Setting Up StrongSwan for Site-to-Site IPsec VPN

StrongSwan is an open-source IPsec-based VPN solution that provides secure communication between two or more networks. In this guide, we’ll walk through the steps to set up StrongSwan on Ubuntu for a site-to-site IPsec VPN.

Prerequisites

Before we begin, ensure you have the following:

  • Two Ubuntu servers (Server A and Server B) with public IP addresses.
  • Inbound firewall rules allowing UDP ports 500 (IKE) and 4500 (NAT traversal) on both servers; if no NAT sits between the peers, ESP (IP protocol 50) must be allowed as well.
  • Basic knowledge of networking and IPsec.

Step 1: Install StrongSwan

Update the repository indexes and install StrongSwan on both servers:

$ apt update && apt upgrade -y
$ apt install strongswan -y

Step 2: Configure Kernel Parameters

Append the required kernel parameters to /etc/sysctl.conf (IP forwarding on, ICMP redirects off) and load them:

$ cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

$ sysctl -p /etc/sysctl.conf

Step 3: Generate Preshared Key

Generate the preshared key once and use the same value on both servers for authentication:

$ openssl rand -base64 64
<generated_preshared_key_from_server>

Step 4: Configure Server A

Edit the /etc/ipsec.secrets file on Server A:

$ cat /etc/ipsec.secrets
<server_public_ip> <client_public_ip> : PSK "<generated_preshared_key_from_server>"

Configure the VPN connection in /etc/ipsec.conf on Server A:

$ cat /etc/ipsec.conf
# basic configuration
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

# connection to Server B
conn server-to-client
        # authenticate with the PSK from /etc/ipsec.secrets
        authby=secret
        # local address is taken from the default route
        left=%defaultroute
        leftid=<server_public_ip>
        # network behind Server A, in CIDR notation (e.g. 10.0.1.0/24)
        leftsubnet=<server_private_ip>
        right=<client_public_ip>
        # network behind Server B, in CIDR notation (e.g. 10.0.2.0/24)
        rightsubnet=<client_private_ip>
        # trailing '!' restricts negotiation to exactly these proposals
        ike=aes256-sha2_256-modp4096!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=86400s
        lifetime=28800s
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        # install a trap policy; the tunnel is negotiated when matching traffic appears
        auto=route

Step 5: Configure Server B

Repeat Step 4 on Server B with the sides swapped: the same PSK goes into /etc/ipsec.secrets, and in /etc/ipsec.conf Server B's own public address and private network go into leftid/leftsubnet while Server A's go into right/rightsubnet. The ike and esp proposals must be identical on both sides.
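Before starting the daemons it is worth checking the two configuration files against each other. The script below is an added example, not part of this guide or of strongSwan: it parses the legacy ipsec.conf and ipsec.secrets syntax used in Steps 4 and 5, flags weak or non-strict proposals, subnets that are a single host rather than a network, and short PSKs, and verifies that Server B's conn is the mirror image of Server A's. The addresses, subnets and PSK in it are constructed sample values, and render_conf reproduces only the security-relevant settings of the guide's conn section.

```python
"""Added example: lint a site-to-site strongSwan configuration pair.
Parses the legacy ipsec.conf / ipsec.secrets syntax used in this guide, flags weak or
non-strict proposals, non-CIDR subnets and short PSKs, and checks that Server B's conn
mirrors Server A's. All addresses and the PSK are constructed sample values."""
import ipaddress
import re

WEAK_TOKENS = {"des", "3des", "md5", "sha1", "null", "modp768", "modp1024", "modp1536"}
MIN_PSK_CHARS = 32  # 'openssl rand -base64 64' yields 88 characters

def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn <name>': {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = section header
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None:          # indented line = key=value setting
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def parse_ipsec_secrets(text):
    """Return [(id_a, id_b, psk)] for every 'idA idB : PSK "..."' line."""
    pat = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def proposal_findings(key, proposal):
    """Flag a non-strict proposal (no trailing '!') and every weak algorithm token."""
    out = [] if proposal.endswith("!") else [f"{key}: not strict, default proposals are offered too"]
    for prop in proposal.rstrip("!").split(","):
        out += [f"{key}: weak algorithm '{t}'" for t in prop.split("-") if t.lower() in WEAK_TOKENS]
    return out

def lint_conn(conn):
    """Findings for one conn section given as a {key: value} dict."""
    findings = []
    for key in ("ike", "esp"):
        findings += proposal_findings(key, conn[key]) if key in conn else [f"{key}: not set"]
    for key in ("leftsubnet", "rightsubnet"):
        for part in conn.get(key, "").split(","):
            try:
                net = ipaddress.ip_network(part.strip(), strict=False)
            except ValueError:
                findings.append(f"{key}: '{part}' is not an IP network in CIDR form")
                continue
            if net.prefixlen == net.max_prefixlen:
                findings.append(f"{key}: single host {net.network_address}, expected the whole LAN")
    return findings

def lint_psk(secrets):
    return [f"PSK for {a} {b}: only {len(p)} chars, generate a long random key"
            for a, b, p in secrets if len(p) < MIN_PSK_CHARS]

def check_mirror(a, b):
    """Server B's conn must swap the sides of Server A's and keep identical proposals."""
    pairs = (("leftid", "right"), ("right", "leftid"),
             ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"))
    findings = [f"mirror: A.{ka}={a.get(ka)!r} != B.{kb}={b.get(kb)!r}"
                for ka, kb in pairs if a.get(ka) != b.get(kb)]
    return findings + [f"mirror: {k} differs between A and B"
                       for k in ("ike", "esp", "authby") if a.get(k) != b.get(k)]

def lint_site(conf_a, secrets_a, conf_b, secrets_b, conn="server-to-client"):
    """All findings for the pair; an empty list means every check passed."""
    a = parse_ipsec_conf(conf_a).get(f"conn {conn}", {})
    b = parse_ipsec_conf(conf_b).get(f"conn {conn}", {})
    sa, sb = parse_ipsec_secrets(secrets_a), parse_ipsec_secrets(secrets_b)
    findings = [f"A: {f}" for f in lint_conn(a)] + [f"B: {f}" for f in lint_conn(b)]
    findings += lint_psk(sa) + lint_psk(sb) + check_mirror(a, b)
    if {p for _, _, p in sa} != {p for _, _, p in sb}:
        findings.append("PSK differs between the two ipsec.secrets files")
    return findings

def render_conf(local_ip, local_net, remote_ip, remote_net,
                ike="aes256-sha2_256-modp4096!", esp="aes256-sha2_256!"):
    """Render the security-relevant part of the guide's conn for one side (sides swap for B)."""
    return (f"conn server-to-client\n        authby=secret\n        left=%defaultroute\n"
            f"        leftid={local_ip}\n        leftsubnet={local_net}\n"
            f"        right={remote_ip}\n        rightsubnet={remote_net}\n"
            f"        ike={ike}\n        esp={esp}\n        auto=route\n")

# Constructed sample values (RFC 5737 public addresses, RFC 1918 private subnets).
A_IP, A_NET = "203.0.113.10", "10.0.1.0/24"
B_IP, B_NET = "198.51.100.20", "10.0.2.0/24"
PSK = "constructedSamplePsk0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ"
CONF_A, CONF_B = render_conf(A_IP, A_NET, B_IP, B_NET), render_conf(B_IP, B_NET, A_IP, A_NET)
SECRETS_A, SECRETS_B = f'{A_IP} {B_IP} : PSK "{PSK}"\n', f'{B_IP} {A_IP} : PSK "{PSK}"\n'
# A deliberately weak Server A: a host address instead of a subnet and a legacy, non-strict proposal.
CONF_A_BAD = render_conf(A_IP, "10.0.1.5", B_IP, B_NET, ike="aes128-sha1-modp1024")

if __name__ == "__main__":
    print("good pair:", lint_site(CONF_A, SECRETS_A, CONF_B, SECRETS_B) or "no findings")
    for finding in lint_site(CONF_A_BAD, SECRETS_A, CONF_B, SECRETS_B):
        print("bad pair:", finding)
```

Run it as-is to see the mirrored pair pass and the weakened Server A produce findings; to lint real files, pass the contents of each server's /etc/ipsec.conf and /etc/ipsec.secrets to lint_site. The parser only understands the `#`-comment, indented key=value layout shown in this guide, not `include` directives.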

Step 6: Start the VPN

Start the StrongSwan service on both servers:

$ sudo systemctl start strongswan

Step 7: Verify the VPN

Check the status of the VPN connection on both servers:

$ sudo ipsec status

Test connectivity by pinging the private address of the opposite server from a host inside the local private network (or from the gateway itself with ping -I <server_private_ip>, so the packet's source matches the tunnel policy and triggers negotiation):

$ ping <opposite_server_private_ip>

Conclusion

Congratulations! You’ve successfully set up StrongSwan for a site-to-site IPsec VPN between two Ubuntu servers. StrongSwan provides a secure and reliable way to establish encrypted communication channels between networks, ensuring the confidentiality and integrity of data transmitted over the VPN.
