search

/etc/swanctl/swanctl.conf

The swanctl.conf file located in /etc/swanctl/ is the primary configuration file for the swanctl command, which is part of the strongSwan VPN suite. This file is used to define the connection profiles, secrets, and other configurations necessary for managing IKEv2 and IPsec connections.

hashtag
Purpose

The swanctl.conf file is used to configure the swanctl command-line tool, which provides an interface for managing and monitoring IKEv2 connections established by the Charon daemon in strongSwan. This configuration file includes definitions for connections, pools, and secrets.

hashtag
Structure of swanctl.conf

The configuration file is written in a hierarchical, section-based format. The main sections typically include connections, secrets, and pools.

hashtag
Example swanctl.conf

Here is a basic example of a swanctl.conf file:

connections {
    myvpn {
        version = 2
        local_addrs = 192.0.2.1
        remote_addrs = 192.0.2.2

        local {
            auth = pubkey
            certs = serverCert.pem
            id = "CN=myvpnserver"
        }
        remote {
            auth = pubkey
            certs = clientCert.pem
            id = "CN=myvpnclient"
        }

        children {
            net {
                local_ts = 10.0.0.0/24
                remote_ts = 0.0.0.0/0
                dpd_action = restart
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}

secrets {
    private {
        file = serverKey.pem
    }
    eap {
        id = "username"
        secret = "password"
    }
}

pools {
    mypool {
        addrs = 10.3.0.0/24
        dns = 10.3.0.1
    }
}

hashtag
Sections and Options

  1. connections:

    • myvpn: Name of the connection profile.

      • version: Specifies the IKE version (1 or 2).

      • local_addrs: Local IP address.

      • remote_addrs: Remote IP address.

      • local: Local authentication settings.

        • auth: Authentication method (e.g., pubkey, psk).

        • certs: Path to the certificate file.

        • id: Identity of the local peer.

      • remote: Remote authentication settings.

        • auth: Authentication method for the remote peer.

        • certs: Path to the certificate file of the remote peer.

        • id: Identity of the remote peer.

      • children: Defines child SAs.

        • net: Name of the child SA.

          • local_ts: Traffic selectors for local traffic.

          • remote_ts: Traffic selectors for remote traffic.

          • dpd_action: Dead Peer Detection (DPD) action.

          • esp_proposals: ESP encryption and integrity algorithms.

  2. secrets:

    • private: Specifies the private key.

      • file: Path to the private key file.

    • eap: Defines EAP (Extensible Authentication Protocol) secrets.

      • id: EAP identity (username).

      • secret: EAP secret (password).

  3. pools:

    • mypool: Name of the address pool.

      • addrs: Range of IP addresses.

      • dns: DNS server address.

hashtag
Managing the Configuration

hashtag
Loading Configuration

To apply the configuration in swanctl.conf, use the following command:

This command loads the connections, secrets, and pools defined in the configuration file.

hashtag
Monitoring and Managing Connections

  • List all connections:

  • Initiate a connection:

  • Terminate a connection:

  • Check the status of connections:

hashtag
Conclusion

The /etc/swanctl/swanctl.conf file is an essential component for configuring and managing IKEv2 and IPsec connections with the strongSwan VPN suite. By properly defining connections, authentication methods, and address pools, administrators can create secure VPN configurations tailored to their network requirements. The modular approach of this file allows for clear and organized management of VPN settings, ensuring a robust and secure VPN infrastructure.

Previous/etc/swanctl/Next/etc/sysctl.conf

Last updated