
This guide walks you through setting up a site-to-site IPsec VPN tunnel between two gateways using the swanctl command-line tool and the modern VICI configuration interface.

Prerequisites

  • Linux kernel 4.5 or later (with esp4, esp6, and xfrm_user modules available)
  • strongSwan installed with swanctl and the charon daemon running
  • X.509 certificates issued by a common CA for both gateways
  • IP forwarding enabled on both gateways (sysctl net.ipv4.ip_forward=1), since each gateway forwards packets on behalf of the subnet behind it
  • Firewalls between the gateways permitting UDP 500 (IKE), UDP 4500 (NAT traversal) and IP protocol 50 (ESP)
Kernel modules (esp4, esp6, xfrm_user) are loaded automatically when needed on most distributions. Run modprobe xfrm_user to load manually if required.

Network topology

In this example, gateways moon and sun connect two private subnets through an encrypted IPsec tunnel:
10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
  moon-net          moon                 sun           sun-net

Configure gateway moon

Place the following credential files on moon:
/etc/swanctl/x509ca/strongswanCert.pem   # CA certificate
/etc/swanctl/x509/moonCert.pem           # moon's end-entity certificate
/etc/swanctl/private/moonKey.pem         # moon's private key
Create /etc/swanctl/swanctl.conf on moon:
/etc/swanctl/swanctl.conf
connections {
    net-net {
        remote_addrs = 192.168.0.2

        local {
            auth = pubkey
            certs = moonCert.pem
        }
        remote {
            auth = pubkey
            id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                start_action = trap
            }
        }
    }
}

Configure gateway sun

Place the following credential files on sun:
/etc/swanctl/x509ca/strongswanCert.pem   # CA certificate
/etc/swanctl/x509/sunCert.pem            # sun's end-entity certificate
/etc/swanctl/private/sunKey.pem          # sun's private key
Create /etc/swanctl/swanctl.conf on sun:
/etc/swanctl/swanctl.conf
connections {
    net-net {
        remote_addrs = 192.168.0.1

        local {
            auth = pubkey
            certs = sunCert.pem
        }
        remote {
            auth = pubkey
            id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
        }
        children {
            net-net {
                local_ts  = 10.2.0.0/16
                remote_ts = 10.1.0.0/16
                start_action = trap
            }
        }
    }
}
The remote identity (id) is the Subject Distinguished Name from the peer's end-entity certificate. charon accepts a peer only if it presents a certificate whose subject (or a subjectAltName) matches this id and that chains to a CA certificate in x509ca/; if id is omitted, any certificate issued by a trusted CA is accepted, so always set it for a site-to-site tunnel. The start_action = trap setting installs the IPsec policies in the kernel as soon as the connection is loaded; the IKE SA and CHILD SA are negotiated on demand when the kernel sees the first outbound packet matching the traffic selectors.
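The connection above leaves the IKE version, the cipher proposals and the trusted CA to charon's defaults: with version unset charon initiates IKEv2 but also answers IKEv1 as responder, the default proposal lists are deliberately broad, and any CA in x509ca/ is trusted for this peer. The following variant of moon's configuration is an added example, not the configuration from the original page or from the strongSwan test suite; it pins these settings explicitly. The option names and proposal strings are standard swanctl.conf syntax; the rekey and DPD timings are assumptions to tune for your deployment.

```conf
connections {
    net-net {
        # Assumption: both gateways run IKEv2; refuse IKEv1 when responding.
        version = 2
        local_addrs  = 192.168.0.1
        remote_addrs = 192.168.0.2
        # Site-to-site gateways have fixed addresses; MOBIKE is not needed.
        mobike = no
        # IKE SA: AES-128-CBC, HMAC-SHA256, X25519 key exchange (assumed choice).
        proposals = aes128-sha256-x25519
        # Assumed timings: re-key the IKE SA every 4h, probe the peer every 30s.
        rekey_time = 4h
        dpd_delay = 30s

        local {
            auth = pubkey
            certs = moonCert.pem
            id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
        }
        remote {
            auth = pubkey
            id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
            # Trust only this CA for this peer, not every CA in x509ca/.
            cacerts = strongswanCert.pem
            # Fail authentication if revocation status cannot be checked;
            # requires a CRL in x509crl/ or a reachable CRL/OCSP URI.
            revocation = strict
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # ESP: AES-128-GCM (AEAD), X25519 for PFS on every re-key.
                esp_proposals = aes128gcm16-x25519
                # Assumed timing: fresh ESP keys every hour.
                rekey_time = 1h
                start_action = trap
                # Re-establish the tunnel if the peer stops answering DPD.
                dpd_action = restart
            }
        }
    }
}
```

sun's configuration mirrors this with the addresses, certificate, identities and traffic selectors swapped; both peers must offer at least one common IKE and ESP proposal or negotiation fails with NO_PROPOSAL_CHOSEN.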

Bring up the tunnel

Run the following commands on both gateways after placing the configuration files (swanctl --load-all performs steps 1 and 2 in one go).
1. Load credentials

Load certificates, CA certificates, and private keys into the charon daemon:
swanctl --load-creds
Expected output on moon (sun reports sunCert.pem and sunKey.pem instead):
loaded certificate from '/etc/swanctl/x509/moonCert.pem'
loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
loaded private key from '/etc/swanctl/private/moonKey.pem'
2. Load connections

Load connection definitions from swanctl.conf:
swanctl --load-conns
Expected output:
loaded connection 'net-net'
3. Verify the tunnel

Before any traffic flows, swanctl --list-pols should already show the trap policy for net-net with the local and remote traffic selectors. Then send traffic from the moon-net subnet toward sun-net to trigger the trap policy and establish the tunnel (or initiate it by hand with swanctl --initiate --child net-net), and verify the active Security Associations:
swanctl --list-sas
A successful tunnel shows an established IKE SA and a CHILD SA with the negotiated traffic selectors:
net-net: #1, ESTABLISHED, IKEv2, ...
  net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    local  10.1.0.0/16
    remote 10.2.0.0/16
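For a scripted health check (for example from a monitoring job) the listing above can be parsed instead of eyeballed. The following POSIX shell function is an added example, not a tool shipped with strongSwan: it succeeds only when the named connection has an ESTABLISHED IKE SA and an INSTALLED tunnel-mode CHILD SA whose traffic selectors are exactly the expected subnets. The sample listing embedded at the bottom is constructed, modelled on the format of swanctl --list-sas, so the script can be run without a live charon.

```shell
#!/bin/sh
# tunnel_up CONN LOCAL_TS REMOTE_TS [LISTING]
# Exit 0 if LISTING (or live `swanctl --list-sas` output when LISTING is
# omitted) shows CONN with an ESTABLISHED IKE SA and an INSTALLED TUNNEL
# CHILD SA protecting exactly LOCAL_TS <-> REMOTE_TS; exit 1 otherwise.
tunnel_up() {
    conn=$1; lts=$2; rts=$3
    if [ $# -ge 4 ]; then
        listing=$4
    else
        listing=$(swanctl --list-sas 2>/dev/null) || return 1
    fi
    printf '%s\n' "$listing" | awk -v conn="$conn" -v lts="$lts" -v rts="$rts" '
        # IKE SA header: "net-net: #1, ESTABLISHED, IKEv2, ..."
        $1 == (conn ":") && /ESTABLISHED/ { ike = 1; inchild = 0 }
        # A CHILD SA line for some other connection ends the block we track.
        /reqid/ && $1 != (conn ":")       { inchild = 0 }
        # CHILD SA header: "  net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:..."
        $1 == (conn ":") && /INSTALLED/ && /TUNNEL/ { child = 1; inchild = 1; next }
        # Traffic selectors are printed below the CHILD SA header.
        inchild && $1 == "local"  && $2 == lts { l = 1 }
        inchild && $1 == "remote" && $2 == rts { r = 1 }
        END { exit !(ike && child && l && r) }
    '
}

# Constructed sample listing (not captured from a real gateway), shaped like
# the output of `swanctl --list-sas` for the moon side of this guide.
SAMPLE="net-net: #1, ESTABLISHED, IKEv2, 8fe6c4ee4a5e4c2c_i* 1b0c1d3d8a4a5d0e_r
  local  'C=CH, O=strongSwan, CN=moon.strongswan.org' @ 192.168.0.1[500]
  remote 'C=CH, O=strongSwan, CN=sun.strongswan.org' @ 192.168.0.2[500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
  established 3s ago, rekeying in 13847s
  net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 3s ago, rekeying in 3141s, expires in 3960s
    in  c9a5c3b8,      0 bytes,     0 packets
    out c0ac1b1e,      0 bytes,     0 packets
    local  10.1.0.0/16
    remote 10.2.0.0/16"

# Offline demonstration against the constructed sample.
if tunnel_up net-net 10.1.0.0/16 10.2.0.0/16 "$SAMPLE"; then
    echo "net-net: up, protecting 10.1.0.0/16 <-> 10.2.0.0/16"
else
    echo "net-net: not ready"
fi
```

On a gateway, call it without the fourth argument (tunnel_up net-net 10.1.0.0/16 10.2.0.0/16) to read the live listing. Checking the traffic selectors, not just the SA state, catches the case where the peer narrowed the CHILD SA to a smaller subnet than configured.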

Directory structure reference

The default swanctl configuration directory layout:
/etc/swanctl/
├── swanctl.conf          # Connection and pool definitions
├── x509ca/               # Trusted CA certificates (PEM or DER)
├── x509/                 # End-entity certificates (PEM or DER)
├── private/              # Private keys (PEM or DER)
├── x509crl/              # Certificate revocation lists
└── pkcs12/               # PKCS#12 bundles

Next steps

VPN scenarios

Explore host-to-host, roadwarrior, and EAP authentication scenarios

PKI & certificates

Generate your own CA, issue certificates, and manage CRLs with the pki tool

swanctl commands

Full reference for all swanctl subcommands and options

swanctl.conf options

Complete reference for connection, pool, and secret configuration