CloudBridge Connector interoperability – StrongSwan

July 8, 2020

Contributed by: S

StrongSwan is an opensource IPSec implementation for Linux platforms. You can configure a CloudBridge Connector tunnel between a Citrix ADC appliance and a StrongSwan appliance to connect two datacenters or extend your network to a cloud provider. The Citrix ADC appliance and the StrongSwan appliance form the end points of the CloudBridge Connector tunnel and are called peers.

Example of a CloudBridge Connector tunnel configuration

As an illustration of the traffic flow in a CloudBridge Connector tunnel, consider an example in which a CloudBridge Connector tunnel is set up between the following devices:

Citrix ADC appliance NS_Appliance-1 in a datacenter designated as Datacenter-1
StrongSwan appliance StrongSwan-Appliance-1 in a datacenter designated as Datacenter-2

NS_Appliance-1 and StrongSwan-Appliance-1 enable communication between private networks in Datacenter-1 and Datacenter-2 through the CloudBridge Connector tunnel. In the example, NS_Appliance-1 and StrongSwan-Appliance-1 enable communication between client CL1 in Datacenter-1 and server S1 in Datacenter-2 through the CloudBridge Connector tunnel. Client CL1 and server S1 are on different private networks.

On NS_Appliance-1, the CloudBridge Connector tunnel configuration includes IPSec profile entity NS_StrongSwan_IPSec_Profile, CloudBridge Connector tunnel entity NS_StrongSwan_Tunnel, and policy based routing (PBR) entity NS_StrongSwan_Pbr.

localized image

The following table lists the settings used in this example.

Main settings of the CloudBridge Connector tunnel setup

Entity	Details
IP address of the CloudBridge Connector tunnel end point (NS_Appliance-1) in Datacenter-1	198.51.100.100
IP address of the CloudBridge Connector tunnel end point (StrongSwan-Appliance-1) in Datacenter-2	203.0.113.200
Datacenter–1’s subnet whose traffic is to be protected over the CloudBridge Connector tunnel	10.102.147.0/24
Datacenter–2’s subnet whose traffic is to be protected over the CloudBridge Connector tunnel	10.20.20.0/24

Settings on Citrix ADC appliance NS_Appliance-1 in Datacenter-1

SNIP1(for reference purposes only)	198.51.100.100
IPSec profile	NS_StrongSwan_IPSec_Profile	IKE version: v1, Encryption algorithm: AES, Hash algorithm: HMAC_SHA1
psk = examplepresharedkey (Note: This is an example of a pre-share key, for illustration. Citrix does not recommend to use this string in your CloudBridge Connector configuration)
CloudBridge Connector tunnel	NS_StrongSwan_Tunnel	Remote IP = 203.0.113.200, Local IP= 198.51.100.100, Tunnel protocol = IPSEC, IPSec profile= NS_StrongSwan_IPSec_Profile
Policy based route	NS_StrongSwan_Pbr	Source IP range = Subnet in the Datacenter-1=10.102.147.0-10.102.147.255, Destination IP range =Subnet in Datacenter-2=10.20.20.0-10.20.20.255, IP Tunnel = NS_StrongSwan_Tunnel

Points to consider for a CloudBridge Connector tunnel configuration

Before you begin configuring CloudBridge connector tunnel, make sure that:

You have a basic knowledge about linux configurations.
You have a basic Knowledge about IPSec protocol suite.
The StrongSwan appliance is UP and running, is connected to the Internet, and is also connected to the private subnets whose traffic is to be protected over the CloudBridge Connector tunnel.
The Citrix ADC appliance is UP and running, is connected to the Internet, and is also connected to the private subnets whose traffic is to be protected over the CloudBridge Connector tunnel.
The following IPSec settings are supported for a CloudBridge Connector tunnel between a Citrix ADC appliance and a StrongSwan appliance.
- IPSec mode: Tunnel mode
- IKE version: Version 1
- IKE authentication method: Pre-Shared Key
- IKE encryption algorithm: AES
- IKE hash algorithm: HMAC SHA1
- ESP encryption algorithm: AES
- ESP hash algorithm: HMAC SHA1
You must specify the same IPSec settings on the Citrix ADC appliance and the StrongSwan appliance at the two ends of the CloudBridge Connector tunnel.
Citrix ADC provides a common parameter (in IPSec profiles) for specifying an IKE hash algorithm and an ESP hash algorithm. It also provides another common parameter for specifying an IKE encryption algorithm and an ESP encryption algorithm. Therefore, in the StrongSwan appliance, you must specify the same hash algorithm and same encryption algorithm in IKE and ESP parameters in the IPSec.conf file.
You must configure the firewall at the Citrix ADC end and StrongSwan end to allow the following.
- Any UDP packets for port 500
- Any UDP packets for port 4500
- Any ESP (IP protocol number 50) packets

Configure StrongSwan for the CloudBridge Connector tunnel

To configure a CloudBridge connector tunnel between a Citrix ADC appliance and a StrongSwan appliance, perform the following tasks on the StrongSwan appliance:

Specify IPsec connection information in ipsec.conf file. ipsec.conf file defines all control and configuration information for IPsec connections in the strongSwan appliance.
Specify pre-shared key in ipsec.secrets file. ipsec.secrets file defines secrets for IKE/IPsec authentication for IPsec connections in the strongSwan appliance.

The procedures for configuring IPsec VPN (CloudBridge Connector tunnel) on a StrongSwan appliance might change over time, depending on the StrongSwan release cycle. Citrix recommends that you follow the official StrongSwan documentation for Configuring IPSec VPN tunnels.

Following sample excerpt of ipsec.conf file specifies IPsec information for setting up the IPsec VPN tunnel, described in Example of a CloudBridge Connector Configuration topic. For more information, see CloudBridge Connector Configuration pdf.

Following sample excerpt of ipsec.secrets file specifies the IKE authentication pre-shared key for setting up the IPsec VPN tunnel, described in Example of a CloudBridge Connector Configuration topic.

/etc/ipsec.secrets: PSK ‘examplepresharedkey’ #pre-shared key for IPsec IKE authentication`

Configuring the Citrix ADC appliance for the CloudBridge Connector tunnel

To configure a CloudBridge Connector tunnel between a Citrix ADC appliance and a StrongSwan appliance, perform the following tasks on the Citrix ADC appliance. You can use either the Citrix ADC command line or the Citrix ADC graphical user interface (GUI):

Create an IPSec profile. An IPSec profile entity specifies the IPSec protocol parameters, such as IKE version, encryption algorithm, hash algorithm, and authentication method to be used by the IPSec protocol in the CloudBridge Connector tunnel.
Create an IP tunnel that uses IPSec protocol, and associate the IPSec profile with it. An IP tunnel specifies the local IP address (CloudBridge Connector tunnel endpoint IP address (of type SNIP) configured on the Citrix ADC appliance), remote IP address (CloudBridge Connector tunnel endpoint IP address configured on the StrongSwan appliance), protocol (IPSec) used to set up the CloudBridge Connector tunnel, and an IPSec profile entity. The created IP tunnel entity is also called the CloudBridge Connector tunnel entity.
Create a PBR rule and associate it with the IP tunnel. A PBR entity specifies a set of rules and an IP tunnel (CloudBridge Connector tunnel) entity. The source IP address range and the destination IP address range are the conditions for the PBR entity. Set the source IP address range to specify the Citrix ADC-side subnet whose traffic is to be protected over the tunnel, and set the destination IP address range to specify the StrongSwan side subnet whose traffic is to be protected over the tunnel.

To create an IPSEC profile by using the Citrix ADC command line

At the command prompt, type:

add ipsec profile <name> -psk <string> -ikeVersion v1 -encAlgo AES -hashAlgo HMAC_SHA1
show ipsec profile <name>

To create an IPSEC tunnel and bind the IPSEC profile to it by using the Citrix ADC command line

At the command prompt, type:

add ipTunnel <name> <remote> <remoteSubnetMask> <local> -protocol IPSEC –ipsecProfileName <string>
show ipTunnel <name>

To create a PBR rule and bind the IPSEC tunnel to it by using the Citrix ADC command line

At the command prompt, type:

add pbr <pbrName> ALLOW –srcIP <subnet-range> -destIP <subnet-range> -ipTunnel <tunnelName>
apply pbrs
show pbr <pbrName>

To create an IPSEC profile by using the GUI

Navigate to System > CloudBridge Connector > IPSec Profile.
In the details pane, click Add.
In the Add IPSec Profile page, set the following parameters:
- Name
- Encryption Algorithm
- Hash Algorithm
- IKE Protocol Version
Configure the IPSec authentication method to be used by the two CloudBridge Connector tunnel peers to mutually authenticate: Select the Pre-shared key authentication method and set the Pre-Shared Key Exists parameter.
Click Create, and then click Close.

To create an IP tunnel and bind the IPSEC profile to it by using the GUI

Navigate to System > CloudBridge Connector > IP Tunnels.
On the IPv4 Tunnels tab, click Add.
In the Add IP Tunnel page, set the following parameters:
- Name
- Remote IP
- Remote Mask
- Local IP Type (In the Local IP Type drop-down list, select Subnet IP).
- Local IP (All the configured IP addresses of the selected IP type are in the Local IP drop-down list. Select the desired IP from the list.)
- Protocol
- IPSec Profile
Click Create, and then click Close.

To create a PBR rule and bind the IPSEC tunnel to it by using the GUI

Navigate to System > Network > PBR.
On the PBR tab, click Add.
In the Create PBR page, set the following parameters:
- Name
- Action
- Next Hop Type (Select IP Tunnel)
- IP Tunnel Name
- Source IP Low
- Source IP High
- Destination IP Low
- Destination IP High
Click Create, and then click Close.

The corresponding new CloudBridge Connector tunnel configuration on the Citrix ADC appliance appears in the GUI. The current status of the CloudBridge connector tunnel is shown in the Configured CloudBridge Connector pane. A green dot indicates that the tunnel is up. A red dot indicates that the tunnel is down. The following commands create settings of Citrix ADC appliance NS_Appliance-1 in “Example of a CloudBridge Connector Configuration:

    > add ipsec profile NS_StrongSwan_IPSec_Profile -psk examplepresharedkey -ikeVersion v1 –encAlgo AES –hashalgo HMAC_SHA1

    Done

    > add iptunnel NS_StrongSwan_Tunnel 203.0.113.200 255.255.255.255 198.51.100.100 –protocol IPSEC –ipsecProfileName NS_StrongSwan_IPSec_Profile

    Done

    > add pbr NS_StrongSwan_Pbr -srcIP 10.102.147.0-10.102.147.255 –destIP 10.20.0.0-10.20.255.255 –ipTunnel NS_StrongSwan_Tunnel

    Done

    > apply pbrs

    Done

Monitoring the CloudBridge Connector tunnel

You can monitor the performance of CloudBridge Connector tunnels on a Citrix ADC appliance by using CloudBridge Connector tunnel statistical counters. For more information about displaying CloudBridge Connector tunnel statistics on a Citrix ADC appliance, see Monitoring CloudBridge Connector Tunnels.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

CloudBridge Connector interoperability – StrongSwan

July 8, 2020

Contributed by: S

CloudBridge Connector interoperability – StrongSwan

Example of a CloudBridge Connector tunnel configuration

Points to consider for a CloudBridge Connector tunnel configuration

Configure StrongSwan for the CloudBridge Connector tunnel

Configuring the Citrix ADC appliance for the CloudBridge Connector tunnel

Monitoring the CloudBridge Connector tunnel

CloudBridge Connector interoperability – StrongSwan

In this article