In this lab, you will implement a Site-to-Site VPN using StrongSwan. You will configure the IKE (Internet Key Exchange) phases to establish a secure tunnel between two networks, simulating a branch office connection to a headquarters.
We begin by installing the StrongSwan suite (package `strongswan` on Debian/Ubuntu and on Fedora/EPEL) on both gateways and preparing the basic configuration for the two peers (Peer A and Peer B).
💡 StrongSwan reads its tunnel definitions from `/etc/ipsec.conf` (the legacy `stroke` interface, with pre-shared keys and certificates in `/etc/ipsec.secrets`) or, on current releases, from `/etc/swanctl/swanctl.conf` via the `vici` interface. This lab uses `ipsec.conf`.
Both sides must agree on the parameters of the Security Associations (SAs). The peers negotiate a proposal that fixes the encryption algorithm (here AES-256), the integrity algorithm (HMAC-SHA256) and the Diffie-Hellman group used for the key exchange. If the two proposal lists do not overlap, the negotiation fails with `NO_PROPOSAL_CHOSEN` and no tunnel comes up.
```
# /etc/ipsec.conf configuration for Peer A
conn site-to-site
    keyexchange=ikev2             # use IKEv2 (IKEv1 only if the peer requires it)
    authby=secret                 # pre-shared key, stored in /etc/ipsec.secrets
    left=10.0.1.1                 # Peer A's own (outer) address
    leftsubnet=192.168.1.0/24     # network behind Peer A
    right=10.0.2.1                # Peer B's (outer) address
    rightsubnet=192.168.2.0/24    # network behind Peer B
    ike=aes256-sha256-modp2048!   # IKE SA proposal, strict
    esp=aes256-sha256-modp2048!   # CHILD SA proposal, strict; the DH group enables PFS
    type=tunnel
    auto=start
```
Parameters inside a `conn` section must be indented. The `ike` line defines the IKE SA proposal (Phase 1 in IKEv1 terms): the authenticated, encrypted control channel over which the peers negotiate everything else. The `esp` line defines the CHILD SA proposal (Phase 2): the ESP SAs that actually carry the traffic between the two subnets. Listing a DH group on the `esp` line makes every CHILD SA rekey run a fresh key exchange (Perfect Forward Secrecy). The trailing `!` marks a proposal as strict: without it StrongSwan, when acting as responder, accepts any proposal it supports rather than only the one listed, so a weaker algorithm offered by the peer would be accepted. Peer B uses the same section with `left`/`leftsubnet` and `right`/`rightsubnet` swapped.
Using a PSK is common for Site-to-Site: keep it long and random, identical on both gateways, and store it in `/etc/ipsec.secrets` readable by root only. Certificate-based authentication (`authby=pubkey`) is stronger even between gateways, and for Remote Access VPNs, where many clients share one gateway and a leaked PSK cannot be revoked per user, certificates (EAP-TLS) are the far more secure choice.
| Parameter | Purpose | Recommended Value |
|---|---|---|
| IKE Version | Key exchange protocol | IKEv2 (`keyexchange=ikev2`) |
| Encryption | Data confidentiality | AES-GCM-256 |
| DH Group | Key agreement strength | Group 14 (modp2048) or 19 (ecp256) |
| Hash | Integrity | SHA2-256 |
The lab configuration above uses AES-256-CBC with HMAC-SHA256, which is still acceptable. AES-GCM is an AEAD cipher that provides its own integrity check, so in a StrongSwan proposal it replaces both the encryption and the hash entry, and the `ike` line must then name a PRF explicitly because there is no integrity algorithm to derive it from.
Once the service is restarted (`ipsec restart`), check the status with `ipsec statusall` (or `swanctl --list-sas` on the vici interface): the IKE SA must show ESTABLISHED and the CHILD SA INSTALLED, TUNNEL with the two subnets as its traffic selectors.
Ensure that the firewall on both gateways allows UDP port 500 (IKE), UDP port 4500 (NAT traversal: IKE and UDP-encapsulated ESP when a NAT sits in the path) and IP protocol 50 (ESP) from the peer address, otherwise the tunnel will never establish. Blocking UDP 500 leaves the connection stuck in CONNECTING; blocking only protocol 50 is more subtle, as IKE completes and the SAs show as established, yet no traffic crosses the tunnel. Decapsulated packets traverse the FORWARD chain as plain IP, so forwarding between 192.168.1.0/24 and 192.168.2.0/24 must be permitted as well.
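As an added example (not part of the lab material or StrongSwan itself), the following POSIX shell script ties the steps together: it renders the mirrored `conn` section for either gateway from one set of parameters, in both the lab's AES-CBC profile and the AES-GCM profile recommended in the table, writes the matching `ipsec.secrets` line, and checks `ipsec statusall` output for an established tunnel. The peer addresses are the lab's; the PSK handling, the function names and the two status-output samples are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the lab material: render the mirrored StrongSwan
# configuration for both gateways from one set of parameters and check the
# output of `ipsec statusall` for an established tunnel. The PSK handling and
# the sample status output below are constructed for this example.

# Lab topology (values from the lab text).
PEER_A_IP=10.0.1.1; PEER_A_NET=192.168.1.0/24
PEER_B_IP=10.0.2.1; PEER_B_NET=192.168.2.0/24

# gen_psk: 32 random bytes as 64 hex characters; never hand-type a PSK.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_conf <A|B> <cbc|gcm>: print the ipsec.conf 'conn' section for one
# gateway. left/right are swapped for Peer B so each side lists itself as left.
render_conf() {
    peer=$1; profile=$2
    if [ "$peer" = A ]; then
        l=$PEER_A_IP; lsub=$PEER_A_NET; r=$PEER_B_IP; rsub=$PEER_B_NET
    else
        l=$PEER_B_IP; lsub=$PEER_B_NET; r=$PEER_A_IP; rsub=$PEER_A_NET
    fi
    case $profile in
        # lab profile: AES-256-CBC, HMAC-SHA256, DH group 14 (modp2048)
        cbc) ike='aes256-sha256-modp2048!';       esp='aes256-sha256-modp2048!' ;;
        # AEAD profile from the table: AES-256-GCM carries its own integrity
        # check, so no hash is listed, but the IKE proposal must name a PRF;
        # ecp256 is DH group 19
        gcm) ike='aes256gcm16-prfsha256-ecp256!'; esp='aes256gcm16-ecp256!' ;;
        *)   echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    cat <<EOF
conn site-to-site
    keyexchange=ikev2
    authby=secret
    left=$l
    leftsubnet=$lsub
    right=$r
    rightsubnet=$rsub
    ike=$ike
    esp=$esp
    type=tunnel
    auto=start
EOF
}

# render_secrets <psk>: the /etc/ipsec.secrets line; identical on both peers,
# the file must be owned by root with mode 0600.
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$PEER_A_IP" "$PEER_B_IP" "$1"
}

# tunnel_up <conn>: read `ipsec statusall` output on stdin; succeed only when
# the IKE SA is ESTABLISHED and a CHILD SA is INSTALLED in TUNNEL mode.
tunnel_up() {
    conn=$1
    status=$(cat)
    printf '%s\n' "$status" | grep -Eq "^${conn}\[[0-9]+\]: ESTABLISHED" &&
    printf '%s\n' "$status" | grep -Eq "^${conn}\{[0-9]+\}: +INSTALLED, TUNNEL"
}

# Constructed samples of `ipsec statusall` output for exercising tunnel_up.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
site-to-site[1]: ESTABLISHED 2 minutes ago, 10.0.1.1[10.0.1.1]...10.0.2.1[10.0.2.1]
site-to-site[1]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r, pre-shared key reauthentication in 2 hours
site-to-site[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
site-to-site{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
site-to-site{1}:   192.168.1.0/24 === 192.168.2.0/24'
# What you see when UDP/500 is blocked: IKE_SA_INIT never gets an answer.
SAMPLE_STUCK='Security Associations (0 up, 1 connecting):
site-to-site[1]: CONNECTING, 10.0.1.1[%any]...10.0.2.1[%any]
site-to-site[1]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i* 0000000000000000_r
site-to-site[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_AUTH CHILD_CREATE'

# Usage on Peer A (as root); Peer B runs the same with 'B':
#   render_conf A cbc > /etc/ipsec.conf
#   psk=$(gen_psk); render_secrets "$psk" > /etc/ipsec.secrets; chmod 600 /etc/ipsec.secrets
#   ipsec restart; sleep 2; ipsec statusall | tunnel_up site-to-site && echo "tunnel up"
```

The generated PSK must be copied to Peer B out of band (the lab gives no channel for that; in practice use your configuration management's secret store), and `render_secrets` deliberately emits the same line for both sides because `ipsec.secrets` keys the PSK on the pair of peer addresses. `tunnel_up` insists on both states: an ESTABLISHED IKE SA without an INSTALLED CHILD SA usually means the `esp` proposals or the subnets do not match.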