Cloudflare Docs
Magic WAN

strongSwan

This tutorial contains a sample template of the ipsec.conf file for a working IPsec tunnel configuration established between a Linux machine running strongSwan and Cloudflare’s Magic service.

This ipsec.conf file is typically located in the /etc directory of the Linux machine.

Configuration parameters

Phase 1

  • Encryption
    • AES-CBC with 256-bit key length
    • AES-GCM with 256-bit key length
  • Integrity
    • SHA-256
  • Diffie-Hellman group
    • DH group 14 (2048-bit MODP group)
  • PRF
    • SHA-512

Phase 2

  • Encryption
    • AES with 256-bit key length
  • Integrity
    • SHA-256
  • Diffie-Hellman group
    • DH group 14 (2048-bit MODP group)

Configuration template

config setup
    charondebug="all"
    uniqueids=yes

conn %default
    ikelifetime=4h
    rekey=yes
    reauth=no
    keyexchange=ikev2
    authby=secret
    dpdaction=restart
    closeaction=restart

conn <tunnel_name>
    auto=start
    mark=50
    type=tunnel
    fragmentation=no
    leftauth=psk
    left=<IP_ADDR_OF_LINUX_UPLINK_TO_CF>
    leftid=<IPSEC_ID_STRING_IN_RESULT_OF_PSK_KEY-GEN_VIA_CF_API>
    leftsubnet=0.0.0.0/0
    right=<CF_ANYCAST_IP>
    rightid=<CF_ANYCAST_IP>
    rightsubnet=0.0.0.0/0
    rightauth=psk
    ike=aes256gcm16-prfsha512-modp2048
    esp=aes256gcm16-prfsha512-modp2048
    replay_window=0

Dead Peer Detection (DPD)

In the ipsec.conf file above, in the conn %default section, dpdaction=restart enables Dead Peer Detection (DPD), which actively checks the IPsec tunnel and re-establishes it after a communication timeout. In addition, closeaction=restart re-establishes the tunnel when the remote peer (usually the Cloudflare Magic service) closes it unexpectedly.

If you do not want this behavior, set these two parameters to none or remove them from the configuration file.

The mark parameter is a user-assigned 32-bit value/mask that labels the xfrm policy used for the tunnel connection. In the example file, the value is 50. You can choose any number in the 0 to 2^32 range, for example 77, 1234, or 888. When you create the VTI interface for a given IPsec tunnel, the VTI key value must match the mark value defined for that tunnel in the ipsec.conf file.

strongswan.conf file

Update the /etc/strongswan.conf file with the configuration shown below. In particular, install_routes = no stops strongSwan from installing a default route in routing table 220, a table strongSwan creates automatically and then forces lookups into through an IP rule policy it also configures on the system. This default behavior often interferes with the routing the user intends, so disable it where it does not suit your setup.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    install_routes = no
    install_virtual_ip = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
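The two requirements above, that the VTI key equal the conn's mark and that routes be added by hand once install_routes = no suppresses strongSwan's table 220 entries, are easy to get out of sync when editing by hand. The script below is an added example (not Cloudflare's or strongSwan's code) that reads the mark, left and right values from an ipsec.conf conn and prints the ip(8) commands for a matching VTI, then checks strongswan.conf to decide whether static routes still need to be added. The ipsec.conf and strongswan.conf snippets, the interface name vti_cf1, the RFC 5737 documentation addresses and the 10.0.0.0/8 prefix are all constructed placeholders; the commands are printed rather than executed so the script runs without root.

```shell
#!/bin/sh
# Added example, not part of the Cloudflare page or the strongSwan project.
# All addresses, names and prefixes below are constructed placeholders.

# Constructed sample: a conn section with the template placeholders filled in.
SAMPLE_IPSEC_CONF='conn cf_tunnel_1
    auto=start
    mark=50
    type=tunnel
    left=192.0.2.10
    leftid=203.0.113.1
    right=203.0.113.1
    rightid=203.0.113.1
'

# Constructed sample strongswan.conf with route installation disabled.
SAMPLE_STRONGSWAN_CONF='charon {
    load_modular = yes
    install_routes = no
    install_virtual_ip = no
}
'

# conf_value CONF KEY: print the first value of KEY from a key=value blob.
# Tolerates spaces around "=", so "mark = 50" and "mark=50" both match,
# and does not confuse "left" with "leftid" because "=" must follow the key.
conf_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | head -n 1
}

# vti_key_matches_mark CONF KEY: succeed only when KEY equals the conn's mark,
# the consistency the page requires between the VTI and ipsec.conf.
vti_key_matches_mark() {
    [ "$(conf_value "$1" mark)" = "$2" ]
}

# vti_setup_commands CONF IFACE: print the commands that create a VTI whose
# key is the conn's mark. Fails if any of mark/left/right is missing.
vti_setup_commands() {
    vti_conf=$1
    vti_iface=$2
    vti_mark=$(conf_value "$vti_conf" mark)
    vti_left=$(conf_value "$vti_conf" left)
    vti_right=$(conf_value "$vti_conf" right)
    [ -n "$vti_mark" ] && [ -n "$vti_left" ] && [ -n "$vti_right" ] || return 1
    printf 'ip tunnel add %s mode vti local %s remote %s key %s\n' \
        "$vti_iface" "$vti_left" "$vti_right" "$vti_mark"
    printf 'ip link set %s up\n' "$vti_iface"
    # Without this sysctl the kernel still applies IPsec policy checks to
    # packets on the VTI, which drops plain routed traffic through it.
    printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$vti_iface"
}

# routes_installed_by_strongswan CONF: succeed when strongswan.conf leaves
# install_routes at its default (yes), meaning charon will populate table 220.
routes_installed_by_strongswan() {
    ir_value=$(conf_value "$1" install_routes)
    [ "${ir_value:-yes}" != "no" ]
}

# manual_route_commands IFACE PREFIX...: print the static routes that send the
# given prefixes into the VTI, replacing what install_routes = no suppresses.
manual_route_commands() {
    mr_iface=$1
    shift
    for mr_prefix in "$@"; do
        printf 'ip route add %s dev %s\n' "$mr_prefix" "$mr_iface"
    done
}

# Stand-alone run: print the command plan for the constructed sample.
main_demo() {
    vti_setup_commands "$SAMPLE_IPSEC_CONF" vti_cf1
    if routes_installed_by_strongswan "$SAMPLE_STRONGSWAN_CONF"; then
        echo "# install_routes is enabled; charon will add routes in table 220"
    else
        manual_route_commands vti_cf1 10.0.0.0/8
    fi
}
main_demo
```

Running the script prints the `ip tunnel add ... key 50` line derived from the sample conn, followed by the static route, because the sample strongswan.conf sets install_routes = no. Pointing the functions at your real /etc/ipsec.conf and /etc/strongswan.conf (for example with `conf_value "$(cat /etc/ipsec.conf)" mark`) gives a quick consistency check before bringing the tunnel up.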