[strongSwan] How to set some strongswan parameters for all connections at once?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:26:04 CET 2018


CentOS also has `ipsec`. They just renamed it to `strongswan`, so it does not conflict with libreswan's `ipsec` tool for controling their pluto daemon.

You can use the file inclusion mechanism to load text from other files into parts of the configuration. The man page mentions how to do that.

Be aware that you can not change conns based on the eap_identity.

Kind regards

Noel

On 11.01.2018 12:24, Marian Kechlibar wrote:
> OK, so I set up an experimental VPN and started playing with it, as not
> to break the production VPN.
>
> CentOS uses swanctl as a lightweight controller, so ipsec.conf is not
> really loaded.
>
> I was able to set up DPD, Proposals etc. on a user-by-user basis, but
> not globally.
>
> Is there any way how to set something for all connections at once when
> using swanctl?
>
> Best regards
>
> Marian Kechlibar
> Prague, CZ
>
> Dne 11.1.2018 v 9:54 Marian Kechlibar napsal(a):
>> Hi all,
>>
>> I would like to ask a question with regard to StrongSwan server
>> configuration.
>>
>> We are running a VPN server based on StrongSwan 5.5.3 on CentOS 7. The
>> settings are as follows:
>>
>> * ipsec.conf is completely empty, except for comments (the default state
>> of the file after a fresh installation),
>> * strongswan.conf includes all the charon confs, which are left in the
>> default state as well,
>> * swanctl.conf includes config files and pool files of all the
>> individual users, where local_addrs, local_sa, remote_sa, children etc.
>> is determined.
>>
>> Now I would like to set up the following parameters of the system:
>>
>> * Dead Peer Detection
>> * Cipher Suites
>> * Enforcement of IKEv2 only
>> * Lifetime
>>
>> And I would like for those parameters to apply to all the users of the
>> system at once.
>>
>> How do I do it? Do I add a conn block into the ipsec.conf?
>>
>> And how about making exceptions for individual users? Let us say that I
>> do not want Dead Peer Detection for user X. Can I turn it off in the
>> appropriate user's config?
>>
>> I studied the documentation online, but it is not entirely clear to me
>> and I am afraid of ruining a setup of a functional VPN by trial and error.
>>
>> Many thanks in advance.
>>
>> Marian Kechlibar
>> Prague, CZ
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180111/a18a5246/attachment.sig>


More information about the Users mailing list