Setup a Site to Site IPsec VPN With Strongswan and PreShared Key Authentication

Today we will setup a Site to Site ipsec VPN with Strongswan, which will be configured with PreShared Key Authentication.

After our tunnels are established, we will be able to reach the private ips over the vpn tunnels.

Get the Dependencies:

Update your repository indexes and install strongswan:

12	$ apt update && sudo apt upgrade -y$ apt install strongswan -y

Set the following kernel parameters:

$ cat >> /etc/sysctl.conf << EOFnet.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0EOF$ sysctl -p /etc/sysctl.conf

Generate Preshared Key:

We will need a preshared key that both servers will use:

$ openssl rand -base64 6487zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ

Details of our 2 Sites:

Site A:

Location: Paris, FranceExternal IP: 51.15.139.201Internal IP: 10.10.27.1/24

Site B:

Location: Amsterdam, NetherlandsExternal IP: 51.15.44.48Internal IP: 10.9.141.1/24

Configure Site A:

We will setup our VPN Gateway in Site A (Paris), first to setup the /etc/ipsec.secrets file:

$ cat /etc/ipsec.secrets# source      destination51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Now to setup our VPN configuration in /etc/ipsec.conf:

cat /etc/ipsec.conf# basic configurationconfig setup        charondebug="all"        uniqueids=yes        strictcrlpolicy=no# connection to amsterdam datacenterconn paris-to-amsterdam  authby=secret  left=%defaultroute  leftid=51.15.139.201  leftsubnet=10.10.27.1/24  right=51.15.44.48  rightsubnet=10.9.141.1/24  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start

Firewall Rules:

$ sudo iptables -t nat -A POSTROUTING -s 10.9.141.0/24 -d 10.10.27.0/24 -j MASQUERADE

Configure Site B:

We will setup our VPN Gateway in Site B (Amsterdam), setup the /etc/ipsec.secrets file:

$ cat /etc/ipsec.secrets51.15.44.48 51.15.139.201 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

Next to setup our VPN Configuration:

cat /etc/ipsec.conf# basic configurationconfig setup        charondebug="all"        uniqueids=yes        strictcrlpolicy=no# connection to paris datacenterconn amsterdam-to-paris  authby=secret  left=%defaultroute  leftid=51.15.44.48  leftsubnet=10.9.141.1/24  right=51.15.139.201  rightsubnet=10.10.27.1/24  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start

Firewall Rules:

$ sudo iptables -t nat -A POSTROUTING -s 10.10.27.0/24 -d 10.9.41.0/24 -J MASQUERADE

Start the VPN:

Start the VPN on both ends:

1	$ sudo ipsec restart

Get the status of the tunnel, in this case we are logged onto our Site A (Paris) Server:

$ sudo ipsec statusSecurity Associations (1 up, 0 connecting):paris-to-amsterdam[2]: ESTABLISHED 14 minutes ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]paris-to-amsterdam{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8c868ee_i c9d58dbd_oparis-to-amsterdam{1}:   10.10.27.1/24 === 10.9.141.1/24

Test if we can see the remote end on its private range:

$ ping 10.9.141.97PING 10.9.141.97 (10.9.141.97) 56(84) bytes of data.64 bytes from 10.9.141.97: icmp_seq=1 ttl=64 time=14.6 ms

Set the service to start on boot:

1	$ sudo systemctl enable strongswan

Then your VPN should be setup correctly.

Other useful commands:

Start / Stop / Status:

$ sudo ipsec up connection-name$ sudo ipsec down connection-name$ sudo ipsec restart$ sudo ipsec status$ sudo ipsec statusall

Get the Policies and States of the IPsec Tunnel:

12	$ sudo ip xfrm state$ sudo ip xfrm policy

Reload the secrets, while the service is running:

1	$ sudo ipsec rereadsecrets

Check if traffic flows through the tunnel:

1	$ sudo tcpdump esp

Adding more connections to your config:

If you have to add another site to your config, the example of the ipsec.secrets will look like:

$ cat /etc/ipsec.secrets51.15.139.201 51.15.44.48 : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"51.15.139.201 51.15.87.41  : PSK "87zRQqylaoeF5I8o4lRhwvmUzf+pYdDpsCOlesIeFA/2xrtxKXJTbCPZgqplnXgPX5uprL+aRgxD8ua7MmdWaQ"

And the ipsec.conf:

cat /etc/ipsec.conf# basic configurationconfig setup        charondebug="all"        uniqueids=yes        strictcrlpolicy=no# connection to amsterdam datacenterconn paris-to-amsterdam  authby=secret  left=%defaultroute  leftid=51.15.139.201  leftsubnet=10.10.27.161/32  right=51.15.44.48  rightsubnet=10.9.141.97/32  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start# connection to frankfurt datacenterconn paris-to-frankfurt  authby=secret  left=%defaultroute  leftid=51.15.139.201  leftsubnet=10.10.27.1/24  right=51.15.87.41  rightsubnet=10.9.137.1/24  ike=aes256-sha2_256-modp1024!  esp=aes256-sha2_256!  keyingtries=0  ikelifetime=1h  lifetime=8h  dpddelay=30  dpdtimeout=120  dpdaction=restart  auto=start

Just remember to configure the config on the Frankfurt VPN Gateway, and the example of the status output will look like the following:

$ sudo ipsec statusSecurity Associations (2 up, 0 connecting):paris-to-frankfurt[2]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.87.41[51.15.87.41]paris-to-frankfurt{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc62a1f_i c95b8f78_oparis-to-frankfurt{1}:   10.10.27.1/24 === 10.9.137.1/24paris-to-amsterdam[1]: ESTABLISHED 102 seconds ago, 10.10.27.161[51.15.139.201]...51.15.44.48[51.15.44.48]paris-to-amsterdam{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7b36756_i cc54053c_oparis-to-amsterdam{2}:   10.10.27.1/24 === 10.9.141.1/24