
site-to-site IPSec VPN between strongSwan and Cisco Router with IKEv2


In the previous post, we showed how to connect strongSwan (AWS) to a Cisco router (on-premise) using IKEv1.

As promised, we will now show how to use IKEv2 for the same scenario.

Switching from IKEv1 to IKEv2 is really simple: the strongSwan configuration changes by a single line, although the Cisco side needs quite a bit of added configuration.

Network diagram

The left side (mumbai) is using strongSwan hosted on AWS, and the right side (france) is using an on-premise Cisco router. NAT is also configured, because a site-to-site VPN between different companies usually requires the encryption domain to use public IP addresses.

IP Info                                  Left side (mumbai)            Right side (france)
VPN device/sw                            strongSwan 5.9.8 on Debian 12  Cisco C931-4P
VPN GW IP                                35.154.207.104                 31.xxx.xxx.48
Encryption Domain (VPN host or subnet)   (NAT to ...)                   (NAT to ...)

IPSec parameters

Phase I Settings
  Authentication Method           Pre-Shared
  Diffie-Hellman Group            2 (MODP 1024)
  Encryption Algorithm            AES256
  Hash Algorithm                  SHA-1
  SA Timeout                      28800

Phase II Settings
  Encapsulation                   ESP (encrypted)
  Perfect Forward Secrecy (PFS)   NO PFS
  Encryption Algorithm            AES256
  Hash Algorithm                  SHA-1
  Lifetime (in seconds)           3600 (default)

These parameters are the same ones used in the IKEv1 post. Note that DH group 2 (1024-bit MODP) and SHA-1 are both considered weak today; where the peer supports it, prefer a larger group (group 14 or higher, or an ECP group) and a SHA-2 integrity algorithm, and enable PFS for the child SA.

Difference in configuration

strongSwan (mumbai)

/etc/swanctl/swanctl.conf: the change is minimal. Add the single line “version = 2” to the connection, and that’s it!

# default settings for all conns (e.g. cert, IP pools)
conn-defaults {
      version = 1
      reauth_time = 28800
      proposals = aes256-sha1-modp1024
}

# default settings for all child configs (e.g. traffic selectors)
child-defaults {
      mode = tunnel
      start_action = trap|start
      rekey_time = 3600
}

connections {
   mumbai-france : conn-defaults {
      local_addrs  =
      remote_addrs = 31.xxx.xxx.48
      proposals = aes256-sha1-modp1024
      version = 2 # the only change required
      mobike = no # optional

      local {
         auth = psk
         id =
      }
      remote {
         auth = psk
         id = 31.xxx.xxx.48
      }
      children {
         mumbai-france1 : child-defaults {
            local_ts  =
            remote_ts = 31.xxx.xxx.89/32
            start_action = trap|start
            esp_proposals = aes256-sha1
         }
      }
   }
}

secrets {
   ike-1 {
      # a - local, b - remote
      id-1b = 31.xxx.xxx.48
      secret = ANsvU5WIwmQ6
   }
}
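Because the proposal strings are what actually decide the tunnel's crypto, it is worth auditing them mechanically rather than by eye. The following is an added example, not part of the original post and not strongSwan's own code: a minimal parser for the swanctl.conf brace format (sections, `name : parent {` inheritance, `key = value`, `#` comments) plus a check that flags proposal components widely considered weak. The sample configuration is constructed from the post's swanctl.conf with placeholder addresses; `parse`, `resolve`, `connection` and `audit` are names chosen for this example.

```python
"""Parse a swanctl.conf-style text and audit its IKE/ESP proposals.

Added example (not from the post or strongSwan). Limitations: `#` is treated
as a comment start anywhere on a line, so it must not appear inside values.
"""

# Constructed sample, modelled on the post's swanctl.conf; addresses are placeholders.
SAMPLE_CONF = """
# default settings for all conns
conn-defaults {
    version = 1
    reauth_time = 28800
    proposals = aes256-sha1-modp1024
}
child-defaults {
    mode = tunnel
    rekey_time = 3600
}
connections {
    mumbai-france : conn-defaults {
        remote_addrs = 198.51.100.48
        version = 2 # the only change required
        children {
            mumbai-france1 : child-defaults {
                remote_ts = 198.51.100.89/32
                esp_proposals = aes256-sha1
            }
        }
    }
}
"""

# Proposal components a defender should flag, keyed by strongSwan keyword.
WEAK = {
    "modp768": "DH group 1 (768-bit MODP)",
    "modp1024": "DH group 2 (1024-bit MODP)",
    "modp1536": "DH group 5 (1536-bit MODP)",
    "sha1": "SHA-1 integrity/PRF",
    "md5": "MD5 integrity/PRF",
    "3des": "3DES encryption",
    "des": "DES encryption",
}


def parse(text):
    """Return nested dicts; a section declared as `name : parent {` records its parent."""
    root, stack, current = {}, [], {}
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            name, _, parent = (p.strip() for p in line[:-1].partition(":"))
            section = {"__parent__": parent} if parent else {}
            current[name] = section
            stack.append(current)
            current = section
        elif line == "}":
            current = stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces")
    return root


def resolve(section, root):
    """Copy a section with scalar settings inherited from its parent section."""
    merged = dict(section)
    parent = merged.pop("__parent__", None)
    if parent:
        for key, value in resolve(root.get(parent, {}), root).items():
            if not isinstance(value, dict):
                merged.setdefault(key, value)
    return merged


def connection(text, name):
    """Resolved settings of one connection, inheritance applied."""
    root = parse(text)
    return resolve(root["connections"][name], root)


def audit(text):
    """List (where, setting, finding) for every weak component in IKE and ESP proposals."""
    root = parse(text)
    findings = []
    for conn_name, conn in root.get("connections", {}).items():
        conn = resolve(conn, root)
        targets = [(conn_name, "proposals", conn.get("proposals", ""))]
        for child_name, child in conn.get("children", {}).items():
            child = resolve(child, root)
            targets.append((f"{conn_name}/{child_name}", "esp_proposals",
                            child.get("esp_proposals", "")))
        for where, setting, proposals in targets:
            for proposal in proposals.split(","):          # several proposals may be listed
                for component in proposal.strip().split("-"):
                    if component in WEAK:
                        findings.append((where, setting, WEAK[component]))
    return findings


if __name__ == "__main__":
    print("IKE version:", connection(SAMPLE_CONF, "mumbai-france")["version"])
    for where, setting, finding in audit(SAMPLE_CONF):
        print(f"{where}: {setting} uses {finding}")
```

Run against the sample, the audit reports the 1024-bit group and SHA-1 in the inherited IKE proposal and SHA-1 again in the child's ESP proposal, which is exactly the list of things to negotiate upwards with the peer when the remote side allows it.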

Cisco Router (france)

On the Cisco side there is more typing to do.

crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal ikev2proposal
crypto ikev2 keyring keys
 peer mumbai-strongswan
  pre-shared-key local ANsvU5WIwmQ6
  pre-shared-key remote ANsvU5WIwmQ6
crypto ikev2 profile ikev2profile
 match identity remote address
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
crypto ipsec transform-set vpn-sha1-aes256 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map francemap 2 ipsec-isakmp
 set peer
 set transform-set vpn-sha1-aes256
 set ikev2-profile ikev2profile
 match address TEST-MUMBAI-SS
ip nat inside source static 31.xxx.xxx.89
ip access-list extended TEST-MUMBAI-SS
 permit ip host 31.xxx.xxx.89 host

Verify VPN Status on Cisco Router

Besides checking that the SA is READY, compare the algorithms the router reports for the SA with what was configured: the output below reports DH Grp:5, while the proposal above configures group 2, so confirm which proposal the peers actually selected.

#sho crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         31.xxx.xxx.48/4500   none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/150 sec

#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F          Username        Group/Phase1_id          Uptime   Status  Gi4                           00:03:05 UA
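Reading the negotiated parameters out of `show crypto ikev2 sa` and comparing them with the strongSwan proposal is a quick way to catch exactly the kind of mismatch visible above. The following is an added example, not part of the original post and not Cisco or strongSwan tooling: it parses the `Encr: ... DH Grp:` line, translates Cisco's names into strongSwan proposal notation and reports every component that differs from the configured proposal. The sample output is constructed from the post's output with placeholder addresses; `parse_sa`, `to_strongswan` and `compare` are names chosen for this example, and only AES-CBC is mapped (GCM and other ciphers raise an error).

```python
"""Compare a negotiated IKEv2 SA (Cisco `show crypto ikev2 sa`) with a configured strongSwan proposal."""
import re

# Constructed sample, modelled on the post's output; addresses are placeholders.
SAMPLE_SA_OUTPUT = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         198.51.100.48/4500    203.0.113.104/4500    none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/150 sec
"""

# IANA DH group numbers as printed by IOS -> strongSwan keywords.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
             16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}
# IOS integrity names -> strongSwan keywords (HMAC-SHA1-96 is plain "sha1" in strongSwan).
HASHES = {"SHA96": "sha1", "SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384",
          "SHA512": "sha512", "MD5": "md5"}
PRFS = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512", "MD5": "md5"}

SA_LINE = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*PRF:\s*(\S+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+)")


def parse_sa(output):
    """Algorithm fields of the first SA in the output, as IOS prints them."""
    m = SA_LINE.search(output)
    if not m:
        raise ValueError("no IKEv2 SA algorithm line found")
    encr, keysize, prf, integ, grp = m.groups()
    return {"encr": encr, "keysize": int(keysize), "prf": prf, "hash": integ, "dh": int(grp)}


def negotiated_fields(output):
    """Negotiated SA mapped to strongSwan keywords per component."""
    sa = parse_sa(output)
    if sa["encr"] != "AES-CBC":
        raise ValueError(f"unhandled encryption algorithm {sa['encr']}")
    return {"encryption": f"aes{sa['keysize']}", "integrity": HASHES[sa["hash"]],
            "prf": PRFS[sa["prf"]], "dh": DH_GROUPS[sa["dh"]]}


def to_strongswan(output):
    """Negotiated SA in strongSwan proposal notation, e.g. aes256-sha1-modp1536."""
    f = negotiated_fields(output)
    parts = [f["encryption"], f["integrity"]]
    if f["prf"] != f["integrity"]:          # strongSwan defaults the PRF to the integrity algorithm
        parts.append("prf" + f["prf"])
    parts.append(f["dh"])
    return "-".join(parts)


def parse_proposal(proposal):
    """Split a strongSwan IKE proposal string into the same per-component fields."""
    enc, *rest = proposal.split("-")
    fields = {"encryption": enc, "integrity": None, "prf": None, "dh": None}
    for tok in rest:
        if tok.startswith("prf"):
            fields["prf"] = tok[3:]
        elif tok.startswith(("modp", "ecp", "curve")):
            fields["dh"] = tok
        else:
            fields["integrity"] = tok
    fields["prf"] = fields["prf"] or fields["integrity"]
    return fields


def compare(output, configured):
    """List (component, negotiated, configured) for every component that differs."""
    got, want = negotiated_fields(output), parse_proposal(configured)
    return [(k, got[k], want[k]) for k in want if got[k] != want[k]]


if __name__ == "__main__":
    print("negotiated:", to_strongswan(SAMPLE_SA_OUTPUT))
    for component, got, want in compare(SAMPLE_SA_OUTPUT, "aes256-sha1-modp1024"):
        print(f"mismatch in {component}: router reports {got}, configuration says {want}")
```

With the post's proposal `aes256-sha1-modp1024` the comparison returns a single difference in the DH component (modp1536 negotiated versus modp1024 configured); an empty result means the SA was built from the intended proposal.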


Further reading

Cisco document: example config between strongSwan and Cisco router (IKEv1 and IKEv2)

strongSwan’s official example of IKEv2 with pre-shared keys