Migration from ipsec.conf to swanctl.conf¶

• Table of contents
• Migration from ipsec.conf to swanctl.conf
  • Basic structure of swanctl.conf
  • Migration Process
    • Automated
    • Manual
      • config setup
      • conn <name>
      • ca <name>
      • /etc/ipsec.secrets
  • Example

Basic structure of swanctl.conf¶

Basic swanctl.conf skeletonBasic swanctl.conf skeleton

connections {
        connection-name {
                local {
                }
                remote {
                }
                children {
                        child-name {
                        }
                }
        }
}
pools {
}
secrets {
}
authorities {
}

You can have several connection names within the connections{} section and several child names within a children{} section. Empty sections can be omitted with the exception of the children{} section and at least one child-name{} sub-section. No section name may have dots in it, e.g. replace vpn.mysystems.tld with vpn-mysystems-tld or vpn_mysystems_tld. Connections are loaded by the swanctl --load-conns command.

In the main section of any connection you define things global to that connection like IKE version, your own and the peer's IP addresses, or algorithm proposals, dead peer detection and rekeying parameters for the IKE_SA.

In the local{} and remote{} sections you primarily define things related to authenticating the peers of the IKE_SA:

• In the local{} section you define properties of your end of the connection, e.g. what authentication scheme, IDs and certificates to use. A lot of the left...= parameters have equivalents here.

• In the remote{} section you define things that describe the remote end of the connection (basically constraints about the peers), again e.g. the authentication scheme, IDs and certificates to use. A lot of the right...= parameters have equivalents here.

There may be additional local{} and remote{} sections having arbitrary suffixes e.g. "-2" in remote-2, which describe additional authentication rounds (RFC 4739 for IKEv2, XAuth for IKEv1). Authentication rounds are ordered by their position in the config file, however, this can be influenced with the round setting.

In the children{} section you primarily define the local and remote traffic selectors and generally everything that belongs to negotiating CHILD_SAs, such as algorithm proposals and rekeying parameters.

The pools{} section defines named pools that can be referenced from a connection-name{} section. They are used to assign virtual IP addresses (roughly equivalent to rightsourceip) and other attributes like DNS servers (equivalent to rightdns). Pools configured here are loaded by swanctl --load-pools.

The secrets{} section is the equivalent to ipsec.secrets and is loaded by swanctl --load-creds. Note that private keys stored in sub-directories of the swanctl directory are loaded automatically (if they are encrypted and no password is configured in the secrets{} section swanctl will prompt the user for it, unless --noprompt is used).

• connections.<conn>.remote<suffix>.auth=...
  or
• connections.<conn>.children.<child>.local_ts=...

<conn> designates a connection name, <suffix> an optional extension to the given section name and <child> a child name. The <suffix> can be omitted in many cases except when defining secondary authentication rounds or e.g. when defining multiple secrets of the same type. Written out the two settings above appear as:

The two settings above expanded from dot-notationThe two settings above expanded from dot-notation

connections {
        connection_name {
                ...
                remote {
                        auth=...
                }
                children {
                        child_name {
                                local_ts=...
                        }
                }
        }
}

There may also be an authorities {} section corresponding to the ca <name> sections in ipsec.conf. In this case <name> becomes a sub-section within authorities {}. They are loaded by the swanctl --load-authorities command.

Migration Process¶

Automated¶

Noel Kuntze wrote a python script for translating ipsec.conf to swanctl.conf.

Manual¶

To migrate from ipsec.conf to swanctl.conf begin with the basic structure shown above. In most simple cases every conn name becomes a connection-name. However, in particular if also was used, they might also be added simply as additional child-name{} section. Then look up the old parameters in the following table and fill in the equivalent settings. Defaults can be omitted, but take care: the defaults sometimes differ between ipsec.conf and strongswan.conf. Also note that swanctl.conf has several new options that are not available in ipsec.conf.

The connection-name and the child-name may be equal. This comes in conveniently when bringing up connections manually: the command ipsec up refers to a conn <name> while the corresponding swanctl --initiate --child refers to a child-name. Keeping both equal makes things a bit easier. But remember: no dots in names!

Example¶

More example configs may be found here.

IKEV2 Responder with Public Key Authentication and EAP-MSCHAP2IKEV2 Responder with Public Key Authentication and EAP-MSCHAP2

vpn.mysystems.tld : RSA vpn.mysystems.tld.key.pem
alice : EAP "totallysecret" 
bob : EAP "evenmoresecret" 

config setup
        uniqueids=never

conn vpn.mysystems.tld-rw-ikev2
        auto=add
        keyexchange=ikev2
        dpdaction=clear
        leftid=vpn.mysystems.tld
        leftauth=pubkey
        leftcert=vpn.mysystems.tld.cert.pem
        # iOS clients need this
        leftsendcert=always
        rightauth=eap-mschapv2
        eap_identity=%identity
        leftsubnet=192.168.181.0/24
        rightsourceip=172.29.2.0/24

connections {
        vpn_mysystems_tld-rw-ikev2 {
                unique=never
                version=2
                dpd_delay=30s # higher values might be better for clients that roam between networks
                # iOS clients need this
                send_cert=always
                pools=pool-rw-ikev2
                local {
                        id=vpn.mysystems.tld
                        certs=vpn.mysystems.tld.cert.pem
                        # Default setting omitted:
                        # auth=pubkey
                }
                remote {
                        auth=eap-mschapv2
                        eap_id=%any
                        # Default setting omitted:
                        # auth=pubkey
                }
                children {
                        vpn_mysystems_tld-rw-ikev2 {
                                local_ts=192.168.181.0/24
                                # Default settings omitted:
                                # start_action=none
                                # dpd_action=clear
                        }
                }
        }
}
pools {
        pool-rw-ikev2 {
                addrs=172.29.2.0/24
        }
}
secrets {
        # loaded automatically from /etc/swanctl/private/
        #private-vpn_mysystems_tld {
        #        file=vpn.mysystems.tld.key.pem
        #}

        eap-alice {
                id=alice
                secret="totallysecret" 
        }
        eap-bob {
                id=bob
                secret="evenmoresecret" 
        }
}