users, where local_addrs, local_sa, remote_sa, children etc.
> is determined.
> Now I would like to set up the following parameters of the system:
> * Dead Peer Detection
> * Cipher Suites
> * Enforcement of IKEv2 only
> * Lifetime
> And I would like for those parameters to apply to all the users of the
> system at once.
> How do I do it? Do I add a conn block into the ipsec.conf?
> And how about making exceptions for individual users? Let us say that I
> do not want Dead Peer Detection for user X. Can I turn it off in the
> appropriate user's config?
> I studied the documentation online, but it is not entirely clear to me
> and I am afraid of ruining a setup of a functional VPN by trial and error.
> Many thanks in advance.
> Marian Kechlibar
> Prague, CZ

More information about the Users mailing list