Configure Site-to-Site VPN using strongSwan on Ubuntu 24.04

VPN stands for Virtual Private Network. It is a service that protects your online activities, such as browsing, shopping, and banking, from malicious attacks and intrusion, and it gives you privacy while accessing the internet. It does this by creating an encrypted connection between your computer and the internet, providing a private tunnel for your data and hiding your IP address while you are online. With a VPN you can browse, read, and shop online without anyone finding out who you are.

Internet Key Exchange version 2, popularly known as IKEv2, is an enhancement of the Internet Key Exchange protocol. IKEv2 negotiates the keys for a VPN and authenticates the systems taking part in the negotiation. It employs cryptographic protocols to meet the security requirements of key management. IKEv2's main goal is to be a reliable tool that independently produces the same symmetric key on both communicating parties.

strongSwan

strongSwan is an open-source IPsec VPN solution for Linux, Android, Windows, FreeBSD, OS X, and iOS that provides encryption and authentication to servers and clients. It implements both the IKEv1 and IKEv2 key exchange protocols to establish Security Associations (SAs) between peers and to dynamically update IP addresses and interfaces. It can secure remote network communications, which makes connecting remotely the same as connecting locally.

strongSwan architecture includes:

  • Gateways, which usually act as a firewall but also serve a small network with DHCP and DNS.
  • Remote Access / Roadwarrior Clients are laptops and mobile devices that access the network remotely via the gateway.
  • Remote Hosts / Host-to-Host are just remote web servers or backup systems.
  • Remote Sites / Site-to-Site are hosts in two or more subnets that are in different locations and have access to each other.

strongSwan provides different methods to authenticate a peer during IKE_SA establishment:

  • Public Key Authentication by use of certificates that can be self-signed or signed by a common Certificate Authority.
  • Pre-Shared-Key Authentication (PSK) involves sharing a strong secret key between the peers.
  • Extensible Authentication Protocol (EAP), which can be based on username/password authentication or X.509 certificates.
  • Extended Authentication (XAuth) is a flexible authentication framework mainly based on username/password authentication.

Some of the features of strongSwan include:

  • Virtual IP addresses are managed by an SQL database or IKE daemon.
  • It contains powerful IPsec policies based on wildcards or intermediate CAs.
  • Contains modular plugins for crypto algorithms and relational database interfaces.
  • Optional built-in integrity and crypto tests for plugins and libraries.
  • Smooth Linux desktop integration via the strongSwan NetworkManager applet.
  • Storage of RSA private keys and certificates on a smartcard.
  • strongSwan has a Dead Peer Detection that detects dangling tunnels.

Let us now see how to configure a Site-to-Site VPN using strongSwan on Ubuntu 24.04.

Details of our 2 sites (both Ubuntu):

  • Site A Private IP: 192.168.200.43
  • Site B Private IP: 192.168.200.130

Step 1: Install strongSwan on Ubuntu 24.04

Update your system:

sudo apt update && sudo apt upgrade -y

Configure the kernel to enable packet forwarding for IPv4. Edit the configuration file:

sudo vim /etc/sysctl.conf

Add the following lines at the end of the file.

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Save and exit the file then run the following command to load settings.

sudo sysctl -p

Install strongSwan and supporting dependencies:

sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y

Set the service to start on boot.

sudo systemctl enable strongswan-starter
sudo systemctl is-enabled strongswan-starter

Check for the service status

$ systemctl status strongswan-starter
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.>
     Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; v>
     Active: active (running) since Mon 2025-04-21 19:20:14 EAT; 2min 1s ago
   Main PID: 2647 (starter)
      Tasks: 18 (limit: 9457)
     Memory: 5.7M
        CPU: 41ms
     CGroup: /system.slice/strongswan-starter.service
             ├─2647 /usr/lib/ipsec/starter --daemon charon --nofork
             └─2655 /usr/lib/ipsec/charon

Generate a secure PSK to be used by the peers using the following command.

$ head -c 24 /dev/urandom | base64
0kfrp1vSj006fxz2qjcwitqEGPepAnIR

Step 2: Configure “Site A” using strongSwan

Add the PSK to the /etc/ipsec.secrets file:

sudo vim /etc/ipsec.secrets

Add the key. The two selectors before the colon are the IKE identities of the local and remote peer; with no leftid/rightid set in ipsec.conf these default to the left and right addresses (the public IPs), so those are the values that must appear here. Keep the file readable by root only (it ships as mode 600):

138.201.255.67 95.217.16.14 : PSK "0kfrp1vSj006fxz2qjcwitqEGPepAnIR"

Save and exit the file.

Make a copy of the configuration file then set up the VPN configuration on that file.

sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
sudo vim /etc/ipsec.conf

Add the following details to the file.

config setup
        charondebug="all"
        uniqueids=yes
conn SiteA-SiteB
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=138.201.255.67
        leftsubnet=192.168.200.43/24
        right=95.217.16.14
        rightsubnet=192.168.200.130/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Save and exit the file.

Where:

  • config setup specifies general configuration information for IPsec that applies to all connections.
  • charondebug="all" defines how much charon debugging output is logged. This is very verbose; lower it once the tunnel works.
  • uniqueids=yes states whether a particular participant ID should be kept unique; a new IKE_SA with the same ID replaces the old one.
  • conn SiteA-SiteB is the connection name.
  • authby=secret specifies how the connection is authenticated: with a pre-shared key from ipsec.secrets.
  • auto=start loads and starts the connection when the daemon starts.
  • type=tunnel is the type of connection (IPsec tunnel mode).
  • left=138.201.255.67 is the public IP address of server A.
  • leftsubnet=192.168.200.43/24 is the private subnet behind server A. strongSwan masks the host bits, so this means 192.168.200.0/24.
  • right=95.217.16.14 is the public IP address of server B, the remote server.
  • rightsubnet=192.168.200.130/24 is the private subnet behind server B. Note that the two sites must use distinct, non-overlapping subnets for traffic to be routed through the tunnel; a host address with /24 on both sides describes the same 192.168.200.0/24 network.
  • ike=aes256-sha1-modp1024! is the IKE proposal (cipher, integrity/PRF and Diffie-Hellman group) used to protect the Internet Key Exchange; the trailing ! makes the proposal strict. sha1 and modp1024 are legacy choices; aes256-sha256-modp2048 is a stronger equivalent when both peers support it.
  • keyexchange=ikev2 is the Internet Key Exchange version.
  • ikelifetime=28800s is the time an IKE_SA lasts before it is renegotiated (re-authentication by default in ipsec.conf).
  • esp=aes256-sha1! is the ESP proposal that protects the actual tunnelled traffic.
  • aggressive states whether to use Aggressive or Main Mode (IKEv1 only; ignored for IKEv2).
  • keyingtries states the number of attempts that should be made to negotiate a connection; %forever retries indefinitely.
  • lifetime defines how long a particular instance of a connection (a CHILD_SA) should last, from successful negotiation to expiry.
  • dpddelay specifies the interval at which Dead Peer Detection exchanges are sent to the peer.
  • dpdtimeout specifies the timeout interval after which connections are deleted in case of inactivity (used by IKEv1 only; IKEv2 uses the retransmission timeout).
  • dpdaction states what to do when Dead Peer Detection (DPD) declares the peer dead; restart renegotiates the connection.

If you have an active firewall, add the following NAT rule:

sudo iptables -t nat -A POSTROUTING -s 192.168.200.43/24 -d 192.168.200.130/24 -j MASQUERADE

Step 3: Configure “Site B” using strongSwan

First, add the PSK to the /etc/ipsec.secrets file.

sudo vim /etc/ipsec.secrets

Add the key, again using the IKE identities of the peers (their public IP addresses) as the selectors:

95.217.16.14 138.201.255.67 : PSK "0kfrp1vSj006fxz2qjcwitqEGPepAnIR"

Save and exit the file.

Copy the configuration file to create a backup then set up the VPN configuration on that file.

sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
sudo nano /etc/ipsec.conf

Then append the following details to the file.

config setup
        charondebug="all"
        uniqueids=yes
conn SiteA-SiteB
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=95.217.16.14
        leftsubnet=192.168.200.130/24
        right=138.201.255.67
        rightsubnet=192.168.200.43/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Save and exit the file.

If you have an active firewall, add the following NAT rule:

sudo iptables -t nat -A POSTROUTING -s 192.168.200.130/24 -d 192.168.200.43/24 -j MASQUERADE
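
As an added example that is not part of this guide, the POSIX shell script below audits one gateway's ipsec.conf and ipsec.secrets before you restart the daemon: it checks that the PSK selectors match the IKE identities (which default to the left and right addresses), that the two subnets are still distinct after strongSwan masks the host bits, that the IKE proposal avoids legacy sha1/modp1024, and that the secrets file is mode 600. The function names and the constructed sample files are mine; the sample reuses the Site A addresses with private-IP selectors and the sha1/modp1024 proposal so that the check has something to report. GNU awk and stat, as shipped on Ubuntu, are assumed.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight check of a strongSwan
# ipsec.conf / ipsec.secrets pair for one PSK site-to-site conn. Assumes GNU
# awk and stat (Ubuntu). Run on each gateway before "ipsec restart".

# conf_value FILE KEY -> value of the first "KEY=value" line (trailing ! dropped)
conf_value() {
    awk -F= -v k="$2" '{ gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { gsub(/[ \t!]/, "", $2); print $2; exit }' "$1"
}

# network CIDR -> canonical network, e.g. 192.168.200.43/24 -> 192.168.200.0/24
# (strongSwan masks the host bits the same way, so host/24 means the whole /24)
network() {
    echo "$1" | awk -F'[./]' '{ n = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4
        n -= n % (2 ^ (32 - $5))
        printf "%d.%d.%d.%d/%d\n", int(n / 16777216) % 256, int(n / 65536) % 256,
            int(n / 256) % 256, n % 256, $5 }'
}

# check_site_config CONF SECRETS -> prints each problem found, returns 1 if any
check_site_config() {
    conf="$1"; secrets="$2"; rc=0
    left=$(conf_value "$conf" left); right=$(conf_value "$conf" right)
    # Secrets selectors are IKE identities; without leftid/rightid these default
    # to the left/right addresses, so private-subnet selectors never match.
    awk -v a="$left" -v b="$right" '$3 == ":" && $4 == "PSK" &&
        (($1 == a && $2 == b) || ($1 == b && $2 == a)) { ok = 1 } END { exit !ok }' \
        "$secrets" || { echo "no PSK selector for $left <-> $right in $secrets"; rc=1; }
    ln=$(network "$(conf_value "$conf" leftsubnet)")
    rn=$(network "$(conf_value "$conf" rightsubnet)")
    [ "$ln" != "$rn" ] || { echo "leftsubnet and rightsubnet are both $ln"; rc=1; }
    case "$(conf_value "$conf" ike)" in
        *sha1*|*modp1024*) echo "ike proposal uses legacy sha1/modp1024"; rc=1 ;;
    esac
    mode=$(stat -c '%a' "$secrets")
    [ "$mode" = "600" ] || { echo "$secrets is mode $mode, expected 600"; rc=1; }
    return $rc
}

# Constructed sample mirroring the guide's Site A files (PSK is a placeholder)
demo=$(mktemp -d)
printf 'conn SiteA-SiteB\n\tleft=138.201.255.67\n\tleftsubnet=192.168.200.43/24\n' > "$demo/ipsec.conf"
printf '\tright=95.217.16.14\n\trightsubnet=192.168.200.130/24\n\tike=aes256-sha1-modp1024!\n' >> "$demo/ipsec.conf"
printf '192.168.200.43 192.168.200.130 : PSK "PLACEHOLDER"\n' > "$demo/ipsec.secrets"
chmod 600 "$demo/ipsec.secrets"
check_site_config "$demo/ipsec.conf" "$demo/ipsec.secrets" || echo "fix these before ipsec restart"
```

Run it as root against the real /etc/ipsec.conf and /etc/ipsec.secrets on each gateway; a clean run prints nothing and exits 0.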

Step 4: Start strongSwan VPN server

Restart the VPN on both gateways.

$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.5 IPsec [starter]...

Check the status of the tunnel

sudo ipsec status

Verify that each gateway can reach the private address on the other side of the tunnel.

From Site A:

ping 192.168.200.130

From site B:

ping 192.168.200.43

You can start and stop IPsec with the following command:

sudo ipsec stop
sudo ipsec start

Conclusion

strongSwan is an IPsec-based VPN solution that is essentially a keying daemon using the IKEv2 protocol to establish Security Associations (SAs) between peers. The strongSwan IPsec solution runs on Linux 2.6, 3.x, 4.x and 5.x kernels, Android, FreeBSD, OS X, iOS and Windows. With different authentication methods such as XAuth, PSK, and EAP, strongSwan provides a secure way to connect to a network either locally or remotely.
