All Pages > howto > IPsec > strongSwan 4.0 and earlier
IPsec with public key authentication on strongSwan < 5.0.0
Setup
Generate an RSA keypair
Exchange public keys with your peer
- Display the public key. Send the key data to your peer.
ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
- Convert your peer's public key to the Base64 RFC 3110 format using the pubkey-converter script, if necessary.
Configuration
Configure the phase 1 IKE parameters
In this example, we'll use the following settings:
| Key | Value |
|---|---|
| Encryption | AES-128 |
| Hash | HMAC-SHA1 |
| DH Group | 5 (modp1536) |
| Lifetime | 28800 seconds |
| Peer address | 192.0.2.2 |
| Local address | 192.0.2.1 |
Note: strongSwan < 5.0.0 will read PEM-formatted private keys, but requires public keys to be added to the configuration in Base64 RFC 3110 format. Convert your host's public key from PEM to Base64 RFC 3110 for inclusion in ipsec.conf as described below.
- Configure a connection policy in ipsec.conf for your peer. The
leftrsasigkeyattribute is your host's public key in Base64 RFC 3110 format enclosed in double quotes, andrightrsasigkeyis your peer's key.
- All done! Configure the phase 2 parameters as you otherwise would.
Full GRE/IPsec example
# ipsec.conf - strongSwan IPsec configuration file
keyexchange=ikev1
dpdaction=restart
# peer IPs
left=192.0.2.1
right=192.0.2.2
# phase 1 parameters
ike=aes128-sha1-modp1536!
ikelifetime=28800s
# authentication
authby=pubkey
leftrsasigkey="0sAwEAAdvxViCblVLX7C6L2rzafpz0rE9pkKDSt2VFMLhCnwY0+5oYo3V0R4dUgLSGlNmnp+fneauntu7zAgmDkC2oJ/QpCmrQaueMxjbw0s0BKc9JiLGgcfcY74bIKgJigk6S7SrjM+nGWx/MvKPf2WfCr/iYbeu0/AQyl3M4DoOSCGl/OFKQq5UoJp0rymCrtz157fdW2euh2g2SYz3/WojDXH77lKlXxVp7FdsyOhxbxv7sJKi2pbJz2gMFXiFpdjr8tic3Y9BkS0mMfO3p3kgaPu7Y5VEUE7nQI9fud0hTpAXAj0p8z2KSAt4QX2fGcPK/9uZqFt8X/E5SyyaoAIedGLVcr8lUr9TCmAXY2XBbBF1HHguSyPSWa8gf0nq6tEfuP/2YkdyxLXrVSjb3KPW3CCR16/PBzNl3mEX0TwAesHpmyBDCmHcCIcGADzwLS/pQx7WQYgQCAKdMtBYWqM0s5TEq8vLWyUdnw/4vP8l6+YrFX4yWXcPFitCwHfGvM75jSBSoIilo6A4CMnDOR60Q/q2NAa/cTjZDXYAey8/8DxMlLIiImaWsDP0uLWl+xMSuFot6XcZDhy59mcmlirHYVz6QpHTH0jidEqglHFc3vsQ/BpSJ1ELD4Gwxr8U+940+iHvsEgPeAoLN5quxUunDaGQAEr+3E/QxvsX0Jo6yQvUl"
rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
# phase 2 parameters
esp=aes128-sha1!
pfs=yes
pfsgroup=modp1536
lifetime=3600s
type=transport
leftprotoport=gre
rightprotoport=gre
# startup
auto=route
keyingtries=