
How to set up an IPsec L2L Site-to-Site VPN connection with strongSwan (Ubuntu-Cisco)

Diagram of a site to site vpn connection between a Home pc and a Branch Office network

A site-to-site VPN is a VPN connection created between two separate locations, so that geographically separate networks can be connected. For example, a Linux server can be connected to a local computer behind a virtual private network in a remote office.

STEP 1: Install the VPN Tool

On server A, run the following command to install strongswan

Linux:

apt install strongswan -y

STEP 2: Configure the VPN Tool

cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

STEP 3: Back up ipsec.conf and ipsec.secrets from previous connections

Linux:

cp /etc/ipsec.conf /etc/ipsec.conf.bkup
cp /etc/ipsec.secrets /etc/ipsec.secrets.bkup

STEP 4: Edit ipsec config

The config file is /etc/ipsec.conf. Paste the config below into it.

It is very important that all the values match on both the Linux and the Cisco side.

conn vpn
    keyexchange=ikev1
    aggressive=no
    authby=secret
    auto=route
    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024
    ikelifetime=28800
    left=LINUX_PUBLIC_IP_ADDRESS
    right=CISCO_PUBLIC_IP_ADDRESS

keyexchange = ike | ikev1 | ikev2
Method of key exchange: which protocol should be used to initialize the connection.
This value should match on both machines.

esp = <cipher suites>
comma-separated list of ESP encryption/authentication algorithms to be used for the connection

ike = <cipher suites>
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used

ikelifetime = 3h | <time>
how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated.

In my case I needed to set up a connection to a Cisco that was already set up.
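Since every value has to match the Cisco side, a small check is useful before bringing the tunnel up. The script below is an added example (not from the original post and not part of strongSwan): it parses the conn block in ipsec.conf format, compares it with the values read off the Cisco peer, and flags proposal members that are considered legacy today. The CISCO_SIDE values and the LEGACY set are assumptions.

```python
# Constructed sample of the conn block this page uses, with the indentation
# ipsec.conf(5) expects for parameter lines (not a live configuration).
LINUX_IPSEC_CONF = """\
conn vpn
    keyexchange=ikev1
    aggressive=no
    authby=secret
    auto=route
    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024
    ikelifetime=28800
    left=LINUX_PUBLIC_IP_ADDRESS
    right=CISCO_PUBLIC_IP_ADDRESS
"""

# Hypothetical values transcribed from the Cisco isakmp/ipsec policy.
CISCO_SIDE = {"keyexchange": "ikev1", "esp": "3des-sha1-modp1024",
              "ike": "3des-sha1-modp1024", "ikelifetime": "28800"}

# Algorithms strongSwan still accepts but that are considered legacy (assumed set).
LEGACY = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

def parse_conn(text, name):
    """Return the key=value parameters of the named conn section."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():              # unindented line = section header
            inside = line.split() == ["conn", name]
            continue
        if inside and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_conn(params, peer):
    """List mismatches against the peer and legacy algorithms in the proposals."""
    findings = []
    for key, peer_value in peer.items():
        if params.get(key) != peer_value:
            findings.append(f"mismatch: {key}={params.get(key)!r} vs peer {peer_value!r}")
    for key in ("ike", "esp"):
        for proposal in params.get(key, "").split(","):
            weak = sorted(LEGACY.intersection(proposal.split("-")))
            if weak:
                findings.append(f"legacy algorithms in {key}: {', '.join(weak)}")
    return findings
```

With the proposals from this page the check reports no mismatch but flags 3des, sha1 and modp1024 in both the IKE and ESP proposals; whether to keep them depends on what the Cisco peer can still negotiate.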

STEP 5: Establish The Connection

After setting up, we bring up the tunnel connection with the below command.

sudo ipsec up vpn # where 'vpn' is the connection name

You can check the status of the connection with the following commands:

sudo ipsec statusall
sudo ipsec status

The output shows the state of the tunnel. To restart ipsec, use:

sudo ipsec restart


Published in Linux, Security
