Skip to content

How to setup IPSEC L2L Site to Site VPN connection with Strongswan (Ubuntu-Cisco)

Published on February 19, 2020

Last updated on August 22, 2023

Diagram of a site to site vpn connection between a Home pc and a Branch Office network

A Site-to-site VPN is a type of VPN connection that is created between two separate locations. It provides the ability to connect geographically separate locations. for example a linux server can be connected to a local computer behind a virtual private network in a remote office.

STEP 1: Install the VPN Tool

On server A, run the following command to install strongswan

Linux:

apt install strongswan -y

STEP 2: Configure sysctl and iptables

cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

STEP 3: Backup Ipsec.conf and Ipsec.secrets for previous connections

Linux:

cp /etc/ipsec.conf /etc/ipsec.conf.bkup
cp /etc/ipsec.secrets /etc/ipsec.secrets.bkup

STEP 4: Edit ipsec config

You can find config file in /etc/ipsec.conf
Just paste the config below

It is very important that all the values match on both Linux and Cisco

config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
charondebug="all"

conn vpn
type=tunnel
keyexchange=ikev2
aggressive=no
authby=secret
auto=add
ike=aes256-sha1-modp1024
esp=aes128-sha1
ikelifetime=1440m
left=LINUX_PUBLIC_IP_ADDRESS
right=CISCO_PUBLIC_IP_ADDRESS
rightsubnet=CISCO_SUBNETS
dpddelay=300s
dpdtimeout=120s
dpdaction=restart
rekey=no
keylife=3600s
closeaction=restart

keyexchangeike | ikev1 | ikev2
method of key exchange; which protocol should be used to initialize the connection.
this value should match on both machines

esp = <cipher suites>
comma-separated list of ESP encryption/authentication algorithms to be used for the connection

ike = <cipher suites>
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used

ikelifetime = 3h | <time>
how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.

In my case I needed to setup connection to Cisco that already was setup.

STEP 5: Establish The Connection

After setting up, we bring up the tunnel connection with the below command.

sudo ipsec up vpn # where 'vpn' is the connection name

You can check the status of the connection with the following commands

sudo ipsec statusall
sudo ipsec status

The output will be as below:To restart ipsec , use:

sudo ipsec restart

 

Post Views: 15,032
Published inLinuxSecurity