In this lab, you will use StrongSwan on Linux to establish a secure Site-to-Site IPsec tunnel between two simulated branch offices, utilizing Pre-Shared Keys (PSK) for Phase 1 authentication and ESP for data encryption.
The ipsec.conf file defines the connection parameters, including the local and remote gateways, the subnets to be protected (leftsubnet/rightsubnet), and the authentication method.
💡 Pro-tip: Set auto=start in the connection definition so that StrongSwan attempts to bring the tunnel up as soon as the service starts (and again after a failure), instead of waiting for a manual `ipsec up`.
This command starts the IPsec daemon in the foreground so you can watch the IKE negotiation phases being logged in real time.
Once the tunnel is established, you must verify that both Phase 1 (IKE SA) and Phase 2 (IPsec SA) are active and that traffic is flowing through the encrypted tunnel.
⚠️ If Phase 1 succeeds but Phase 2 fails, the cause is almost always a mismatch between the two peers in either the protected subnets (leftsubnet/rightsubnet) or the Phase 2 proposal (the ESP encryption and integrity algorithms).
| Item | Protocol / Command | Function |
|---|---|---|
| Phase 1 | IKE | Authenticates the peers and sets up the secure channel (IKE SA) |
| Phase 2 | ESP | Encrypts the actual data payload (IPsec SA) |
| Status check | `ipsec status` | Lists the active SAs for verification |
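The following shell script is an added example for this lab, not configuration or code from the lab itself or from the strongSwan project. It ties together the two parts described above: it writes a minimal PSK site-to-site `ipsec.conf` (with the `ipsec.secrets` file that actually holds the PSK in strongSwan) and then classifies an `ipsec statusall` transcript as "both phases up", "Phase 1 only" or "nothing up", which is the distinction the warning above relies on. The gateway addresses, subnets, the connection name `branch-a-to-b`, the placeholder PSK and the three status transcripts are all constructed assumptions; the transcripts follow strongSwan's statusall layout but were not captured from a live system.

```shell
#!/bin/sh
# Added example, not part of the lab: build a PSK site-to-site strongSwan
# configuration and check an `ipsec statusall` transcript for both phases.
# Gateway addresses, subnets, the connection name "branch-a-to-b" and the
# PSK value are constructed placeholders (assumptions, not lab values).

# Write ipsec.conf and ipsec.secrets into directory $1.
write_ipsec_config() {
    dir="$1"
    cat > "$dir/ipsec.conf" <<'EOF'
config setup
    # IKE, kernel and config messages at level 2 for the foreground run
    charondebug="ike 2, knl 2, cfg 2"

conn branch-a-to-b
    keyexchange=ikev2
    # Phase 1 authenticates with the PSK stored in ipsec.secrets
    authby=secret
    # local gateway and the subnet behind it (placeholder addresses)
    left=203.0.113.10
    leftsubnet=10.1.0.0/24
    # remote gateway and the subnet behind it (placeholder addresses)
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    # Phase 1 (IKE) and Phase 2 (ESP) proposals; the peer must offer the same
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # bring the tunnel up as soon as the daemon starts
    auto=start
EOF
    cat > "$dir/ipsec.secrets" <<'EOF'
# local-id remote-id : PSK "secret"   (placeholder secret, replace it)
203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"
EOF
    # the PSK must not be readable by other local users
    chmod 600 "$dir/ipsec.secrets"
}

# Classify a saved `ipsec statusall` transcript for connection $1:
#   0 = IKE SA ESTABLISHED and CHILD SA INSTALLED (both phases up)
#   1 = IKE SA ESTABLISHED but no CHILD SA (Phase 2 failed: compare
#       leftsubnet/rightsubnet and the esp= proposal on both peers)
#   2 = no established IKE SA for this connection (Phase 1 never completed)
tunnel_phase_state() {
    conn="$1"; status_file="$2"
    grep -q "^$conn\[[0-9]*\]: ESTABLISHED" "$status_file" || return 2
    grep -q "^$conn{[0-9]*}: *INSTALLED" "$status_file" || return 1
    return 0
}

# Human-readable meaning of a tunnel_phase_state return code.
describe_state() {
    case "$1" in
        0) echo "Phase 1 and Phase 2 up: traffic is protected by ESP" ;;
        1) echo "Phase 1 up, Phase 2 missing: traffic selector/proposal mismatch" ;;
        *) echo "no IKE SA: authentication or reachability problem" ;;
    esac
}

# Three constructed transcripts in strongSwan's statusall layout (not
# captured from a live system), written into directory $1.
write_sample_status() {
    dir="$1"
    cat > "$dir/status_up.txt" <<'EOF'
Security Associations (1 up, 0 connecting):
branch-a-to-b[1]: ESTABLISHED 12 seconds ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
branch-a-to-b[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
branch-a-to-b{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80001_i c0a80002_o
branch-a-to-b{1}:   10.1.0.0/24 === 10.2.0.0/24
EOF
    cat > "$dir/status_phase1_only.txt" <<'EOF'
Security Associations (1 up, 0 connecting):
branch-a-to-b[1]: ESTABLISHED 12 seconds ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
branch-a-to-b[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
EOF
    cat > "$dir/status_down.txt" <<'EOF'
Security Associations (0 up, 1 connecting):
branch-a-to-b[1]: CONNECTING, 203.0.113.10[%any]...198.51.100.20[%any]
EOF
}

# Demonstration run: generate the config, then classify each transcript.
tmp=$(mktemp -d)
write_ipsec_config "$tmp"
write_sample_status "$tmp"
for f in status_up status_phase1_only status_down; do
    tunnel_phase_state branch-a-to-b "$tmp/$f.txt"; rc=$?
    echo "$f: $(describe_state "$rc")"
done
```

On a real gateway you would install the two generated files under `/etc/` on each peer (mirroring `left`/`right` and the subnets on the far side), start the daemon, and feed `ipsec statusall > status.txt` to `tunnel_phase_state`; a return code of 1 is exactly the "Phase 1 up, Phase 2 down" situation the warning above attributes to a subnet or proposal mismatch.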