IPsec/L2TP VPN Strongswan Site-Site on Debian 8

A Virtual Private Network (VPN) is a way of using a secure network tunnel to carry all traffic between different locations on the internet – for example between your local office workstations and servers in your ElasticHosts account, or from your office workstations to your ElasticHosts cloud servers and then out into the internet from there.

In this tutorial, we’ll set up a VPN server using Strongswan on Debian Linux. To do this, we’ll be using the Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec, commonly referred to as an ‘L2TP/IPsec’ (pronounced “L2TP over IPsec”) VPN. For more information, see the L2TP/IPsec standard (RFC 3193).

Before You Begin

You will need two Cloud VMs.

The steps in this tutorial assume that you are using Debian Linux, but should be similar for other versions of Linux or BSDs if you have a preference. We recommend running all the commands below as root, or using sudo.

If you are looking to use the VPN to connect to several servers within ElasticHosts, make sure that the others are connected to the VPN server by a VLAN as described in our Set Up a VLAN guide. The servers in this guide will use the following addresses:

Server A: 10.0.0.1/24
Server B: 10.0.0.2/24

If you don’t intend to connect to other machines within your ElasticHosts account (for example, if you want to use the VPN for increased privacy while browsing), you won’t need the second server. Finally, if you’re using a firewall such as iptables or the built-in ElasticHosts firewall, you’ll need to make sure that UDP traffic is allowed to port 500 (IKE) and port 4500 (IPsec NAT traversal), and that ESP (IP protocol 50) is allowed as well, since that is what carries the encrypted packets when there is no NAT between the two servers.

1. Configure Server A

Make sure that the package lists are up to date:

$ apt-get update

Install the ipsec-tools and strongswan-starter packages:

$ apt-get install ipsec-tools strongswan-starter

The IPsec connection is defined in the strongSwan configuration file. Open it for editing:

$ nano /etc/ipsec.conf

Bear in mind that left= is the IP of the Cloud VM you are currently working on, in our case Server A, and right= is the server we are going to connect to, in this case Server B. The esp= line selects the ESP cipher and integrity algorithms for the tunnel; it is a proposal string, not a password:

conn red-to-blue
    authby=secret
    auto=route
    keyexchange=ike
    left=10.0.0.1
    right=10.0.0.2
    type=transport
    esp=aes256-sha256

Open the file which holds the PSKs:

$ nano /etc/ipsec.secrets

It is very important to separate each element with spaces, NOT tabs.

LeftIp RightIP : PSK "YourPassword"  

Example:

10.0.0.1 10.0.0.2 : PSK "LmwJSJE61gj1Swx"  

Restart IPsec:

$ ipsec restart

The output should look similar to this:

Stopping strongSwan IPsec...  
Starting strongSwan 5.2.1 IPsec [starter]...  

After that, run the command below:

$ ipsec statusall

The output should look similar to this:

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):  
  uptime: 4 seconds, since Feb 15 18:46:29 2017
  malloc: sbrk 1323008, mmap 0, used 292464, free 1030544
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:  
  83.222.226.50
  10.0.0.1
Connections:  
 red-to-blue:  10.0.0.1...10.0.0.2  IKEv1/2
 red-to-blue:   local:  [10.0.0.1] uses pre-shared key authentication
 red-to-blue:   remote: [10.0.0.2] uses pre-shared key authentication
 red-to-blue:   child:  dynamic === dynamic TRANSPORT
Routed Connections:  
 red-to-blue{1}:  ROUTED, TRANSPORT
 red-to-blue{1}:   10.0.0.1/32 === 10.0.0.2/32 
Security Associations (0 up, 0 connecting):  
  none

2. Configure Server B

The setup is pretty much the same as for Server A.

Make sure that the packages are up to date:

$ apt-get update

Install the same packages:

$ apt-get install ipsec-tools strongswan-starter

Edit ipsec.conf, mirroring what you did on Server A: left= is now the IP of the machine you are currently working on, Server B, which you set as right= on Server A, and right= is Server A. The esp= proposal must be the same on both sides:

conn blue-to-red
    authby=secret
    auto=route
    keyexchange=ike
    left=10.0.0.2
    right=10.0.0.1
    type=transport
    esp=aes256-sha256

Open the file which holds the PSKs:

$ nano /etc/ipsec.secrets

Again, it's very important to separate each element with spaces, NOT tabs.

LeftIp RightIP : PSK "YourPassword"  

Example:

10.0.0.1 10.0.0.2 : PSK "LmwJSJE61gj1Swx"  

Restart IPsec:

$ ipsec restart
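The two servers' files are mirror images of each other and the secrets line has to be identical on both, which is easy to get wrong by hand. The shell script below is an added example, not part of this guide: it renders both conn blocks and the shared secrets line from the two addresses (it assumes the guide's 10.0.0.1/10.0.0.2 and conn names), generates a random PSK with openssl, and checks the secrets line for tabs and a too-short key before you install it.

```shell
#!/bin/sh
# Added example (not from the original guide): render the mirrored
# strongSwan files for both ends of the tunnel and sanity-check the
# ipsec.secrets line before installing it.

A_IP=10.0.0.1   # Server A: left on A, right on B
B_IP=10.0.0.2   # Server B: left on B, right on A

# render_conn NAME LOCAL PEER -> one conn block for /etc/ipsec.conf
render_conn() {
    printf 'conn %s\n' "$1"
    printf '    authby=secret\n'
    printf '    auto=route\n'
    printf '    keyexchange=ike\n'
    printf '    left=%s\n' "$2"
    printf '    right=%s\n' "$3"
    printf '    type=transport\n'
    # esp= takes an ESP proposal (cipher-integrity), never a password
    printf '    esp=aes256-sha256\n'
}

# render_secret IP_A IP_B PSK -> the ipsec.secrets line, space separated;
# the same line is installed on both servers.
render_secret() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# gen_psk -> 32 random bytes, base64, instead of a short memorable word
gen_psk() {
    openssl rand -base64 32
}

# check_secret_line LINE -> 0 if well formed: no tab anywhere, two IPs,
# the literal ": PSK", and a quoted key of at least 20 characters
# (a policy chosen here, not a strongSwan requirement).
check_secret_line() {
    case "$1" in *"$(printf '\t')"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[0-9.]+ [0-9.]+ : PSK "[^"]{20,}"$'
}

main() {
    psk=$(gen_psk)
    line=$(render_secret "$A_IP" "$B_IP" "$psk")
    check_secret_line "$line" || { echo "malformed secrets line" >&2; exit 1; }
    echo "# Server A /etc/ipsec.conf";   render_conn red-to-blue "$A_IP" "$B_IP"
    echo "# Server B /etc/ipsec.conf";   render_conn blue-to-red "$B_IP" "$A_IP"
    echo "# /etc/ipsec.secrets (both):"; printf '%s\n' "$line"
}
# Run as: sh render.sh render   (prints all three files to stdout)
if [ "${1:-}" = render ]; then main; fi
```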

3. Test if it works

You can start a ping from Server A:

$ ping -s 4048 10.0.0.2

Without stopping it, go to Server B and run:

$ watch ipsec statusall

If the byte and packet counters of the security association keep increasing while the ping is running, the tunnel is carrying the traffic and everything is working.
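Watching the counters by eye works for a one-off test; for a repeatable check the same comparison can be done on two saved snapshots of `ipsec statusall`. The script below is an added example, not from this guide, and the three snapshots in it are constructed in strongSwan's status format (an installed SA before and after traffic, and the "none" state the guide's own output shows): it extracts the bytes_i/bytes_o counters for a conn and reports whether both directions grew.

```shell
#!/bin/sh
# Added example (not from the original guide): compare two snapshots of
# `ipsec statusall` and confirm the tunnel's ESP counters are growing.
# The snapshots below are constructed in strongSwan's status format;
# real ones come from: ipsec statusall > snap1.txt (then again later).

# Constructed: SA installed, one large ping each way so far.
SNAP1='Security Associations (1 up, 0 connecting):
 red-to-blue[1]: ESTABLISHED 5 seconds ago, 10.0.0.1[10.0.0.1]...10.0.0.2[10.0.0.2]
 red-to-blue{1}:  INSTALLED, TRANSPORT, ESP SPIs: c1a2b3c4_i c4d5e6f7_o
 red-to-blue{1}:   AES_CBC_256/HMAC_SHA2_256_128, 4100 bytes_i (1 pkt, 1s ago), 4100 bytes_o (1 pkt, 1s ago), rekeying in 45 minutes
 red-to-blue{1}:   10.0.0.1/32 === 10.0.0.2/32'

# Constructed: the same tunnel a few seconds later, counters up.
SNAP2='Security Associations (1 up, 0 connecting):
 red-to-blue{1}:  INSTALLED, TRANSPORT, ESP SPIs: c1a2b3c4_i c4d5e6f7_o
 red-to-blue{1}:   AES_CBC_256/HMAC_SHA2_256_128, 16400 bytes_i (4 pkts, 0s ago), 16400 bytes_o (4 pkts, 0s ago), rekeying in 44 minutes'

# Constructed: no SA yet (the state the guide's statusall output shows).
SNAP0='Security Associations (0 up, 0 connecting):
  none'

# sa_counters CONN SNAPSHOT -> prints "bytes_in bytes_out" for the
# conn's child SA; returns 1 when no installed SA is listed.
sa_counters() {
    printf '%s\n' "$2" | sed -n \
        "s/^ *$1{[0-9]*}:.* \([0-9]*\) bytes_i .* \([0-9]*\) bytes_o .*/\1 \2/p" |
        head -n 1 | grep .
}

# tunnel_carrying_traffic CONN BEFORE AFTER -> 0 if both directions grew,
# 1 if a counter is flat or fell, 2 if the SA is missing from a snapshot.
tunnel_carrying_traffic() {
    before=$(sa_counters "$1" "$2") || return 2
    after=$(sa_counters "$1" "$3") || return 2
    set -- $before $after     # $1=in0 $2=out0 $3=in1 $4=out1
    [ "$3" -gt "$1" ] && [ "$4" -gt "$2" ]
}

tunnel_carrying_traffic red-to-blue "$SNAP1" "$SNAP2" && rc=0 || rc=$?
case $rc in
    0) echo "red-to-blue: ESP traffic flowing in both directions" ;;
    1) echo "red-to-blue: SA is up but a counter is not increasing" ;;
    *) echo "red-to-blue: no security association installed" ;;
esac
```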