
How to Deploy Site-to-Site IPsec VPNs with Cloud Servers

Many Progressive Robot Cloud Server customers face challenges when configuring IPsec site-to-site VPNs. This guide simplifies the process by explaining the technology and walking you through an example setup.

What is IPsec?

IPsec is a suite of protocols that authenticates and encrypts IP packets between two endpoints, so traffic can cross an untrusted network such as the internet without being read or altered in transit: IKE negotiates the keys, and ESP (or AH, which authenticates but does not encrypt) protects the packets themselves. IPsec is commonly used for VPNs, which come in two types: remote access VPNs and site-to-site VPNs.

Remote access VPNs let individual users connect securely to a central network, like employees working from home. Site-to-site VPNs connect entire networks, such as linking office branches or connecting on-premise networks to the cloud.

Benefits of Site-to-Site VPNs

Site-to-site VPNs give two networks an encrypted, authenticated link that behaves like a private circuit. Access control improves because the remote network is reached through a single gateway you control, the encryption protects traffic in transit, and the network design stays simple: hosts on each side talk to the other side's private addresses, so only the two gateways need public IPs and no internal service has to be exposed to the internet. That makes them a good fit for businesses with multiple locations.

Understanding Internet Key Exchange (IKE)

IKE is the protocol that negotiates, authenticates and maintains an IPsec tunnel. It works in two phases:

Phase 1 (the IKE_SA_INIT and IKE_AUTH exchanges in IKEv2) performs a Diffie-Hellman exchange and authenticates both peers, with a pre-shared key or with certificates, producing the IKE security association: an encrypted channel for all further IKE messages. In IKEv2 the first child SA is already agreed during IKE_AUTH.
Phase 2 (CREATE_CHILD_SA in IKEv2) uses that channel to negotiate the IPsec security associations that carry the actual traffic: the ESP cipher and integrity algorithms, the session keys, the subnets to protect (the traffic selectors), and later rekeying.

IKEv2 is the current version and the one to deploy: it needs fewer round trips, has NAT traversal and dead peer detection built in, and removes the ambiguous negotiation modes of IKEv1 that caused most of its interoperability and security problems.

Deployment Modes: Route-Based vs. Policy-Based

Site-to-site VPNs can be deployed in two ways:

Route-Based VPNs bind the tunnel to a virtual tunnel interface (VTI). Whatever the routing table sends out of that interface is encrypted, so adding a network to the VPN is just adding a route, and dynamic routing protocols can run across it. That makes them the better fit for hub-and-spoke or multi-site designs.

Policy-Based VPNs define the encryption domain as a set of policies: each pair of local and remote subnets that should be protected is listed explicitly, and the kernel encrypts packets that match. They are simpler to set up, which is why the strongSwan example below uses them, but every subnet pair must be configured on both sides and they do not fit routing protocols, so they are best suited to point-to-point links.


Configuring Cloud Servers as IPsec VPN Gateways

This example connects two private networks in different data centres, one in the UK and one in Germany (DE), using Ubuntu 22.04 servers running strongSwan as the VPN gateways. The UK gateway has the public address 88.208.240.253 and the private address 10.10.0.2 in 10.10.0.0/24; the DE gateway has the public address 217.160.48.91 and the private address 192.168.0.2 in 192.168.0.0/24.

Step 1: Firewall Configuration

In the Progressive Robot CloudNX control panel, create security policies that allow the VPN traffic to reach each gateway: UDP 500 (IKE), UDP 4500 (IKE and ESP over UDP when NAT traversal is in use) and IP protocol 50 (ESP, used when there is no NAT between the gateways). Limit the source of these rules to the other gateway's public IP rather than opening them to the whole internet; otherwise the pre-shared key is the only thing protecting the IKE endpoint. If the panel cannot express a rule for IP protocol 50, set forceencaps=yes in the strongSwan connection so that ESP is always encapsulated in UDP 4500. Apply the equivalent policy to both VPN gateways.

Step 2: Server Configuration

Configure the private network interface on each server. Use Netplan to set IP addresses and static routes (Netplan expects version: 2 and a list of entries under routes:). For example:

On the DE server:

network:
  version: 2
  ethernets:
    ens224:
      dhcp4: false
      addresses: [192.168.0.2/24]
      routes:
        - to: 10.10.0.0/24
          via: 192.168.0.1


On the UK server:

network:
  version: 2
  ethernets:
    ens224:
      dhcp4: false
      addresses: [10.10.0.2/24]
      routes:
        - to: 192.168.0.0/24
          via: 10.10.0.1


Apply the configuration with sudo netplan apply and test connectivity by pinging the private network's gateway, the via address of the static route (192.168.0.1 from DE, 10.10.0.1 from UK). On the VPN gateway itself this static route only matters until the tunnel is up: once strongSwan has negotiated the tunnel it installs its own route for the remote subnet in routing table 220, which takes precedence. Other hosts in each private network need a route for the remote subnet that points at their local VPN gateway.

Step 3: Install strongSwan

Install strongSwan and related packages on both VPN gateways:

sudo apt-get update && sudo apt-get upgrade -y
sudo apt install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y

Only strongswan and the charon plugins are needed for this pre-shared-key setup: strongswan-pki is for generating certificates and libtss2-tcti-tabrmd0 is only used by the TPM plugin, so both can be left out.

Check the IPsec service status to ensure it is running (on Ubuntu, ipsec.service is an alias for strongswan-starter.service):

sudo systemctl status ipsec

Step 4: Enable IP Routing

The gateway has to forward packets between its private interface and the tunnel, which Linux refuses to do by default. Edit /etc/sysctl.conf to enable IP forwarding and, while there, stop the gateway from accepting ICMP redirects, which could otherwise steer traffic around the tunnel:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

Reload the configuration:

sudo sysctl --system

Step 5: Configure strongSwan

Keep a copy of the default configuration file and start from a clean one:

sudo mv /etc/ipsec.conf /etc/ipsec.conf.bak

Create a new /etc/ipsec.conf file. For the UK gateway:

config setup
    # cachecrls and strictcrlpolicy only affect certificate authentication;
    # they do nothing for a pre-shared key but are harmless
    cachecrls=yes
    strictcrlpolicy=yes

conn vpn-to-de
    keyexchange=ikev2
    authby=secret
    left=88.208.240.253
    leftsubnet=10.10.0.0/24
    right=217.160.48.91
    rightsubnet=192.168.0.0/24
    compress=no
    dpdaction=restart
    dpddelay=30s
    ike=aes256-sha512-modp2048
    esp=aes256-sha256-modp2048
    ikelifetime=3h
    lifetime=1h
    rekeymargin=540s
    keyingtries=%forever
    auto=start

authby=secret (psk is an alias for it) selects pre-shared-key authentication, so it is given once; lifetime and keylife are the same option, so that is given once too. The modp2048 group in the esp line enables perfect forward secrecy for the child SA, and appending ! to the ike and esp lines (for example ike=aes256-sha512-modp2048!) makes strongSwan reject anything but that proposal.

For the DE gateway, swap the left and right values (left=217.160.48.91, leftsubnet=192.168.0.0/24, right=88.208.240.253, rightsubnet=10.10.0.0/24). strongSwan in fact treats left as whichever side has a local address, so the same file works unchanged on both gateways, but writing the local side as left keeps each file readable.

Both gateways also need the pre-shared key itself in /etc/ipsec.secrets, selected by the two public addresses, as a single line of the form 88.208.240.253 217.160.48.91 : PSK "your-long-random-key". Generate the key once (for example with openssl rand -base64 32), use the same value on both sides, keep the file mode 0600, and restart strongSwan after editing either file with sudo ipsec restart.

Step 6: Test the VPN

Check the VPN status on either gateway with (ipsec statusall also lists the loaded configuration and proposals):

sudo ipsec status

A working tunnel lists the IKE SA as ESTABLISHED and the child SA as INSTALLED, TUNNEL with the selectors 10.10.0.0/24 === 192.168.0.0/24. If the connection stays in CONNECTING, check the firewall rules from Step 1 and look at journalctl -u strongswan-starter for the IKE error. Then, from the DE gateway, use traceroute to confirm that traffic for the UK gateway's private address goes through the tunnel: it should arrive in a single hop with no public routers in between, because the packet is encrypted before it leaves the gateway:

traceroute 10.10.0.2

Step 7: Performance Testing

Install iperf on both servers (sudo apt install iperf). On the DE server, run it in server mode:

iperf -s

On the UK server, connect to the DE server's private address; the traffic crosses the tunnel, so the throughput you see includes the encryption work on both gateways:

iperf -c 192.168.0.2
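As an added example that is not part of the original article and not strongSwan's own tooling, the following script ties Steps 1 to 7 together and also shows the route-based (VTI) deployment mode described earlier, which the article's own configuration does not use. It renders ipsec.conf for either gateway (left is always the local side, so one function serves both ends), writes ipsec.secrets readable only by root, prints the extra commands a VTI setup needs, and checks ipsec status output for an ESTABLISHED IKE SA and an INSTALLED child SA. The addresses are the article's; the conn names vpn-to-de/vpn-to-uk, the device name ipsec0, the mark value 42 and the sample status text are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the article or from strongSwan: render the strongSwan
# config for either gateway of the UK/DE pair, in the article's policy-based
# form or as a route-based (VTI) variant, and check `ipsec status` output.
# Assumed, not from the article: conn names, VTI device ipsec0, mark 42.
set -eu

UK_PUB=88.208.240.253; UK_NET=10.10.0.0/24
DE_PUB=217.160.48.91;  DE_NET=192.168.0.0/24

# peer_vars uk|de: set LOCAL_*/PEER_*/CONN so that "left" is always local
peer_vars() {
  case "$1" in
    uk) LOCAL_PUB=$UK_PUB; LOCAL_NET=$UK_NET; PEER_PUB=$DE_PUB; PEER_NET=$DE_NET; CONN=vpn-to-de ;;
    de) LOCAL_PUB=$DE_PUB; LOCAL_NET=$DE_NET; PEER_PUB=$UK_PUB; PEER_NET=$UK_NET; CONN=vpn-to-uk ;;
    *)  echo "side must be uk or de" >&2; return 2 ;;
  esac
}

# render_conn SIDE [policy|vti]: print /etc/ipsec.conf for that gateway.
# policy: the real subnets are the traffic selectors (the article's setup).
# vti: selectors are 0.0.0.0/0 and the SAs carry mark 42, so only packets the
# routing table sends into the ipsec0 interface are encrypted (vti_commands).
render_conn() {
  peer_vars "$1"
  local mode=${2:-policy} lsub=$LOCAL_NET rsub=$PEER_NET
  if [ "$mode" = vti ]; then lsub=0.0.0.0/0; rsub=0.0.0.0/0; fi
  cat <<EOF
config setup
    uniqueids=yes

conn $CONN
    keyexchange=ikev2
    authby=secret
    left=$LOCAL_PUB
    leftsubnet=$lsub
    right=$PEER_PUB
    rightsubnet=$rsub
    ike=aes256-sha512-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=3h
    lifetime=1h
    rekeymargin=540s
    keyingtries=%forever
    dpdaction=restart
    dpddelay=30s
EOF
  if [ "$mode" = vti ]; then echo "    mark=42"; fi
  echo "    auto=start"
}

# render_secrets PSK: the /etc/ipsec.secrets line, identical on both gateways
render_secrets() { printf '%s %s : PSK "%s"\n' "$UK_PUB" "$DE_PUB" "$1"; }

# install_config SIDE PSK [ROOT]: write both files, secrets readable by root only
install_config() {
  local root=${3:-}
  install -d -m 0755 "$root/etc"
  render_conn "$1" > "$root/etc/ipsec.conf"
  ( umask 077; render_secrets "$2" > "$root/etc/ipsec.secrets" )
}

# vti_commands SIDE: the extra root commands for the route-based variant;
# also set install_routes = no in /etc/strongswan.d/charon.conf in this mode
vti_commands() {
  peer_vars "$1"
  cat <<EOF
ip tunnel add ipsec0 mode vti local $LOCAL_PUB remote $PEER_PUB key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add $PEER_NET dev ipsec0
EOF
}

# tunnel_healthy STATUS_TEXT: true only with an ESTABLISHED IKE SA and an
# INSTALLED child SA; CONNECTING or an empty SA list counts as down
tunnel_healthy() {
  printf '%s\n' "$1" | grep -q 'ESTABLISHED' &&
    printf '%s\n' "$1" | grep -q 'INSTALLED, TUNNEL'
}

# Constructed samples of `ipsec status` output (not captured from a real host)
STATUS_UP='Security Associations (1 up, 0 connecting):
   vpn-to-de[1]: ESTABLISHED 2 minutes ago, 88.208.240.253[88.208.240.253]...217.160.48.91[217.160.48.91]
   vpn-to-de{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7d3a1f2_i 9e04b6c8_o
   vpn-to-de{1}:   10.10.0.0/24 === 192.168.0.0/24'
STATUS_DOWN='Security Associations (0 up, 1 connecting):
   vpn-to-de[2]: CONNECTING, 88.208.240.253[%any]...217.160.48.91[%any]'

# Usage as root: ./vpn.sh deploy uk  (prints a fresh PSK), then on the other
# gateway: ./vpn.sh deploy de "<that PSK>"  (same key on both sides)
if [ "${1:-}" = deploy ]; then
  PSK=${3:-$(openssl rand -base64 32)}
  install_config "$2" "$PSK"
  printf 'PSK for the other gateway: %s\n' "$PSK"
  ipsec restart && sleep 5
  if tunnel_healthy "$(ipsec status)"; then echo "tunnel up"; else echo "tunnel not up yet"; fi
fi
```

The deploy branch only writes the article's policy-based configuration. For the VTI variant, write the output of render_conn de vti to /etc/ipsec.conf, run the lines printed by vti_commands de as root, and set install_routes = no under charon in /etc/strongswan.d/charon.conf so strongSwan does not add its own route in table 220; the mark on the SAs and the disable_policy sysctl on ipsec0 are what tie the interface to the tunnel. tunnel_healthy is written against the output format of ipsec status so it can be reused as a monitoring check on either gateway.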

Final Thoughts

This guide provides a basic overview of IPsec VPNs and a step-by-step setup for site-to-site VPNs using Progressive Robot Cloud Servers. For more advanced configurations or assistance, contact Progressive Robot’s support team.

Email or chat with us for more details.

Stay secure and connected with Progressive Robot!
