Install Strongswan - A Tool to Setup IPsec Based VPN in Linux

IPsec is a standard that provides security at the network layer. It consists of the Authentication Header (AH) and Encapsulating Security Payload (ESP) components. AH provides packet integrity, and ESP provides confidentiality. IPsec ensures the following security features at the network layer.

  • Confidentiality
  • Integrity of packet
  • Source non-repudiation
  • Replay attack protection

Strongswan is an open source implementation of the IPsec protocol; the name stands for Strong Secure WAN (StrongS/WAN). It supports both versions of automatic key exchange in IPsec VPNs (Internet Key Exchange (IKE) v1 and v2).

Strongswan basically provides automatic key sharing between the two nodes/gateways of the VPN, and after that it uses the Linux kernel implementation of IPsec (AH and ESP). The key shared using the IKE mechanism is then used in ESP for the encryption of data. During the IKE phase, strongswan uses the cryptographic algorithms (AES, SHA, etc.) of OpenSSL and other crypto libraries. However, the ESP component of IPsec uses the security algorithms implemented in the Linux kernel. The main features of Strongswan are given below.

  • X.509 certificates or pre-shared keys based authentication
  • Support of IKEv1 and IKEv2 key exchange protocols
  • Optional built-in integrity and crypto tests for plugins and libraries
  • Support of elliptic curve DH groups and ECDSA certificates
  • Storage of RSA private keys and certificates on a smartcard.

It can be used in the client / server (road warrior) and gateway to gateway scenarios.

How to Install

Almost all Linux distributions provide a binary package of Strongswan. In this tutorial, we will install strongswan from the binary package and also compile the strongswan source code with the desired features.

Using binary package

Strongswan can be installed using the following command on Ubuntu 14.04 LTS.

$ sudo aptitude install strongswan


The global configuration file (strongswan.conf) and the IPsec configuration files (ipsec.conf/ipsec.secrets) of strongswan are under the /etc/ directory.

Prerequisites for strongswan source compilation and installation

  • GMP (mathematical/precision library used by strongswan)
  • OpenSSL (crypto algorithms from this library)
  • PKCS (1, 7, 8, 11, 12) (certificate encoding and smart card integration with strongswan)


1) Go to the /usr/src/ directory using the following command in the terminal.

$ cd /usr/src

2) Download the source code from the strongswan site using the following command.

$ sudo wget

(strongswan-5.2.1.tar.gz is the latest version.)

3) Extract the downloaded software and go inside it using the following command.

$ sudo tar -xvzf strongswan-5.2.1.tar.gz; cd strongswan-5.2.1

4) Configure strongswan with the desired options using the configure command.

./configure --prefix=/usr/local --enable-pkcs11 --enable-openssl


If the GMP library is not installed, the configure script will generate the following error.

[Screenshot: GMP library error]

Therefore, first install the GMP library using the following command and then run the configure script.

[Screenshot: GMP installation]

However, if GMP is already installed and the above error still occurs, create a soft link to the library at the /usr/lib, /lib/ and /usr/lib/x86_64-linux-gnu/ paths in Ubuntu using the following command.

$ sudo ln -s /usr/lib/x86_64-linux-gnu/ /usr/lib/x86_64-linux-gnu/


After creating the soft link, run the ./configure script again; it may now find the GMP library. However, it may generate another error about the GMP header file, which is shown in the following figure.

[Screenshot: GMP header file issue]

Install the libgmp-dev package using the following command to resolve the above error.

$ sudo aptitude install libgmp-dev


After installing the development package of the GMP library, run the configure script again; if it does not produce any error, the following output will be displayed.

[Screenshot: output of the configure script]
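The three GMP failures described above (library not installed, unversioned libgmp.so link missing, gmp.h header missing) can be told apart before running ./configure. The following script is an added example, not part of the original tutorial; the function names gmp_state and gmp_advice, the ROOT argument and the include directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify the GMP state before ./configure.
# Library directories are the ones the tutorial names; the include directories
# are an assumption about where Ubuntu places gmp.h.
GMP_LIB_DIRS="/usr/lib /lib /usr/lib/x86_64-linux-gnu"
GMP_INC_DIRS="/usr/include /usr/include/x86_64-linux-gnu"

# gmp_state [ROOT] prints: ok | no-library | no-dev-link | no-header
# ROOT is a hypothetical path prefix (empty = live system), used for testing.
gmp_state() {
    root="${1:-}"; versioned=""; devlink=""; header=""
    for d in $GMP_LIB_DIRS; do
        # Unversioned name the linker resolves for -lgmp.
        if [ -e "$root$d/libgmp.so" ]; then devlink="$root$d/libgmp.so"; fi
        # Versioned runtime library, e.g. libgmp.so.10.
        for f in "$root$d"/libgmp.so.*; do
            if [ -e "$f" ]; then versioned="$f"; fi
        done
    done
    for d in $GMP_INC_DIRS; do
        if [ -f "$root$d/gmp.h" ]; then header="$root$d/gmp.h"; fi
    done
    if [ -z "$versioned" ] && [ -z "$devlink" ]; then echo no-library
    elif [ -z "$devlink" ]; then echo no-dev-link
    elif [ -z "$header" ]; then echo no-header
    else echo ok
    fi
}

# gmp_advice STATE maps each state to the tutorial's corresponding fix.
gmp_advice() {
    case "$1" in
        ok)          echo "GMP library and header found; run ./configure." ;;
        no-library)  echo "GMP is not installed; install the GMP library first." ;;
        no-dev-link) echo "libgmp.so.N exists but libgmp.so is missing; install libgmp-dev or create the soft link." ;;
        no-header)   echo "gmp.h is missing; run: sudo aptitude install libgmp-dev" ;;
        *)           echo "unknown state: $1"; return 1 ;;
    esac
}

gmp_advice "$(gmp_state)"
```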

Type the following commands to compile and install strongswan.

$ sudo make; sudo make install

After the installation of strongswan, the global configuration file (strongswan.conf) and the IPsec policy/secret configuration files (ipsec.conf/ipsec.secrets) are placed in the /usr/local/etc directory.

Strongswan can be used in tunnel or transport mode, depending on the security need. It provides the well-known site-to-site and road warrior VPNs. It can easily be used with Cisco and Juniper devices.
