StrongSwan is an opensource IPsec implementation and can be used as a site-to-site VPN.

Installation[edit | edit source]

Assuming that we have the following sites:

  • Site A: 3.15.161.169, 192.168.1.0/24
  • Site B: 107.189.11.145, 192.168.2.0/24

All Sites[edit | edit source]

On all sites running CentOS 8, install and enable the EPEL repo and then install the StrongSwan package.

# yum -y install epel-release
# yum -y install strongswan

Allow IP forward and disable redirects:

# cat >> /etc/sysctl.conf  <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
# sysctl -p /etc/sysctl.conf

All StrongSwan configs are located in /etc/strongswan/. There are two important files to configure:

  1. ipsec.conf contains each remote site's configuration and
  2. ipsec.secrets contains pre-shared secrets for each remote site.

A pre-shared secret for each site can be created with openssl:

openssl rand -base64 64

Site A[edit | edit source]

On Site A, configure:

/etc/strongswan/ipsec.secrets:

# source        destination
3.15.161.169    107.189.11.145 : PSK "secret"

/etc/strongswan/ipsec.conf:

# basic configuration
config setup
	charondebug="all"
	uniqueids=yes
	strictcrlpolicy=no

# connection to site B
conn A-to-B
	authby=secret
	left=%defaultroute
	leftid=3.15.161.169
	leftsubnet=192.168.1.0/24
	right=107.189.11.145
	rightsubnet=192.168.2.0/24
	ike=aes256-sha2_256-modp1024!
	esp=aes256-sha2_256!
	keyingtries=0
	ikelifetime=1h
	lifetime=8h
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart
	auto=start

Masquerade traffic destined to this site from the remote site:

# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j MASQUERADE

Site B[edit | edit source]

Similar to Site A, but with the IPs for A and B swapped.