
Strongswan IPSec Recommendation

Hello,

I have a tunnel configured with strongSwan working perfectly, but I wish to get some recommendations to enable maximum performance, compression and security in this site-to-site connection.

I would like to get recommendations from the experts to ipsec.conf settings, using, if possible, IKEv2.

This is my ipsec.conf:
config setup
  plutodebug=all
  klipsdebug=all
  charonstart=yes
  plutostart=yes
  keep_alive=10s

conn %default
  keyingtries=%forever
  dpdaction=restart
  dpddelay=60s

conn site-to-site
  reqid=1632
  compress=yes
  authby=secret
  left=1.1.1.1
  leftid=1.1.1.1
  leftsubnet=192.168.1.0/24
  leftfirewall=yes
  lefthostaccess=yes
  right=2.2.2.2
  rightid=2.2.2.2
  rightsubnet=192.168.2.0/24
  auto=start

Thanks in advance!

noci
Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Well, turning off debugging is a first quick win. Not having to write data to disk always helps.
And writing EVERYTHING is quite a lot...

Renegotiating can be quicker if you limit it to 1 (one) choice for a link.
You can trade a little speed-up for a bit less security by making the intervals longer
(fewer renegotiations, but also less security because keys are used longer).
Enabling PFS can alleviate that a little.

If you have forever retrying renegotiation, keep in mind that there is sufficient lapse between two attempts,
otherwise it can become a denial of service... (self-inflicted...)
FabioConsultant

Author

Commented:
Hello Noci,

Thank you indeed! Great tips!

Regarding compression, PFS, PFS Group, IKE, ESP, etc... What do you recommend?

Thanks in advance!
noci
Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
On IKE/ESP, AES is faster than 3DES so that's preferred.
Compression always helps (esp. if you have a fast processor on a relatively slow link).
PFS: yes.
PFS group as high as possible (needs to be the same on both sides).
FabioConsultant

Author

Commented:
Noci,

Thank you again!

I'll accept both answers as a solution!

Do you have any IPSec.conf example?
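An example ipsec.conf that puts those recommendations together, added here as an illustration (it is not from the thread, and not noci's or the asker's configuration). It assumes strongSwan 5.x with IKEv2 on both gateways, reuses the placeholder addresses and subnets from the question, and the lifetimes and DH group are assumed values:

```conf
# Added example ipsec.conf (strongSwan 5.x syntax), not from the thread;
# it applies the recommendations above to the asker's site-to-site setup.
# Assumed: both gateways run strongSwan 5.x, addresses/subnets are the
# placeholders from the question, lifetimes and DH group are assumed values.
config setup
  # Log at level 1 only; full debugging (plutodebug/klipsdebug=all) costs disk I/O.
  charondebug="ike 1, knl 1, cfg 0, net 0, enc 0"

conn %default
  keyexchange=ikev2
  # One strict proposal (trailing '!') per SA: a single choice means no
  # negotiation over a list. AES rather than 3DES; with IKEv2 the DH group
  # in 'esp' is what provides PFS, and it must match on both sides.
  ike=aes256-sha256-modp3072!
  esp=aes256gcm16-modp3072!
  # Longer lifetimes mean fewer rekeys (keys live longer; PFS limits the
  # impact of one key being exposed). Assumed values; defaults are 3h / 1h.
  ikelifetime=8h
  lifetime=2h
  margintime=9m
  rekeyfuzz=100%
  # Retry forever, but keep a lapse between attempts (DPD delay) so a dead
  # peer does not become a self-inflicted DoS. IKE retransmit backoff is set
  # in strongswan.conf (charon.retransmit_* options), not in this file.
  keyingtries=%forever
  dpdaction=restart
  dpddelay=60s

conn site-to-site
  authby=secret
  # IPComp: worthwhile on a slow link when the CPU has headroom.
  compress=yes
  left=1.1.1.1
  leftid=1.1.1.1
  leftsubnet=192.168.1.0/24
  leftfirewall=yes
  lefthostaccess=yes
  right=2.2.2.2
  rightid=2.2.2.2
  rightsubnet=192.168.2.0/24
  auto=start
```

Because the proposals are strict, the peer must carry the identical ike/esp lines or the SA will not negotiate; `ipsec statusall` on either side shows the algorithms and DH group actually agreed.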
