Building a host-to-host VPN IPsec connection (Ubuntu 16.04)

Scenario

We own two machines running the Ubuntu MATE Server 16.04 operating system. Both belong to the same subnet behind a NAT network. We wish to encrypt the traffic between them, so that an adversary who has gained access to our network cannot inspect the communication between those two machines.

Let's call one machine ubuntu-red, with the assigned IP address 192.168.1.60/24. The other machine is called ubuntu-blue, with the assigned IP address 192.168.1.61/24.

Step 1

We have to install strongSwan and the IPsec tools on both machines. On Ubuntu this is done with the following command.

sudo apt-get install strongswan ipsec-tools

After the installation we should be able to check strongSwan by executing the following command.

sudo ipsec status

Step 2 – setting ubuntu-red

Edit the following files to set up the connection between the two machines. First we edit the ipsec.conf file, which holds the variables that shape the connection. We add the following lines at the end of the file, leaving the commented variables as they are.

sudo nano /etc/ipsec.conf

conn host-host
     authby=secret
     auto=route
     left=192.168.1.60
     right=192.168.1.61
     type=transport
     mobike=no
     keyexchange=ikev2

Step 3 – setting ubuntu-red

Edit the file that contains the secret of the connection. We set up the connection with a pre-shared key (PSK).

sudo nano /etc/ipsec.secrets

192.168.1.60 192.168.1.61 : PSK "secretpasswordhere"

Step 4 – setting ubuntu-blue

Edit the ipsec.conf file for the other side of the connection, ubuntu-blue. We add the following lines.

sudo nano /etc/ipsec.conf

conn host-host
     authby=secret
     auto=route
     left=192.168.1.61
     right=192.168.1.60
     type=transport
     mobike=no
     keyexchange=ikev2

Step 5 – setting ubuntu-blue

Edit the file that contains the secret of the connection on ubuntu-blue as well. The same pre-shared key (PSK) must be configured on both sides.

sudo nano /etc/ipsec.secrets

192.168.1.60 192.168.1.61 : PSK "secretpasswordhere"

Step 6 – starting the connection

After editing the files on each machine we restart the IPsec daemon with:

sudo ipsec restart

Then establish the connection by bringing up the host-host connection (the connection is named in the ipsec.conf file).

sudo ipsec up host-host

You can check the status of the connection by issuing the following command afterwards.

sudo ipsec status

The connection between the two machines is now encrypted and secured.
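To confirm that the kernel really holds an ESP transport-mode security association in both directions between ubuntu-red and ubuntu-blue (and not just an IKE session), the following script parses the output of ip xfrm state. This is an added verification script, not part of the original guide or of strongSwan; the sample xfrm output embedded in it is constructed, with placeholder SPIs and keys, and is only used when the live command is not available.

```shell
#!/bin/sh
# Checks that an ESP transport-mode SA exists for both traffic directions
# between the two hosts of the guide. Run as root on either host after
# "ipsec up host-host"; reading SAs needs CAP_NET_ADMIN.

RED=192.168.1.60
BLUE=192.168.1.61

# Constructed sample of "ip xfrm state" output (placeholder SPIs and keys),
# used only when the live command cannot be run on this machine.
SAMPLE_XFRM='src 192.168.1.60 dst 192.168.1.61
    proto esp spi 0x00000001 reqid 1 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xPLACEHOLDER 128
    enc cbc(aes) 0xPLACEHOLDER
src 192.168.1.61 dst 192.168.1.60
    proto esp spi 0x00000002 reqid 1 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xPLACEHOLDER 128
    enc cbc(aes) 0xPLACEHOLDER'

# has_esp_sa SRC DST  (xfrm output on stdin)
# Succeeds when a "src SRC dst DST" block carries an ESP transport-mode entry.
has_esp_sa() {
    awk -v s="$1" -v d="$2" '
        $1 == "src" { inblock = ($2 == s && $4 == d) }
        inblock && $1 == "proto" && $2 == "esp" && /mode transport/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_sa_pair  (xfrm output on stdin)
# Requires SAs in both directions; a one-way SA means traffic one way is still clear.
check_sa_pair() {
    text=$(cat)
    printf '%s\n' "$text" | has_esp_sa "$RED" "$BLUE" || { echo "missing ESP SA $RED -> $BLUE"; return 1; }
    printf '%s\n' "$text" | has_esp_sa "$BLUE" "$RED" || { echo "missing ESP SA $BLUE -> $RED"; return 1; }
    echo "ESP transport-mode SAs present in both directions"
}

# Stand-alone run: use the live kernel state when available, else the sample.
rc=0
if ip xfrm state >/dev/null 2>&1; then
    ip xfrm state | check_sa_pair || rc=$?
else
    printf '%s\n' "$SAMPLE_XFRM" | check_sa_pair || rc=$?
fi
```

On the real hosts, pair this with sudo ipsec statusall (IKE_SA and CHILD_SA should both be listed) and a packet capture filtered on ESP to see that no plaintext between the two addresses leaves the interface.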

Source: strongSwan host-to-host test example https://www.strongswan.org/testing/testresults/swanctl/host2host-cert/

strongSwan wiki introduction (host-to-host configurations): https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Host-to-Host-Configurations

Host-to-host VPN connection with ECDSA certificates: https://www.gypthecat.com/easyish-ipsec-vpn-with-shared-ecdsa-certificates-for-host-to-host-connections