Configure strongSwan VPN With Smallstep
This configuration was tested with strongSwan 5.9.13.
Configure strongSwan to accept Smallstep-issued Client Certificates
In this section, you'll configure strongSwan to use full EAP-TLS client authentication with Smallstep client certificates.
-
In Smallstep, under Mobile Devices, create (or go to) the Device Collection for the devices that will be VPN clients.
-
Under the Accounts tab, add a VPN Account.
- For Connection Type, choose
IKEv2 with IPSec
- For Key Type, choose
RSA_2048
- Add your Remote Address and Remote ID
- Choose Save
- For Connection Type, choose
-
Once you’ve created the VPN Account, download the Root CA Certificate from the VPN Settings page. This is the CA your clients will get certificates from.
-
Copy the Root CA certificate you just downloaded into
/etc/swanctl/x509ca/accounts_root_ca.crt
on your strongSwan servers. -
In
/etc/swanctl/swanctl.conf
, update theconnections.<conn>.remote
section to look like:remote { id = %any cacerts = accounts_root_ca.crt auth = eap-tls }
You can constrain the IKE
id
to match a subject name from the certificate, if you wish. See the strongSwan documentation for details. -
Restart strongSwan. You now have client EAP-TLS authentication for your VPN!
For testing, you can get a certificate from the Accounts CA using the Smallstep UI. Visit Certificate Manager → Authorities → Smallstep Accounts CA, and get a certificate on that page.
To deploy and manage certificates for strongSwan to all your VPN clients, you can use MDM or the Smallstep agent app.
Configure strongSwan with a Server TLS Certificate
In this section, you'll configure a strongSwan Server TLS certificate issued from your Smallstep CA.
-
Add a Virtual Machine Collection in Smallstep, for your VPN servers
-
Install
step-agent
on a VPN server, and make sure it is running as a service and is connected to Smallstep. -
Add a Workload Collection for your strongSwan server, selecting Custom Client and Server as the Workload Type.
-
When creating the Workload Collection, use Advanced Settings to select the following:
- Key Type: 2048-bit RSA (for maximum compatibility)
- Server certificate location:
/etc/swanctl/x509/vpn.crt
- Server key location:
/etc/swanctl/private/vpn.key
- Reload method: systemd
- Unit name:
strongswan.service
You may need to adjust the user, group, or file locations to match your specific OS and distribution.
-
Deploy the new Workload Collection.
-
Confirm that the Smallstep-managed certificate and private key for strongSwan appear on the VM, in
/etc/swanctl/x509/vpn.crt
and/etc/swanctl/private/vpn.key
. These will be managed and renewed by thestep-agent
process. -
The
vpn.crt
file is a PEM bundle containing the server certificate and the Workloads Intermediate CA certificate. strongSwan will only read the first certificate invpn.crt
. So, the Intermediate CA certificate will need to be in a separate file.Run the following to separate the two certificates:
sudo cat /etc/swanctl/x509/vpn.crt | sudo awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/{split_after=1} n==1{print > "/etc/swanctl/x509ca/intermediate.crt"}'
Run
step certificate inspect
to confirm that your Intermediate CA certificate was written to/etc/swanctl/x509ca/intermediate.crt
. -
Now let’s configure strongSwan to use your new server TLS certificate. In
/etc/swanctl/swanctl.conf
, yourconnections.<conn>.local
section should look like:local { auth = eap-tls certs = vpn.crt cacerts = intermediate.crt id = vpn.example.com }
The
cacerts
file is the Workload Intermediate CA certificate, for strongSwan to send in the TLS handshake. This allows the client to complete a trust chain back to the Workloads Root CA, which must be trusted by all clients (this is handled by Smallstep’s agent app).The
id
value should match the Subject Common Name in your server certificate. -
Restart strongSwan.
You should now have server authentication enabled.