Strongswan IPsec Configuration

The strongSwan charon IPsec daemon on OpenWrt is configured through /etc/config/ipsec (UCI syntax). This document is in an early alpha state.

Section ipsec

Global settings (config 'ipsec').

Name   | Type   | Required | Default | Description
zone   | string | no       | vpn     | Firewall zone. Has to match a zone defined in the firewall configuration.
listen | list   | yes      | ''      | Interfaces that accept VPN traffic (empty for all interfaces; one list entry per interface for several interfaces).


Section tunnel

Contains the tunnel definition for one remote peer.

Name                  | Type   | Required | Default | Description
enabled               | bool   | yes      | (none)  | Whether this configuration is enabled.
gateway               | ipaddr | yes      | (none)  | IP address or FQDN of the remote tunnel endpoint.
exchange_mode         | string | no       | main    | Phase 1 negotiation mode (main, aggressive).
local_identifier      | string | no       | (none)  | Local identifier for phase 1.
remote_identifier     | string | no       | (none)  | Remote identifier for phase 1.
authentication_method | string | yes      | (none)  | Phase 1 authentication. The only allowed value at the moment is psk.
pre_shared_key        | string | no       | (none)  | The pre-shared key for the tunnel if authentication_method is psk.
p1_proposal           | list   | yes      | (none)  | Name of a phase 1 proposal section (see below).
tunnel                | list   | yes      | (none)  | Name of a phase 2 section (see below).


Section p1_proposal

Definition of phase 1 proposals.

Name                 | Type   | Required | Default | Description
encryption_algorithm | string | yes      | (none)  | Phase 1 encryption method (aes128, aes192, aes256, 3des).
hash_algorithm       | string | yes      | (none)  | Phase 1 hash algorithm (md5, sha1).
dh_group             | string | yes      | (none)  | Diffie-Hellman group (modp768, modp1024, …).

Of the values listed, md5, 3des, modp768 and modp1024 are weak by current standards. Pick the strongest cipher and the largest group that both peers support rather than lowering the proposal to match a default.


Section tunnel (phase 2)

Contains the network definition per tunnel.

Name          | Type   | Required | Default | Description
local_subnet  | subnet | yes      | (none)  | Local network.
remote_subnet | subnet | yes      | (none)  | Remote network.
local_nat     | subnet | no       | (none)  | NAT range for tunnels with overlapping IP addresses.
p2_proposal   | string | yes      | (none)  | Name of a phase 2 proposal section (see below).


Section p2_proposal

Definition of phase 2 proposals.

Name                     | Type   | Required | Default | Description
pfs_group                | string | yes      | (none)  | Comma-separated list of Diffie-Hellman groups for perfect forward secrecy (can be omitted when the peer is a Cisco ASA).
encryption_algorithm     | string | yes      | (none)  | Comma-separated list of encryption algorithms (aes128, aes192, aes256, 3des).
authentication_algorithm | string | yes      | (none)  | Comma-separated list of authentication algorithms (md5, sha1).

Example 1, taken from the IPsec site-to-site howto. Note that this example still uses the option name sainfo for the peer's list of phase 2 sections, where the option table above names it tunnel, and that it uses the section type tunnel both for the remote peer and for the per-network definitions; check which spelling the package version you have installed expects.

config 'ipsec'
  option 'zone' 'vpn'

config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'gateway' ''
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_dmz'
  list   'sainfo' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

config 'tunnel' 'acme_lan'
  option 'local_subnet' ''
  option 'remote_subnet' ''
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
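Because charon will only report a bad value after it has tried to bring the tunnel up, it pays to check a configuration against the option tables before committing it. The following linter is an added example, not code from this wiki page, OpenWrt or strongSwan. It assumes a minimal UCI parser (config/option/list keywords with shell-style quoting), treats a tunnel section that has a gateway option as the remote-peer section and any other tunnel section as a phase 2 network section (because the example above uses the type tunnel for both), accepts either tunnel or sainfo as the name of the peer's phase 2 list, and uses a constructed SAMPLE configuration with RFC 5737 documentation addresses. The names ENC_ALGS, HASH_ALGS, WEAK, parse_uci, is_subnet, is_group and lint_ipsec are this example's own.

```python
"""Added example: lint an OpenWrt /etc/config/ipsec file against the option tables above.
Not code from the wiki page, OpenWrt or strongSwan. Assumptions: a minimal UCI parser
(config/option/list keywords, shell-style quoting); a 'tunnel' section with a 'gateway'
option is the remote-peer section and any other 'tunnel' section a phase 2 network section
(the example above uses the type 'tunnel' for both); the peer's list of phase 2 sections may
be spelled 'tunnel' (option table) or 'sainfo' (example); SAMPLE is a constructed config.
"""
import ipaddress, shlex

ENC_ALGS = {"aes128", "aes192", "aes256", "3des"}  # phase 1 and phase 2 ciphers per the tables
HASH_ALGS = {"md5", "sha1"}                        # phase 1 hash / phase 2 authentication
WEAK = {"md5", "3des", "modp768", "modp1024"}      # listed as valid on the page, warned about here
is_group = lambda g: g.startswith("modp") and g[4:].isdigit()  # modp768, modp1024, ...

SAMPLE = """\
config 'ipsec'
  option 'zone' 'vpn'
config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'gateway' '198.51.100.1'
  option 'authentication_method' 'psk'
  option 'pre_shared_key' 'yourpasswordhere'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_lan'
config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'
config 'tunnel' 'acme_lan'
  option 'local_subnet' '192.0.2.0/24'
  option 'remote_subnet' '203.0.113.0/24'
  option 'p2_proposal' 'g2_aes_sha1'
config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes128'
  option 'authentication_algorithm' 'sha1'
"""

def parse_uci(text):
    """Return [(type, name, {key: str | [str]})] in file order."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        kw, args = words[0], words[1:] + ["", ""]  # pad so a missing value reads as ''
        if kw == "config":
            sections.append((args[0], args[1] or None, {}))
        elif kw == "option" and sections:
            sections[-1][2][args[0]] = args[1]
        elif kw == "list" and sections:
            sections[-1][2].setdefault(args[0], []).append(args[1])
        else:
            raise ValueError(f"not UCI syntax: {raw!r}")
    return sections

def is_subnet(s):
    try:
        return ipaddress.ip_network(s, strict=False) is not None
    except ValueError:
        return False

def lint_ipsec(text):
    """Return (errors, warnings); an empty error list means the config passes the checks."""
    sections = parse_uci(text)
    kind = lambda t, o: "peer" if t == "tunnel" and "gateway" in o else ("net" if t == "tunnel" else t)
    by_name = {n: kind(t, o) for t, n, o in sections if n}
    errors, warnings = [], []

    def check(opts, key, ok, where, required=True):
        v = opts.get(key, "")  # option values are comma lists, list entries come one per line
        vals = v if isinstance(v, list) else [s.strip() for s in v.split(",") if s.strip()]
        if required and not vals:
            errors.append(f"{where}: required option '{key}' is missing or empty")
        for x in vals:
            if not ok(x):
                errors.append(f"{where}: '{key}' has unsupported value '{x}'")
            elif x in WEAK:
                warnings.append(f"{where}: '{key}' uses weak value '{x}'")

    for stype, name, opts in sections:
        where, k = (f"{stype} '{name}'" if name else stype), kind(stype, opts)
        if k == "peer":
            check(opts, "gateway", bool, where)
            check(opts, "authentication_method", lambda v: v == "psk", where)
            check(opts, "pre_shared_key", bool, where)  # psk is the only method, so always needed
            check(opts, "p1_proposal", lambda r: by_name.get(r) == "p1_proposal", where)
            check(opts, "tunnel" if "tunnel" in opts else "sainfo", lambda r: by_name.get(r) == "net", where)
        elif k == "net":
            check(opts, "local_subnet", is_subnet, where)
            check(opts, "remote_subnet", is_subnet, where)
            check(opts, "p2_proposal", lambda r: by_name.get(r) == "p2_proposal", where)
        elif k == "p1_proposal":
            check(opts, "encryption_algorithm", ENC_ALGS.__contains__, where)
            check(opts, "hash_algorithm", HASH_ALGS.__contains__, where)
            check(opts, "dh_group", is_group, where)
        elif k == "p2_proposal":
            check(opts, "encryption_algorithm", ENC_ALGS.__contains__, where)
            check(opts, "authentication_algorithm", HASH_ALGS.__contains__, where)
            check(opts, "pfs_group", is_group, where, required=False)  # may be omitted for Cisco ASA
    return errors, warnings
```

Run it as `lint_ipsec(open("/etc/config/ipsec").read())` before `uci commit ipsec`. On SAMPLE it returns no errors and two warnings, both for modp1024; a typo such as 'aes 128' (the value this page's example originally carried), a dangling p2_proposal reference or a missing pre_shared_key each show up as an error naming the section and option.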

Windows Native VPN Client Proposals

The following table lists the phase 1 proposals offered by the Windows native VPN client (as tested with Windows 7).

Proposal | Encryption | Hash | DH Group
doc/uci/ipsec.txt · Last modified: 2013/05/05 11:32 by birnenschnitzel