How to Configure OpenSWAN for Client Private IP Assignment (IPSec Alternative to OpenVPN)


7 views

When migrating from OpenVPN to OpenSWAN, the primary technical challenge lies in replicating the client IP assignment functionality. In your OpenVPN setup, the server 192.168.240.0 255.255.255.0 directive handles this automatically by creating a virtual subnet.

OpenSWAN uses a different approach for IP assignment compared to OpenVPN's TUN-based allocation:

  • IPSec operates at network layer (Layer 3) instead of transport layer
  • Uses IKE (Internet Key Exchange) for key management
  • Requires explicit virtual_private configuration

Here's a working OpenSWAN configuration example for client IP assignment:

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn roadwarrior
    auto=add
    pfs=yes
    compress=no
    type=tunnel
    left=your.server.ip
    leftnexthop=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnetwithin=0.0.0.0/0
    rightaddresspool=192.168.240.100-192.168.240.200
    authby=secret
    ike=aes256-sha2;modp2048
    phase2=esp
    phase2alg=aes256-sha2;modp2048
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

To replicate your OpenVPN's authentication (certificates + LDAP), consider these OpenSWAN alternatives:

# X.509 Certificate Authentication
conn x509
    leftcert=serverCert.pem
    rightcert=clientCert.pem
    auto=add

# Pre-Shared Key Alternative
conn psk
    authby=secret
    auto=add

To push routes similar to OpenVPN's push "route 10.10.64.0 255.255.252.0":

# In ipsec.conf
conn routed
    also=roadwarrior
    leftsubnet=10.10.64.0/22
    rightsubnet=192.168.240.0/24
  • Check /var/log/secure for authentication errors
  • Verify KLIPS or NETKEY module loading with ip xfrm policy
  • Test basic connectivity before adding complex routing

For iOS/Android compatibility, ensure:

# Use IKEv1 for broader compatibility
ikev2=no
# Include these phase1 algorithms
ike=3des-sha1;modp1024,aes128-sha1;modp1024

When migrating from OpenVPN to IPSec solutions like OpenSWAN, the key functionality we need to preserve is the ability to assign private IP addresses to clients - just like OpenVPN's server directive and ifconfig-pool-persist mechanism. Here's how OpenSWAN handles this through its virtual_private configuration.

The essential elements for client IP assignment in OpenSWAN:

conn myvpn
    authby=secret
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=tunnel
    left=%defaultroute
    leftsubnet=10.10.64.0/22
    right=%any
    rightsubnet=192.168.240.0/24
    rightaddresspool=192.168.240.100-192.168.240.200
    pfs=no
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024

Unlike OpenVPN's certificate+LDAP authentication shown in your config, OpenSWAN typically uses:

  • Pre-shared keys (PSK) for basic authentication
  • X.509 certificates for stronger authentication
  • XAUTH for username/password authentication

To match OpenVPN's auth-user-pass functionality:

conn xauth
    # ... (previous parameters)
    authby=secret
    xauth=server
    xauthserver=/etc/ipsec.d/xauth-secrets
    modecfgdns=xxx.xxx.xxx.xxx
    leftxauthserver=yes
    rightxauthclient=yes

The equivalent of OpenVPN's push "route" directive:

conn myvpn
    # ... (previous parameters)
    leftsubnet=10.10.64.0/22
    rightsubnet=192.168.240.0/24
    # For additional routes:
    modecfgopts="10.10.64.0/255.255.252.0"

Essential commands for troubleshooting:

ipsec auto --status
ipsec setup --start
ipsec whack --listen
tcpdump -n -i eth0 udp port 500 or udp port 4500

IPSec typically has lower overhead than OpenVPN, but requires kernel support. Modern implementations like LibreSWAN may offer better mobile compatibility.