This page covers common configuration steps for strongSwan deployments and adds a practical minimal production baseline.
If you followed the setup guide, your main configuration files are typically:
/etc/ipsec.conf
/etc/ipsec.secrets
Newer deployments may also use:
/etc/swanctl/swanctl.conf
/etc/ipsec.conf:

config setup
    uniqueids=yes

conn net-net
    auto=start
    keyexchange=ikev2
    type=tunnel
    authby=psk
    left=%defaultroute
    leftid=@vpn-a.example
    leftsubnet=10.10.0.0/24
    right=203.0.113.20
    rightid=@vpn-b.example
    rightsubnet=10.20.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=restart
    dpddelay=30s
/etc/ipsec.secrets:

@vpn-a.example @vpn-b.example : PSK "change-me-strong-psk"
Protect secret permissions:
sudo chmod 600 /etc/ipsec.secrets
sudo chown root:root /etc/ipsec.secrets
Key settings to check on both peers:
leftid, rightid, authby, secrets
leftsubnet, rightsubnet
ike, esp
dpdaction, dpddelay
Use consistent identities (@fqdn) on both peers to avoid mismatches.
Permit IKE and NAT traversal between the peers on the firewall (500/udp, 4500/udp).
Reload or restart strongSwan after config changes:
sudo systemctl restart strongswan
On some installs the service name is strongswan-starter:
sudo systemctl restart strongswan-starter
Confirm tunnel and security association state:
sudo ipsec statusall
sudo ipsec listalgs
Check routes and reachability across the tunnel:
ip route
ping -c 3 10.20.0.1
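Before the restart, a pre-flight check of the settings listed above catches the most common causes of a failed negotiation: a leftid/rightid that does not appear on the PSK line of ipsec.secrets, the placeholder PSK left in place, ike/esp proposals without the strict "!" suffix, and a secrets file that is not mode 600. The script below is an added example, not part of the strongSwan project and not code from this page; it parses the legacy ipsec.conf/ipsec.secrets format shown above and runs against constructed sample files in a temporary directory, so it needs no strongSwan installation. The function names, the sample PSK value and the deliberately broken second sample are assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight lint for a strongSwan net-net PSK configuration (added example,
# not part of the strongSwan project). Checks: identities in ipsec.secrets match
# leftid/rightid, the PSK is not the sample placeholder and has some length,
# ike/esp proposals are strict ("!"), and ipsec.secrets is mode 600.

# conf_value FILE KEY -> prints the value of the first "KEY=value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_ids CONF SECRETS: leftid and rightid must both appear before ":" on a
# PSK line, otherwise the daemon cannot select a key for this peer pair.
check_ids() {
    lid=$(conf_value "$1" leftid)
    rid=$(conf_value "$1" rightid)
    [ -n "$lid" ] && [ -n "$rid" ] || return 1
    awk -v a="$lid" -v b="$rid" '
        /: PSK/ { fa = 0; fb = 0
            for (i = 1; i <= NF; i++) {
                if ($i == ":") break
                if ($i == a) fa = 1
                if ($i == b) fb = 1
            }
            if (fa && fb) found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# check_psk SECRETS: reject the sample placeholder and very short secrets.
check_psk() {
    psk=$(sed -n 's/.*: PSK "\(.*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$psk" ] || return 1
    case "$psk" in change-me*) return 1 ;; esac
    [ "${#psk}" -ge 20 ]
}

# check_strict CONF: ike= and esp= must end in "!" so that no default
# proposals are offered in addition to the configured ones.
check_strict() {
    for key in ike esp; do
        case "$(conf_value "$1" "$key")" in
            *'!') ;;
            *) return 1 ;;
        esac
    done
}

# check_mode SECRETS: exact mode 600 (find -perm without a leading "-" is an
# exact match and is POSIX).
check_mode() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# lint_config CONF SECRETS: run every check, report, non-zero if any failed.
lint_config() {
    rc=0
    check_ids "$1" "$2" && echo "ok   identities match secrets" || { echo "FAIL identities vs secrets"; rc=1; }
    check_psk "$2"      && echo "ok   PSK is not a placeholder" || { echo "FAIL weak or placeholder PSK"; rc=1; }
    check_strict "$1"   && echo "ok   ike/esp proposals strict" || { echo "FAIL non-strict proposals"; rc=1; }
    check_mode "$2"     && echo "ok   secrets file mode 600"    || { echo "FAIL secrets not mode 600"; rc=1; }
    return $rc
}

# --- constructed sample files (not real deployment files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD_CONF="$TMP/good.conf"; GOOD_SECRETS="$TMP/good.secrets"
BAD_CONF="$TMP/bad.conf";   BAD_SECRETS="$TMP/bad.secrets"

cat > "$GOOD_CONF" <<'EOF'
config setup
    uniqueids=yes

conn net-net
    auto=start
    keyexchange=ikev2
    authby=psk
    leftid=@vpn-a.example
    leftsubnet=10.10.0.0/24
    right=203.0.113.20
    rightid=@vpn-b.example
    rightsubnet=10.20.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
EOF
# Constructed PSK value for the example, not a real secret.
printf '%s\n' '@vpn-a.example @vpn-b.example : PSK "constructed-example-psk-0123456789"' > "$GOOD_SECRETS"
chmod 600 "$GOOD_SECRETS"

# Bad sample: rightid differs from the secrets line, placeholder PSK,
# non-strict esp proposal, secrets file left readable by others.
sed 's/^[[:space:]]*rightid=.*/    rightid=@vpn-b.example.internal/; s/^[[:space:]]*esp=.*/    esp=aes256-sha256/' "$GOOD_CONF" > "$BAD_CONF"
printf '%s\n' '@vpn-a.example @vpn-b.example : PSK "change-me-strong-psk"' > "$BAD_SECRETS"
chmod 644 "$BAD_SECRETS"

echo "== good sample =="; lint_config "$GOOD_CONF" "$GOOD_SECRETS"
echo "== bad sample ==";  lint_config "$BAD_CONF" "$BAD_SECRETS" || echo "bad sample rejected as expected"
```

To use it on a live host, call lint_config with /etc/ipsec.conf and /etc/ipsec.secrets as root (the secrets file is mode 600, so an unprivileged user cannot read it); a non-zero exit means at least one check failed and the restart should wait.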
/etc/ipsec.conf and /etc/ipsec.secrets securely.