Peer to Peer IPSEC VPN with StrongSwan

This will walk you through setting up an IPsec VPN between 2 networks, using 2 hosts (one in each network) running strongswan to build the tunnel.

This was my go-to solution to connect Amazon AWS VPCs across regions… that is, until AWS allowed peering VPCs across regions in December of 2018. So connecting VPCs using peering is preferred over having 2 machines (1 per VPC) running 24×7 to maintain the connections.

The thing to remember about IPsec is that the subnets of the networks you connect must not overlap. Ideally each location taking part in the peer-to-peer VPN has its own unique CIDR. There are methods to handle overlapping subnets, but that is another post.

In this example, we have 2 networks.
In Virginia Network 1 is 10.32.252.0/24
In Ohio Network 2 is 10.33.252.0/24

We want to bridge the 2 networks together.

We need to create a host in each network. The host must have a private IP and a public IP. You may use a physical host with 2 interfaces, or a host with a single internal IP that has a one-to-one NAT to a public IP with all protocols forwarded. Either way works for this solution.

On network 1, let us create a host with 10.32.252.150 as its private IP and 1.1.1.1 as its public IP.
On network 2, let us create a host with 10.33.252.150 as its private IP and 2.2.2.2 as its public IP.

On each host, install strongswan:

apt-get install strongswan

Edit the config files for each host as follows:

VA Side (private 10.32.252.150, public 1.1.1.1):
####################################
# /etc/ipsec.conf
#
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no

conn net-net
left=10.32.252.150
leftsubnet=10.32.0.0/16
leftid=@va
leftfirewall=yes
right=2.2.2.2
rightsubnet=10.33.0.0/16
rightid=@oh
auto=route
####################################
# /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
@va @oh : PSK "secret"

Then on the other side:

OH Side (private 10.33.252.150, public 2.2.2.2):
#############################################
# /etc/ipsec.conf

config setup

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no

conn net-net
left=10.33.252.150
leftsubnet=10.33.0.0/16
leftid=@oh
leftfirewall=yes
right=1.1.1.1
rightsubnet=10.32.0.0/16
rightid=@va
auto=route
###############################################
# /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

@oh @va : PSK "secret"
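The two ipsec.conf files above have to mirror each other (one side's left* is the other side's right*) and, as noted earlier, the two subnets must not overlap. The following is an added example (not code from this post or from the strongswan project) that parses both conn sections and checks exactly those properties, including the case where a subnet line is missing, in which strongswan falls back to the host address /32 and you get a host-to-host rather than net-to-net tunnel. The VA_CONF and OH_CONF strings are constructed copies of the conn sections shown above; the function names are my own.

```python
import ipaddress
import re

# Constructed copies of the conn sections from the two /etc/ipsec.conf
# files on this page (VA side and OH side).
VA_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    authby=secret
    keyexchange=ikev2

conn net-net
    left=10.32.252.150
    leftsubnet=10.32.0.0/16
    leftid=@va
    leftfirewall=yes
    right=2.2.2.2
    rightsubnet=10.33.0.0/16
    rightid=@oh
    auto=route
"""

OH_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    authby=secret
    keyexchange=ikev2

conn net-net
    left=10.33.252.150
    leftsubnet=10.33.0.0/16
    leftid=@oh
    leftfirewall=yes
    right=1.1.1.1
    rightsubnet=10.32.0.0/16
    rightid=@va
    auto=route
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)$")

def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {'conn net-net': {key: value}, ...}.
    Trailing '#' comments are dropped and indentation is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    """Return a conn's settings with 'conn %default' values filled in."""
    conn = dict(sections.get("conn %default", {}))
    conn.update(sections[f"conn {name}"])
    return conn

def check_peer_pair(conf_a, conf_b, name="net-net"):
    """Compare one conn across both peers; return a list of problems
    (empty when the pair is consistent)."""
    a = effective_conn(parse_ipsec_conf(conf_a), name)
    b = effective_conn(parse_ipsec_conf(conf_b), name)
    problems = []
    # IKE parameters both ends must agree on.
    for key in ("keyexchange", "authby", "ikelifetime", "keylife"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: A={a.get(key)} B={b.get(key)}")
    # Each side's left* must be the other side's right*.  Addresses are not
    # compared: 'left' is the private address while the peer's 'right' is
    # the public (NATed) address, so those legitimately differ.
    for key in ("id", "subnet"):
        if a.get("left" + key) != b.get("right" + key):
            problems.append(f"A left{key}={a.get('left' + key)} but B right{key}={b.get('right' + key)}")
        if b.get("left" + key) != a.get("right" + key):
            problems.append(f"B left{key}={b.get('left' + key)} but A right{key}={a.get('right' + key)}")
    # Traffic selectors: both subnets must be present and must not overlap.
    for label, conn in (("A", a), ("B", b)):
        nets = []
        for side in ("left", "right"):
            if side + "subnet" not in conn:
                # strongswan falls back to the host address /32 here, giving a
                # host-to-host tunnel instead of a net-to-net one.
                problems.append(f"{label}: {side}subnet missing (defaults to host /32)")
            else:
                nets.append(ipaddress.ip_network(conn[side + "subnet"], strict=False))
        if len(nets) == 2 and nets[0].overlaps(nets[1]):
            problems.append(f"{label}: leftsubnet {nets[0]} overlaps rightsubnet {nets[1]}")
    return problems
```

Running check_peer_pair(VA_CONF, OH_CONF) returns an empty list for the configs on this page; change one side's leftsubnet to the other network's CIDR and it reports both the mirror mismatch and the overlap.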

This is added to both hosts:

#############################################
# both hosts:
#####################################
# /etc/sysctl.conf
# Add the following:

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

After editing sysctl.conf, reload it so the changes take effect:

######################################
# Reload sysctl
$ sysctl -p

Now that AWS offers cross-region VPC peering, the need for dedicated VPNs isn't as pressing. But if you do use this with AWS hosts, you need to disable the source/destination check (the host check) on the EC2 instance.

In AWS, the traffic destined for the far end of the VPN tunnel must be routed to the IP of the local VPN endpoint. You do this using a route table assigned to the subnet. Once the source/destination check is disabled on the EC2 instance, its IP becomes eligible as a routing target. Create the route entry for the remote network in the route table assigned to the subnet.

To test the VPN, use the following commands.

########################
# Testing
ipsec up net-net
ipsec statusall
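What you want to see in `ipsec statusall` after `ipsec up net-net` is an ESTABLISHED IKE_SA, an INSTALLED CHILD_SA, and traffic selectors equal to the two configured subnets. The following is an added example (not from this post or from strongswan) that reduces that output to those three facts so the check can be scripted. Both status samples are constructed to match the format of strongswan's output; they were not captured from the hosts above and the SPIs are made up, and the function names are my own.

```python
import re

# Constructed sample of `ipsec statusall` on the VA host after `ipsec up
# net-net` succeeded.  Modelled on strongswan's output format; it was not
# captured from the hosts on this page and the SPIs are invented.
STATUS_UP = """\
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0, x86_64):
  uptime: 4 minutes, since Jan 01 00:00:00 2019
Listening IP addresses:
  10.32.252.150
Connections:
     net-net:  10.32.252.150...2.2.2.2  IKEv2
     net-net:   local:  [va] uses pre-shared key authentication
     net-net:   remote: [oh] uses pre-shared key authentication
     net-net:   child:  10.32.0.0/16 === 10.33.0.0/16 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL, reqid 1
     net-net{1}:   10.32.0.0/16 === 10.33.0.0/16
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 3 minutes ago, 10.32.252.150[va]...2.2.2.2[oh]
     net-net[1]: IKEv2 SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 51 minutes
     net-net{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
     net-net{2}:   10.32.0.0/16 === 10.33.0.0/16
"""

# Same host with the policy installed by auto=route but no SA negotiated yet
# (constructed; this is what you see before `ipsec up` or the first packet).
STATUS_ROUTED_ONLY = """\
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL, reqid 1
     net-net{1}:   10.32.0.0/16 === 10.33.0.0/16
Security Associations (0 up, 0 connecting):
  none
"""

IKE_RE = re.compile(r"^\s*(\S+)\[\d+\]:\s+(\w+)")          # net-net[1]: ESTABLISHED ...
CHILD_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\w+)")       # net-net{2}:  INSTALLED, ...
TS_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+)\s+===\s+(\S+)")  # net-net{2}: a === b

def parse_statusall(text, conn="net-net"):
    """Reduce `ipsec statusall` output to the facts that matter for a
    net-to-net tunnel: IKE_SA state, CHILD_SA state, traffic selectors."""
    state = {"ike": None, "child": None, "routed": False, "selectors": []}
    in_sas, child_ids = False, set()
    for line in text.splitlines():
        if line.startswith("Security Associations"):
            in_sas = True
            continue
        if line.startswith("Routed Connections"):
            in_sas = False
            continue
        m = TS_RE.match(line)            # selector lines of an installed CHILD_SA
        if m:
            if m.group(1) == conn and m.group(2) in child_ids:
                state["selectors"].append((m.group(3), m.group(4)))
            continue
        m = CHILD_RE.match(line)
        if m and m.group(1) == conn:
            if m.group(3) == "ROUTED":
                state["routed"] = True
            elif in_sas:
                state["child"] = m.group(3)
                child_ids.add(m.group(2))
            continue
        m = IKE_RE.match(line)           # first IKE_SA line carries the state
        if m and m.group(1) == conn and in_sas and state["ike"] is None:
            state["ike"] = m.group(2)
    return state

def check_tunnel(text, local_subnet, remote_subnet, conn="net-net"):
    """Return the reasons the tunnel is not carrying the expected traffic
    (empty when the net-to-net tunnel is fully up)."""
    s = parse_statusall(text, conn)
    problems = []
    if s["ike"] != "ESTABLISHED":
        problems.append(f"IKE_SA not established (state={s['ike']}); check reachability of the peer's public IP and the PSK")
    if s["child"] != "INSTALLED":
        problems.append(f"CHILD_SA not installed (state={s['child']})")
    if (local_subnet, remote_subnet) not in s["selectors"]:
        problems.append(f"no CHILD_SA for {local_subnet} === {remote_subnet}; compare leftsubnet/rightsubnet on both peers")
    if not s["routed"]:
        problems.append("policy not routed; auto=route is not in effect for this conn")
    return problems
```

On a real host, feed it the captured text (for example `check_tunnel(subprocess.check_output(["ipsec", "statusall"], text=True), "10.32.0.0/16", "10.33.0.0/16")` on the VA side, with the subnets swapped on the OH side); an empty list means the tunnel matches the configuration on this page.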

5 Responses to Peer to Peer IPSEC VPN with StrongSwan

  1. Aditya Sharma says:

    Could you please let me know of the configuration in case of overlapping subnets? I have a situation where the remote side has the same subnet as on my side. So I want to NAT the subnet from my end to a different subnet.

  2. Aditya sharma says:

    I read the solution. However, my infra is in AWS and I can't assign an arbitrary address to the new interface. I just want my /25 local network to be NATed and then go through the tunnel, and the same is reverse translated for the response. Basically, the remote addresses need not be NATed; NATing is required only at my end. Any idea on that?

    • mike says:

      In AWS that’s a problem. Any IPsec with overlapping subnets requires some sort of NAT. For AWS, instead of an IPsec tunnel, I would recommend recreating one of the VPCs with a unique CIDR. Then use VPC peering to create the link between the 2 VPCs. It eliminates the need for a custom solution and erases the expense of having 2 hosts running 24/7 ($$$). I think that’s going to be your best solution for AWS. Please open an issue in the SLSMK Forums if you want more detailed help.

  3. Rafael Frometa says:

    We are trying to build a VPN from a strongswan (in an Ubuntu server in AWS) to our Cisco ASA in our office network. In the ASA we have a server (private IP 172.16.3.7 NATed to a public IP: 66.172.xxx.71); in the strongswan something similar: private IP 10.0.101.11 NATed to 3.22x.xx.180. Phase I is up but not phase II: error: no matching CHILD_SA config found for 66.172.xxx.71/32 === 3.22x.xx.180/32

    Configuration in the strongswan:
    conn vpn_tunnel11
    also=wuikesettings
    #leftfirewall=yes
    left=3.22x.xx.180
    leftid=3.22x.xx.180
    leftsourceip=10.0.101.11
    right=66.172.xxx.71
    rightid=66.172.xxx.71
    rightsourceip=172.16.3.7
    auto=route

    Note 1: In wuikesettings we have the routers configs, they are fine: phase I is up.
    Note 2: I tested the configuration in the ASA against a Cisco router: it works.
