Building a Site-to-Site VPN with StrongSwan: Secure and Professional Branch Connectivity

Network tutorial - IT technology blog

Branch Connectivity: When Leased Lines are a Luxury

Do you have two offices in Hanoi and Saigon that need to share file servers or reach internal databases, but you don't want to pay thousands of dollars a month for dedicated leased lines? A site-to-site VPN over the Internet is the economical answer. On Linux, StrongSwan is the reference IPsec implementation: it is stable, scales to many tunnels, and interoperates with the IPsec stacks in Cisco, Juniper and MikroTik equipment, which matters whenever the far end of the tunnel is not another Linux box.

Many beginners are often intimidated by IPsec because the configuration looks more “academic” than OpenVPN or WireGuard. In reality, once you grasp the logic, you’ll find it extremely professional and rigorous, especially in enterprise infrastructures requiring strict compliance.

IPsec and StrongSwan: Understand Quickly to Do It Right

Don’t rush to type commands before understanding the core concepts. IPsec is a suite of protocols working together. The two most important components you need to focus on are:

  • IKE (Internet Key Exchange): the handshake and identity check. It authenticates the two gateways, negotiates the algorithms and derives the session keys. Use IKEv2 wherever possible: it needs fewer round trips than IKEv1, has NAT traversal and dead-peer detection built in, and recovers a broken link faster.
  • ESP (Encapsulating Security Payload): the "armored vehicles" that carry your data across the Internet. In tunnel mode each original IP packet is encrypted and integrity-protected in its entirety and wrapped in a new outer IP header addressed to the other gateway, so an observer sees only traffic between the two public IPs.

StrongSwan's daemon, charon, is the brain (the IKE daemon): it runs the IKE exchange, authenticates the peer and installs the negotiated keys and policies into the Linux kernel (the XFRM framework). The kernel then does the actual ESP encryption and decryption of every packet, which is why throughput is limited by the CPU's AES speed rather than by StrongSwan itself.

Practical Lab Environment

To make it easy to visualize, we will set up a connection between two Ubuntu servers representing the two ends. The public IPs below are placeholders (1.1.1.1, for instance, is really Cloudflare's DNS resolver); substitute your own addresses everywhere they appear:

  • Site A (Headquarters):
    • Public IP: 1.1.1.1
    • Internal Network: 10.10.1.0/24
  • Site B (Branch Office):
    • Public IP: 2.2.2.2
    • Internal Network: 10.10.2.0/24

Important note: plan the address scheme so that no two sites share a range. IPsec decides which packets enter the tunnel by matching source and destination subnets (the traffic selectors), so overlapping LANs mean the gateway cannot tell local hosts from remote ones and the tunnel either never matches or swallows local traffic. Renumbering later is far more painful than a few minutes of subnetting up front; if you're struggling with subnetting, I usually use toolcraft.app to quickly calculate host and broadcast ranges, avoiding silly configuration errors from the start.

Detailed Deployment Steps

Step 1: Install Software Packages

Run this command on both servers to install StrongSwan and the necessary libraries:

sudo apt update
sudo apt install strongswan strongswan-pki libcharon-extra-plugins -y

Step 2: Enable Packet Forwarding (IP Forwarding)

Since the server acts as a VPN gateway, it must forward packets between its interfaces. In /etc/sysctl.conf, uncomment (or add) the following lines. The two redirect settings stop the gateway from sending or accepting ICMP redirects, which could otherwise steer LAN hosts around the tunnel:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Apply the configuration immediately without a reboot:

sudo sysctl -p

Step 3: Set Up Pre-Shared Key (PSK) Authentication

For both sides to trust each other we use pre-shared key (PSK) authentication. The PSK is the only thing standing between anyone on the Internet and your tunnel, so do not make one up: generate it (for example with openssl rand -base64 32, which yields 44 random characters) and use the same value on both gateways. Keep /etc/ipsec.secrets owned by root with mode 0600.

Edit /etc/ipsec.secrets on both servers. The two IDs in front of the colon are the IKE identities this entry applies to; with the configuration in the next step they default to the public IPs:

# Format: ID_A ID_B : PSK "secret"
1.1.1.1 2.2.2.2 : PSK "StrongPassword_2024_Security"

The string shown here is only a placeholder for the article; a real deployment uses the generated value. If a gateway sits behind NAT, its identity on the wire is not its public IP: set leftid/rightid explicitly in ipsec.conf and use the same IDs in this file (or omit the IDs entirely, : PSK "...", to match any peer at the cost of using one key for everyone).

Step 4: Configure the IPsec Tunnel

This is the soul of the entire system. At Site A, edit /etc/ipsec.conf as follows. The trailing ! on a proposal makes it strict: charon offers exactly that algorithm set and refuses anything weaker.

config setup
    # verbose IKE/kernel/config logging helps while bringing the tunnel up;
    # lower these to 1 once it is stable, level 2 is noisy
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=yes

conn siteA-to-siteB
    type=tunnel
    auto=start            # bring the tunnel up as soon as charon starts
    keyexchange=ikev2
    authby=secret         # PSK from /etc/ipsec.secrets

    # Local (Site A)
    left=1.1.1.1
    leftsubnet=10.10.1.0/24

    # Remote (Site B)
    right=2.2.2.2
    rightsubnet=10.10.2.0/24

    # Strict proposals: AES-256, SHA-256, 2048-bit DH (group 14).
    # The DH group on the esp= line gives perfect forward secrecy for every
    # CHILD_SA rekey, not only for the initial IKE_SA.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!

    # Dead peer detection plus unlimited retries: the tunnel rebuilds itself
    # after an outage instead of waiting for an admin
    dpdaction=restart
    dpddelay=30s
    keyingtries=%forever

For Site B the logic is identical: swap the left and right values (left is always the local gateway, right the remote one) and rename the conn if you like. If both ends run a recent StrongSwan, an AEAD proposal such as ike=aes256gcm16-prfsha384-ecp384! with esp=aes256gcm16-ecp384! is faster on modern CPUs; whatever you choose, the proposal strings must match exactly on both sides.

Step 5: Activate the Connection

Restart the service to apply the new parameters:

sudo ipsec restart

Check the results with the command:

sudo ipsec statusall

Look for the conn name with ESTABLISHED (the IKE_SA) and, below it, INSTALLED, TUNNEL with the two subnets (the CHILD_SA); only when both appear is traffic actually flowing. Then test from a host inside each LAN, or from the gateway with a LAN source address, e.g. ping -I 10.10.1.1 10.10.2.1 (assuming .1 is each gateway's LAN address). A plain ping from the gateway leaves with the public IP as source, matches no traffic selector and is sent outside the tunnel, a classic false negative. Remember also that every host in the LAN (or its default router) needs a route for the remote subnet via the VPN gateway. When that all works, congratulations: the two offices are officially connected via a secure tunnel.
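The whole procedure above, from planning non-overlapping ranges (the note in the lab section) through steps 1 to 5, as one script. This is an added example, not code from the original article: it renders both gateways' files from a single set of variables so the left/right swap of step 4 is mechanical, refuses to deploy overlapping LANs, and generates the PSK instead of inventing one. It assumes the article's lab addresses, the Ubuntu strongswan package's ipsec front end, and a hypothetical STRONGSWAN_DEPLOY=1 environment variable that guards the part writing under /etc.

```sh
#!/bin/sh
# Added example, not code from the original tutorial: generate both gateways'
# StrongSwan files from ONE set of variables (so the left/right swap is never
# hand-edited), refuse overlapping LAN ranges, and create a random PSK.
# Assumptions: the article's lab addresses below (placeholders; use your own),
# the Ubuntu `strongswan` package's `ipsec` front end, and a hypothetical
# STRONGSWAN_DEPLOY=1 environment variable enabling the part that writes to /etc.

SITE_A_IP=1.1.1.1; SITE_A_LAN=10.10.1.0/24
SITE_B_IP=2.2.2.2; SITE_B_LAN=10.10.2.0/24

# 32 random bytes as base64 (44 printable characters). Run once, use the
# same value in BOTH sites' ipsec.secrets.
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Dotted quad -> 32-bit integer (word splitting is intended; positional
# parameters are local to the function).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/len B/len: exit 0 if the ranges share any address, 1 if disjoint.
cidr_overlap() {
    a=$(ip2int "${1%/*}"); alen=${1#*/}
    b=$(ip2int "${2%/*}"); blen=${2#*/}
    len=$alen; [ "$blen" -lt "$len" ] && len=$blen   # compare under the shorter prefix
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# render_secrets LOCAL_ID REMOTE_ID PSK -> the one-line /etc/ipsec.secrets
render_secrets() { printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"; }

# render_ipsec_conf NAME LOCAL_IP LOCAL_LAN REMOTE_IP REMOTE_LAN -> /etc/ipsec.conf
render_ipsec_conf() {
    cat <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 1"

conn $1
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=$2
    leftsubnet=$3
    right=$4
    rightsubnet=$5
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=restart
    dpddelay=30s
    keyingtries=%forever
EOF
}

# deploy_site A|B PSK: write that gateway's files (secrets root-only) and start charon.
deploy_site() {
    umask 077                           # never leave the PSK world-readable, even briefly
    case $1 in
        A) render_ipsec_conf siteA-to-siteB "$SITE_A_IP" "$SITE_A_LAN" "$SITE_B_IP" "$SITE_B_LAN" > /etc/ipsec.conf
           render_secrets "$SITE_A_IP" "$SITE_B_IP" "$2" > /etc/ipsec.secrets ;;
        B) render_ipsec_conf siteB-to-siteA "$SITE_B_IP" "$SITE_B_LAN" "$SITE_A_IP" "$SITE_A_LAN" > /etc/ipsec.conf
           render_secrets "$SITE_B_IP" "$SITE_A_IP" "$2" > /etc/ipsec.secrets ;;
        *) echo "usage: deploy_site A|B PSK" >&2; return 1 ;;
    esac
    chmod 644 /etc/ipsec.conf           # the conn definition itself is not secret
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ipsec restart && sleep 2 && ipsec statusall
}

if [ "${STRONGSWAN_DEPLOY:-0}" = 1 ]; then
    if cidr_overlap "$SITE_A_LAN" "$SITE_B_LAN"; then
        echo "refusing to deploy: $SITE_A_LAN and $SITE_B_LAN overlap" >&2; exit 1
    fi
    deploy_site "$@"
fi
```

Run gen_psk once, then on each gateway STRONGSWAN_DEPLOY=1 sudo sh deploy.sh A '<psk>' (B on the branch). Passing the secret as an argument exposes it in shell history and in ps for a moment; on a shared machine read it from a root-only file instead.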

Real-world Troubleshooting Experience

VPN not coming up, or unstable? Don't panic; work through these three checks:

  1. Firewall blocking ports: IKE uses UDP 500, and UDP 4500 once NAT traversal kicks in, so open both: sudo ufw allow 500,4500/udp. Without NAT in the path the encrypted payload travels as raw ESP (IP protocol 50), not UDP, so allow that too, e.g. sudo ufw allow proto esp from 2.2.2.2. Finally, ufw drops forwarded traffic by default, so the tunnel can come up while LAN-to-LAN traffic silently dies in the FORWARD chain; permit it with sudo ufw route allow from 10.10.1.0/24 to 10.10.2.0/24 (and the reverse direction).
  2. Monitor logs directly: tail -f /var/log/syslog | grep charon (or journalctl -f | grep charon where there is no syslog file). "received NO_PROPOSAL_CHOSEN notify error" means the peer rejected your ike=/esp= proposal: the algorithm sets must match exactly on both sides. The peer sends the same notify when none of its conns matches your address or identity, so check left/right and the IDs before blaming the ciphers. "tried N shared key ... but MAC mismatched" is a PSK mismatch.
  3. Hanging on large file transfers (MTU/MSS): very common. ESP adds its own headers, so a full 1500-byte LAN packet becomes larger than the Internet path's MTU and is fragmented or, with the DF bit set, dropped: ping and SSH work while bulk transfers stall. The fix is to clamp the TCP MSS of SYN packets that will cross the tunnel. About 1360 bytes leaves room for the ESP, IV, padding, ICV and NAT-T overhead inside a 1500-byte outer packet with AES/SHA-256; the -m policy match limits the clamp to IPsec-protected traffic instead of everything the box forwards. The original rule used --clamp-mss-to-pmtu, which derives the value from the kernel's route MTU; the fixed value is the predictable choice when you know the overhead. Apply it on both gateways and persist it (iptables-persistent or your firewall tool) so it survives a reboot:
    sudo iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
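A triage helper for the three symptoms above, added here as an example (it is not part of the original article or of StrongSwan). It greps a charon log for the messages the daemon really emits and prints the probable cause. The log lines inside sample_log are constructed in charon's syslog format for the demo, not a real capture, and the rule that "retransmits with nothing ever received" points at a firewall is a heuristic.

```sh
#!/bin/sh
# Added example, not from the original article: map the messages charon logs
# to the likely cause. Sample lines below are constructed for the demo.

# triage_charon_log FILE: print one "CAUSE: hint" line per recognised symptom;
# exit status 0 only if a CHILD_SA (the actual tunnel) came up.
triage_charon_log() {
    log=$1
    if grep -q 'NO_PROPOSAL_CHOSEN' "$log"; then
        echo "PROPOSAL: ike=/esp= algorithms differ between the sites, or no conn on the peer matches your address/ID"
    fi
    if grep -q 'MAC mismatched' "$log" || grep -q 'AUTHENTICATION_FAILED' "$log"; then
        echo "PSK: the secrets differ, or the IDs in ipsec.secrets do not match the IDs on the wire"
    fi
    if grep -q 'no matching peer config found' "$log"; then
        echo "IDENTITY: the peer's ID/address matches no conn (NAT in the path? set leftid/rightid)"
    fi
    # Heuristic: we kept retransmitting and never logged anything "received" from the peer.
    if grep -q 'retransmit [0-9]* of request' "$log" && ! grep -q 'received' "$log"; then
        echo "FIREWALL: peer never answered; allow UDP 500/4500 inbound (and ESP, IP protocol 50, without NAT-T)"
    fi
    if grep -q 'CHILD_SA .* established' "$log"; then
        echo "OK: tunnel established; if LAN hosts still cannot talk, check FORWARD rules, routes and MSS clamping"
        return 0
    fi
    return 1
}

# sample_log proposal|silent|ok: constructed charon lines in Ubuntu syslog format
sample_log() {
    case $1 in
        proposal) cat <<'EOF'
Jan 10 09:00:01 siteA charon: 05[IKE] initiating IKE_SA siteA-to-siteB[1] to 2.2.2.2
Jan 10 09:00:05 siteA charon: 06[IKE] retransmit 1 of request with message ID 0
Jan 10 09:00:12 siteA charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify error
EOF
        ;;
        silent) cat <<'EOF'
Jan 10 09:05:01 siteA charon: 08[IKE] initiating IKE_SA siteA-to-siteB[1] to 2.2.2.2
Jan 10 09:05:05 siteA charon: 09[IKE] retransmit 1 of request with message ID 0
Jan 10 09:05:12 siteA charon: 10[IKE] retransmit 2 of request with message ID 0
Jan 10 09:06:25 siteA charon: 11[IKE] giving up after 5 retransmits
EOF
        ;;
        ok) cat <<'EOF'
Jan 10 09:10:01 siteA charon: 05[IKE] initiating IKE_SA siteA-to-siteB[2] to 2.2.2.2
Jan 10 09:10:01 siteA charon: 05[IKE] IKE_SA siteA-to-siteB[2] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Jan 10 09:10:01 siteA charon: 05[IKE] CHILD_SA siteA-to-siteB{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 10.10.1.0/24 === 10.10.2.0/24
EOF
        ;;
        *) echo "usage: sample_log proposal|silent|ok" >&2; return 1 ;;
    esac
}
```

On a real gateway feed it the daemon's lines, e.g. grep charon /var/log/syslog > /tmp/charon.log; triage_charon_log /tmp/charon.log. The exit status makes it usable from a monitoring check.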

Conclusion

Building a Site-to-Site VPN with StrongSwan gives you full control over your network infrastructure without relying on any third-party service providers. Although the configuration can be strict, in return, you get an enterprise-grade system ready to scale to hundreds of different branches. Good luck with your setup! If you get “stuck” at any step, feel free to leave a question below!
