> For the complete documentation index, see [llms.txt](https://linux-tutorial-cli.gitbook.io/linux-cli-tutorial/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://linux-tutorial-cli.gitbook.io/linux-cli-tutorial/txt-files/file-systems-cocepts/lpic3-303/etc-swanctl-swanctl.conf.md).

# /etc/swanctl/swanctl.conf

The `swanctl.conf` file located in `/etc/swanctl/` is the primary configuration file for the `swanctl` command, which is part of the strongSwan VPN suite. This file is used to define the connection profiles, secrets, and other configurations necessary for managing IKEv2 and IPsec connections.

#### Purpose

The `swanctl.conf` file is used to configure the `swanctl` command-line tool, which provides an interface for managing and monitoring IKEv2 connections established by the Charon daemon in strongSwan. This configuration file includes definitions for connections, pools, and secrets.

### Structure of `swanctl.conf`

The configuration file is written in a hierarchical, section-based format. The main sections typically include `connections`, `secrets`, and `pools`.

### Example `swanctl.conf`

Here is a basic example of a `swanctl.conf` file:

```ini
connections {
    myvpn {
        version = 2
        local_addrs = 192.0.2.1
        remote_addrs = 192.0.2.2

        local {
            auth = pubkey
            certs = serverCert.pem
            id = "CN=myvpnserver"
        }
        remote {
            auth = pubkey
            certs = clientCert.pem
            id = "CN=myvpnclient"
        }

        children {
            net {
                local_ts = 10.0.0.0/24
                remote_ts = 0.0.0.0/0
                dpd_action = restart
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}

secrets {
    private {
        file = serverKey.pem
    }
    eap {
        id = "username"
        secret = "password"
    }
}

pools {
    mypool {
        addrs = 10.3.0.0/24
        dns = 10.3.0.1
    }
}
```

### Sections and Options

1. **connections**:
   * **myvpn**: Name of the connection profile.
     * **version**: Specifies the IKE version (1 or 2).
     * **local\_addrs**: Local IP address.
     * **remote\_addrs**: Remote IP address.
     * **local**: Local authentication settings.
       * **auth**: Authentication method (e.g., `pubkey`, `psk`).
       * **certs**: Path to the certificate file.
       * **id**: Identity of the local peer.
     * **remote**: Remote authentication settings.
       * **auth**: Authentication method for the remote peer.
       * **certs**: Path to the certificate file of the remote peer.
       * **id**: Identity of the remote peer.
     * **children**: Defines child SAs.
       * **net**: Name of the child SA.
         * **local\_ts**: Traffic selectors for local traffic.
         * **remote\_ts**: Traffic selectors for remote traffic.
         * **dpd\_action**: Dead Peer Detection (DPD) action.
         * **esp\_proposals**: ESP encryption and integrity algorithms.
2. **secrets**:
   * **private**: Specifies the private key.
     * **file**: Path to the private key file.
   * **eap**: Defines EAP (Extensible Authentication Protocol) secrets.
     * **id**: EAP identity (username).
     * **secret**: EAP secret (password).
3. **pools**:
   * **mypool**: Name of the address pool.
     * **addrs**: Range of IP addresses.
     * **dns**: DNS server address.

### Managing the Configuration

#### Loading Configuration

To apply the configuration in `swanctl.conf`, use the following command:

```bash
sudo swanctl --load-all
```

This command loads the connections, secrets, and pools defined in the configuration file.

#### Monitoring and Managing Connections

* **List all connections**:

  ```bash
  sudo swanctl --list-conns
  ```
* **Initiate a connection**:

  ```bash
  sudo swanctl --initiate --child myvpn
  ```
* **Terminate a connection**:

  ```bash
  sudo swanctl --terminate --child myvpn
  ```
* **Check the status of connections**:

  ```bash
  sudo swanctl --list-sas
  ```

### Conclusion

The `/etc/swanctl/swanctl.conf` file is an essential component for configuring and managing IKEv2 and IPsec connections with the strongSwan VPN suite. By properly defining connections, authentication methods, and address pools, administrators can create secure VPN configurations tailored to their network requirements. The modular approach of this file allows for clear and organized management of VPN settings, ensuring a robust and secure VPN infrastructure.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://linux-tutorial-cli.gitbook.io/linux-cli-tutorial/txt-files/file-systems-cocepts/lpic3-303/etc-swanctl-swanctl.conf.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.