sunknudsen / privacy-guides

Privacy guides reference material (archived)
MIT License
795 stars 94 forks

Convert from old to new Strongswan configuration format #8

Closed null-coffee closed 2 years ago

null-coffee commented 4 years ago

Branch

Master

Guide

How to self-host a hardened strongSwan IKEv2/IPsec VPN server for iOS and macOS

Operating system and version

N/A

Description

As Strongswan deprecated the Stroke plugin along with 'ipsec.conf' and friends, might I suggest converting your configuration over to the new format?

I took a shot at this while following your guide as a base:

VPN Client/Server Connection Configuration lives under the swanctl directory e.g. /etc/swanctl/conf.d/.conf

connections {

        # A connection named 'ikev2'
        ikev2 {

                version = 2
                fragmentation = yes
                encap = yes
                proposals = aes256gcm16-prfsha512-ecp384
                dpd_delay = 300s # (see dpd_action below)
                rekey_time = 0
                reauth_time = 0

                local_addrs = 0.0.0.0/0 # left=%any
                send_cert = always

                remote_addrs = 0.0.0.0/0 # right=%any
                send_certreq = no

                pools = dhcp # rightdns=, rightsourceip=%dhcp

                # Local authentication rounds ( 'left=' )
                local {
                        id = vpn-server.com
                        certs = server.crt
                }

                # Remote authentication rounds ( 'right=' )
                remote {
                        id = %any
                        auth = eap-tls
                        eap_id = %any
                }

                children {

                        # A CHILD_SA subsection, named 'ikev2-child'
                        ikev2-child {
                                start_action = none
                                ipcomp = no
                                mode = tunnel
                                esp_proposals = aes256gcm16-ecp384

                                dpd_action = clear # dpdaction=clear (note: dpd_delay must not equal 0s)
                                life_time = 0
                                life_bytes = 0
                                life_packets = 0

                                local_ts = 0.0.0.0/0 # leftsubnet=
                        }
                }
        }
}

# Secrets (analogous to 'ipsec.secrets')
secrets {
        # As RSA private keys, are automatically loaded from defined directories
        # we do not need to place a ': RSA server.key' definition here.
}

# IP Address Pools, can also define attributes such as DNS here
pools {
        # IP Information issued by DHCP plugin
}

The server certificate would be placed in the swanctl 'x509' directory, where it will be automatically loaded. The server certificate private key would be placed in the swanctl 'private' directory, where it will be automatically loaded.

Replace the 'stroke' plugin with 'vici'

The older charon debug section seems to be approximately equal to the charon-logging.conf but the documentation wasn't very clear to me on that.
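To check a converted file like the one above before handing it to swanctl, here is an added example (not code from the issue author, the privacy-guides project or strongSwan) that parses the strongswan.conf/swanctl.conf syntax and runs a few sanity checks, including the constraint noted in the config comments that dpd_action only does anything when dpd_delay is non-zero. It assumes the subset of the syntax used in the issue (nested `name { ... }` sections, `key = value` settings, `#` comments; `include` lines are skipped), and the embedded SAMPLE is a constructed copy of the connection shown in the issue.

```python
"""Minimal parser plus lint checks for swanctl.conf-style files.

Added example, not strongSwan's own parser. Supports nested `name { ... }`
sections, `key = value` settings and `#` comments; `include` lines are ignored.
"""
from __future__ import annotations

# Constructed sample mirroring the connection posted in the issue.
SAMPLE = """\
connections {
    ikev2 {
        version = 2
        fragmentation = yes
        encap = yes
        proposals = aes256gcm16-prfsha512-ecp384
        dpd_delay = 300s  # see dpd_action in the child section
        rekey_time = 0
        reauth_time = 0
        local_addrs = 0.0.0.0/0  # left=%any
        send_cert = always
        remote_addrs = 0.0.0.0/0  # right=%any
        send_certreq = no
        pools = dhcp
        local {
            id = vpn-server.com
            certs = server.crt
        }
        remote {
            id = %any
            auth = eap-tls
            eap_id = %any
        }
        children {
            ikev2-child {
                start_action = none
                mode = tunnel
                esp_proposals = aes256gcm16-ecp384
                dpd_action = clear  # requires dpd_delay != 0s
                local_ts = 0.0.0.0/0
            }
        }
    }
}
secrets {
}
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def seconds(value: str) -> int:
    """Convert a strongswan time value such as '300s', '5m' or '1h' to seconds."""
    value = value.strip()
    if value and value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


def parse(text: str) -> dict:
    """Parse the config into nested dicts: sections become dicts, settings become strings."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("include "):
            continue
        if line.endswith("{"):
            section: dict = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def lint(config: dict) -> list[str]:
    """Return a list of human-readable problems found in the connections section."""
    issues: list[str] = []
    for name, conn in config.get("connections", {}).items():
        if conn.get("version") != "2":
            issues.append(f"{name}: version should be 2 for an IKEv2-only server")
        if "proposals" not in conn:
            issues.append(f"{name}: no explicit IKE proposals (charon would use its defaults)")
        delay = seconds(conn.get("dpd_delay", "0s"))  # swanctl default is 0s
        for cname, child in conn.get("children", {}).items():
            if "esp_proposals" not in child:
                issues.append(f"{name}/{cname}: no explicit ESP proposals")
            action = child.get("dpd_action", "none")  # swanctl default is none
            if action != "none" and delay == 0:
                issues.append(f"{name}/{cname}: dpd_action={action} but dpd_delay is 0, so DPD never runs")
    return issues


if __name__ == "__main__":
    problems = lint(parse(SAMPLE))
    print("\n".join(problems) if problems else "no issues found")
```

Run it against a real file with `lint(parse(open("/etc/swanctl/conf.d/ikev2.conf").read()))`; an empty list means the checks above passed, which is a useful guard before `swanctl --load-all` replaces the live configuration.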

sunknudsen commented 4 years ago

Hey @null-coffee, migrating to the new format would be amazing.

That being said, I don't feel I know enough about it to author these changes.

The current version of the guide went through a thorough peer review process.

If you feel confident about the migration, I am open to a PR which we would then need to have peer reviewed.

null-coffee commented 3 years ago

Hi @sunknudsen. I am not an expert in this field; I was seeking some good input on implementing a self-hosted VPN and came across your guide. I found the official documentation for Strongswan a bit difficult to follow and unclear in some parts, and appreciated the effort you put in.

I wanted to reimplement it using the newer configuration format, and followed this document Migration from ipsec.conf to swanctl.conf from the Strongswan documentation to convert from one to the other.

I can say that it works, but I am open to critique, criticism, suggestions for improvements, etc.

sunknudsen commented 2 years ago

Closing as the guide has been deprecated, given I am no longer using it myself.

That said, open to peer reviewed pull request.