User Tools

Site Tools


Strongswan IPsec Configuration

Linux Charon IPsec daemon can be configured through /etc/config/ipsec.



zonestringnovpnFirewall zone. Has to match the defined firewall zone
listenlistyes''Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)
debugstringno0Trace level. Logs are written to /var/log/charon.log


Contains tunnel definition.

enabledbooleanyes(none)Configuration is enabled or not
gatewayipaddryes(none)IP address or FQDN name of the tunnel remote endpoint.
exchange_modestringnomainPhase 1 negotiation (main, aggressive)
local_identifierstringno(none)local identifier for phase 1
remote_identifierstringno(none)remote identifier for phase 1
authentication_methodstringyes(none)Phase 1 authentication. Only allowed value ath the moment is psk
pre_shared_keystringno(none)The preshared key for the tunnel if authentication is psk
p1_proposallistyes(none)Name of phase 1 proposal (see below)
tunnellistyes(none)Name of phase 2 section (see below)


Definition of phase 1 proposals. Derived from stronSwan cipher suites

encryption_algorithmstringyes(none)Phase 1 encryption method (aes128, aes192, aes256, 3des)
hash_alogrithmstringyes(none)Phase 1 hash alogrithm (md5,sha1)
dh_groupstringyes(none)Diffie-Hellman exponentiation (modp768, modp1024, …


Contains network defintion per tunnel.

local_subnetsubnetyes(none)Local network
remote_subnetsubnetyes(none)Remote network
local_natsubnetno(none)NAT range for tunnels with overlapping IP addresses
p2_proposalstringyes(none)link to phase 2 proposal


Definition of phase 2 proposal. Derived from stronSwan cipher suites

pfs_groupstringyes(none)Comma separated list of of Diffie-Hellman exponentiations (you can omit this, when peer is Cisco ASA)
encryption_algorithmstringyes(none)Comma separaeted list of encryption algorithms (aes128, aes192, aes256, 3des)
authentication_algorithmstringyes(none)Comma separated list of authentications (md5, sha1)

Example 1 taken from the IPSec site to site howto.

config 'ipsec'
  option 'zone' 'vpn'

config 'remote' 'acme'
  option 'enabled' '1'
  option 'gateway' ''
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_dmz'
  list   'sainfo' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

config 'tunnel' 'acme_lan'
  option 'local_subnet' ''
  option 'remote_subnet' ''
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'sha1'

Windows Native VPN Client Proposals

The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7)

ProposalEncryptionHashDH Group
doc/uci/ipsec.txt · Last modified: 2015/04/17 16:27 by folke