Documentation Index
Fetch the complete documentation index at: https://mintlify.com/strongswan/strongswan/llms.txt
Use this file to discover all available pages before exploring further.
A roadwarrior setup allows remote clients with dynamic or unknown IP addresses to connect to a central gateway. The gateway accepts any incoming connection from a peer that can present a valid certificate signed by the trusted CA.
Network topology
10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
moon-net moon carol
Certificate files
moon (gateway)
carol (roadwarrior)
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/private/moonKey.pem
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/carolCert.pem
/etc/swanctl/private/carolKey.pem
Configuration
moon (gateway)
carol (roadwarrior)
# /etc/swanctl/swanctl.conf
connections {
rw {
local {
auth = pubkey
certs = moonCert.pem
id = moon.strongswan.org
}
remote {
auth = pubkey
}
children {
net-net {
local_ts = 10.1.0.0/16
}
}
}
}
remote block has no id restriction — it accepts any client that presents a certificate signed by the trusted CA.# /etc/swanctl/swanctl.conf
connections {
home {
remote_addrs = moon.strongswan.org
local {
auth = pubkey
certs = carolCert.pem
id = carol@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
local_ts = 10.1.0.0/16
start_action = start
}
}
}
}
start_action = start causes carol to initiate the tunnel immediately when the connection definition is loaded.DNS resolution at runtime
Carol’s remote_addrs = moon.strongswan.org is a hostname rather than an IP address. strongSwan resolves this via DNS at the time the connection is initiated, so carol’s configuration does not need to change if the gateway’s IP address changes.
Client identity with email address
Carol’s IKEv2 identity is carol@strongswan.org (an RFC 822 email address). This value must be present as a subjectAlternativeName (SAN) in carolCert.pem. The gateway uses this identity to distinguish clients from each other.
When generating carol’s certificate with pki, add the SAN with:pki --req ... --san carol@strongswan.org ...
Variant: virtual IP addresses
Roadwarriors typically have a different IP address each time they connect, making return routing from moon-net back to the client difficult. Assigning a virtual IP from a fixed pool solves this.
10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x | -- 10.3.0.1
moon-net moon carol virtual IP
Gateway configuration with pool
# /etc/swanctl/swanctl.conf
connections {
rw {
pools = rw_pool
local {
auth = pubkey
certs = moonCert.pem
id = moon.strongswan.org
}
remote {
auth = pubkey
}
children {
net-net {
local_ts = 10.1.0.0/16
}
}
}
}
pools {
rw_pool {
addrs = 10.30.0.0/16
}
}
Roadwarrior configuration requesting a virtual IP
# /etc/swanctl/swanctl.conf
connections {
home {
remote_addrs = moon.strongswan.org
vips = 0.0.0.0
local {
auth = pubkey
certs = carolCert.pem
id = carol@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
local_ts = 10.1.0.0/16
start_action = start
}
}
}
}
vips = 0.0.0.0 tells the client to request an IPv4 virtual IP from the gateway using either IKEv2 configuration payloads or IKEv1 mode config.
Loading configuration and pools
Load credentials on both endpoints
Load address pools on the gateway
This step is only required on the gateway when using virtual IPs: Load connections on both endpoints
Carol’s tunnel initiates automatically due to start_action = start. 