
Kostenloses, selbst gehostetes Site-to-Site-VPN mit strongSwan (IPsec, IKEv2 mit Pre-Shared Key) zwischen zwei Linux-Gateways.

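# Install strongSwan (the charon IKE daemon plus the ipsec/starter tooling).
# Chain the two steps so a failed 'apt update' does not silently install from
# stale package lists. On Ubuntu 22.04 this pulls in strongswan-starter, whose
# systemd unit is "strongswan-starter" (there is no "strongswan.service").
sudo apt update && sudo apt install strongswan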

Beispiel

IPSec Site-to-site VPN

Standort  | öffentliche IP-Adresse | LAN
A (left)  | 1.1.1.1                | 192.168.1.0/24
B (right) | 2.2.2.2                | 192.168.2.0/24

(1.1.1.1 und 2.2.2.2 sind Platzhalter – hier die tatsächlichen öffentlichen Adressen der beiden Gateways eintragen; „left" ist in jeder Konfiguration die eigene Seite, „right" die Gegenstelle.)

Standort A

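# /etc/ipsec.conf  (site A)
#
# The connection below must mirror site B exactly: left/right swapped,
# identical ike=/esp= proposals, identical PSK. A mismatch in the proposal
# (cipher, DH group, IKE version) is the most common reason a tunnel stays down.

config setup
    # Level-2 logging for all subsystems is fine while bringing the tunnel up,
    # but noisy; lower it again (e.g. "ike 1, knl 1, cfg 0, net 1, esp 1, dmn 1, mgr 1")
    # once the tunnel works.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn site-to-site
    auto=start                  # load and initiate the tunnel when charon starts
    keyexchange=ikev2           # pin IKEv2; the default "ike" would still accept IKEv1 as responder
    authby=secret               # pre-shared key from /etc/ipsec.secrets
    left=1.1.1.1                # public IP of A (this gateway)
    leftsubnet=192.168.1.0/24   # internal network of A
    right=2.2.2.2               # public IP of B (the peer)
    rightsubnet=192.168.2.0/24  # internal network of B
    # DH group 14 (modp2048) instead of group 2 (modp1024): 1024-bit DH is
    # considered too weak for new deployments. The trailing "!" makes the
    # proposal strict, so nothing weaker is accepted from the peer.
    ike=aes256-sha256-modp2048!
    # A DH group in the ESP proposal gives the CHILD_SA perfect forward
    # secrecy on rekeying; the peer must list the same group.
    esp=aes256-sha256-modp2048!
    dpdaction=restart           # dead-peer detection: re-initiate when the peer stops answering
    dpddelay=30s
    dpdtimeout=120s             # only used by IKEv1; IKEv2 relies on its retransmission timeouts
# /etc/ipsec.secrets  (site A) — must be owned by root with mode 0600
# <local-ip> <remote-ip> : PSK <password>
# Replace the example value with a long random secret (e.g. `openssl rand -base64 32`)
# and put the identical value into site B's ipsec.secrets. Never reuse this example.
1.1.1.1 2.2.2.2 : PSK "EinStarkesPasswort123!"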

Standort B

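# /etc/ipsec.conf  (site B)
#
# Mirror image of site A: left/right swapped, identical ike=/esp= proposals,
# identical PSK. Any difference in the proposal (cipher, DH group, IKE version)
# keeps the tunnel from coming up.

config setup
    # Level-2 logging for all subsystems is fine while bringing the tunnel up,
    # but noisy; lower it again (e.g. "ike 1, knl 1, cfg 0, net 1, esp 1, dmn 1, mgr 1")
    # once the tunnel works.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn site-to-site
    auto=start                  # load and initiate the tunnel when charon starts
    keyexchange=ikev2           # pin IKEv2; the default "ike" would still accept IKEv1 as responder
    authby=secret               # pre-shared key from /etc/ipsec.secrets
    left=2.2.2.2                # public IP of B (this gateway)
    leftsubnet=192.168.2.0/24   # internal network of B
    right=1.1.1.1               # public IP of A (the peer)
    rightsubnet=192.168.1.0/24  # internal network of A
    # DH group 14 (modp2048) instead of group 2 (modp1024): 1024-bit DH is
    # considered too weak for new deployments. The trailing "!" makes the
    # proposal strict, so nothing weaker is accepted from the peer.
    ike=aes256-sha256-modp2048!
    # A DH group in the ESP proposal gives the CHILD_SA perfect forward
    # secrecy on rekeying; the peer must list the same group.
    esp=aes256-sha256-modp2048!
    dpdaction=restart           # dead-peer detection: re-initiate when the peer stops answering
    dpddelay=30s
    dpdtimeout=120s             # only used by IKEv1; IKEv2 relies on its retransmission timeouts
# /etc/ipsec.secrets  (site B) — must be owned by root with mode 0600
# <local-ip> <remote-ip> : PSK <password>
# Same secret as on site A; generate it once (e.g. `openssl rand -base64 32`)
# and never use the example value in production.
2.2.2.2 1.1.1.1 : PSK "EinStarkesPasswort123!"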

Auf beiden Standorten

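# --- Run on BOTH gateways. Only PEER_IP differs per site: on A it is B's
# --- public address (2.2.2.2), on B it is A's (1.1.1.1).
PEER_IP=2.2.2.2

# Enable IPv4 forwarding persistently. A drop-in under /etc/sysctl.d is
# idempotent; appending to /etc/sysctl.conf adds a duplicate line on every run.
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-ipsec-forward.conf
sudo sysctl --system

# The PSK file must be readable by root only.
sudo chown root:root /etc/ipsec.secrets
sudo chmod 0600 /etc/ipsec.secrets

# Firewall: accept IKE (500/udp) and NAT-T (4500/udp) from the peer only,
# not from the whole internet. ESP (IP protocol 50) carries the tunnel traffic
# when neither side is behind NAT and is NOT covered by the UDP rule.
sudo ufw allow proto udp from "$PEER_IP" to any port 500,4500
sudo ufw allow proto esp from "$PEER_IP" to any
# ufw's default forward policy is DROP; the decrypted LAN-to-LAN traffic is
# forwarded by this host and must be permitted explicitly in both directions.
sudo ufw route allow from 192.168.1.0/24 to 192.168.2.0/24
sudo ufw route allow from 192.168.2.0/24 to 192.168.1.0/24

# NAT exemption for tunnel traffic. Only relevant if this gateway also
# MASQUERADEs its LAN towards the internet: the exemption must sit BEFORE the
# MASQUERADE rule (-I, not -A), otherwise the source address is rewritten to
# the public IP and the packet no longer matches the IPsec policy.
# These rules are not persistent; keep them via iptables-persistent or
# ufw's /etc/ufw/before.rules.
sudo iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
sudo iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

# Ubuntu 22.04 ships no strongswan.service; the package installs
# strongswan-starter (the transcript below shows "Unit strongswan.service not found").
sudo systemctl restart strongswan-starter

# Verify: the SA must be ESTABLISHED and the "IKE proposal" line must match
# what ike=/esp= in ipsec.conf ask for (IKE version, cipher, DH group). In the
# transcript below IKEv1 with MODP_1024 was negotiated — check this line on
# your own setup.
sudo ipsec statusall
ip route
# Expect out/fwd/in policies for 192.168.1.0/24 <-> 192.168.2.0/24, mode tunnel.
ip xfrm policy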

Mitschnitt (Testlauf; die Adressen und Netze weichen vom Beispiel oben ab. Beachte in `ipsec statusall`: Ausgehandelt wurde IKEv1 mit MODP_1024, obwohl die Beispielkonfiguration `keyexchange=ikev2` setzt – IKE-Version und DH-Gruppe auf beiden Seiten prüfen. Die Tunnel-Policies in `ip xfrm policy` erscheinen hier erst nach erneutem Bearbeiten von ipsec.conf und Neustart von strongswan-starter.)

C:\Users\manuel.zarat>ssh root@176.103.220.16
The authenticity of host '176.103.220.16 (176.103.220.16)' can't be established.
ED25519 key fingerprint is SHA256:3zNch+1SSWrLC/ZO/wN0G+6MMxLweIzh3tWL1V106FM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '176.103.220.16' (ED25519) to the list of known hosts.
Enter passphrase for key 'C:\Users\manuel.zarat/.ssh/id_rsa':
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-139-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Fri May  9 01:42:22 PM CEST 2025

  System load:  0.92              Processes:             87
  Usage of /:   9.0% of 24.05GB   Users logged in:       0
  Memory usage: 9%                IPv4 address for eth0: 176.103.220.16
  Swap usage:   0%                IPv6 address for eth0: 2a10:fc81:9388:a08c::1


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~# sudo apt update
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@vm-fjqfnd2u:~# sudo apt install strongswan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libcharon-extauth-plugins libstrongswan libstrongswan-standard-plugins strongswan-charon strongswan-libcharon
  strongswan-starter
Suggested packages:
  libstrongswan-extra-plugins libcharon-extra-plugins
The following NEW packages will be installed:
  libcharon-extauth-plugins libstrongswan libstrongswan-standard-plugins strongswan strongswan-charon
  strongswan-libcharon strongswan-starter
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 959 kB of archives.
After this operation, 4,243 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libstrongswan amd64 5.9.5-2ubuntu2.3 [394 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-libcharon amd64 5.9.5-2ubuntu2.3 [266 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-charon amd64 5.9.5-2ubuntu2.3 [23.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-starter amd64 5.9.5-2ubuntu2.3 [156 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcharon-extauth-plugins amd64 5.9.5-2ubuntu2.3 [24.5 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libstrongswan-standard-plugins amd64 5.9.5-2ubuntu2.3 [76.6 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan all 5.9.5-2ubuntu2.3 [18.7 kB]
Fetched 959 kB in 1s (1,206 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libstrongswan.
(Reading database ... 93565 files and directories currently installed.)
Preparing to unpack .../0-libstrongswan_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking libstrongswan (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan-libcharon.
Preparing to unpack .../1-strongswan-libcharon_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking strongswan-libcharon (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan-charon.
Preparing to unpack .../2-strongswan-charon_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking strongswan-charon (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan-starter.
Preparing to unpack .../3-strongswan-starter_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking strongswan-starter (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package libcharon-extauth-plugins.
Preparing to unpack .../4-libcharon-extauth-plugins_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking libcharon-extauth-plugins (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package libstrongswan-standard-plugins.
Preparing to unpack .../5-libstrongswan-standard-plugins_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking libstrongswan-standard-plugins (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan.
Preparing to unpack .../6-strongswan_5.9.5-2ubuntu2.3_all.deb ...
Unpacking strongswan (5.9.5-2ubuntu2.3) ...
Setting up libstrongswan (5.9.5-2ubuntu2.3) ...
Setting up strongswan-libcharon (5.9.5-2ubuntu2.3) ...
Setting up libcharon-extauth-plugins (5.9.5-2ubuntu2.3) ...
Setting up strongswan-charon (5.9.5-2ubuntu2.3) ...
Setting up libstrongswan-standard-plugins (5.9.5-2ubuntu2.3) ...
Setting up strongswan-starter (5.9.5-2ubuntu2.3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/strongswan-starter.service → /lib/systemd/system/strongswan-starter.service.
Setting up strongswan (5.9.5-2ubuntu2.3) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~# nano /etc/ipsec.secrets
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan
Failed to restart strongswan.service: Unit strongswan.service not found.
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan
Failed to restart strongswan.service: Unit strongswan.service not found.
root@vm-fjqfnd2u:~# service strongswan start
Failed to start strongswan.service: Unit strongswan.service not found.
root@vm-fjqfnd2u:~# ^C
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter
root@vm-fjqfnd2u:~# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-139-generic, x86_64):
  uptime: 10 seconds, since May 09 13:52:17 2025
  malloc: sbrk 2105344, mmap 0, used 1226144, free 879200
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  176.103.220.16
  2a10:fc81:9388:a08c::1
Connections:
site-to-site:  176.103.220.16...213.33.126.194  IKEv1, dpddelay=30s
site-to-site:   local:  [176.103.220.16] uses pre-shared key authentication
site-to-site:   remote: [213.33.126.194] uses pre-shared key authentication
site-to-site:   child:  192.168.150.0/24 === 192.168.160.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
site-to-site[1]: ESTABLISHED 10 seconds ago, 176.103.220.16[176.103.220.16]...213.33.126.194[213.33.126.194]
site-to-site[1]: IKEv1 SPIs: 26f57177203d9634_i* 10720151977037b9_r, pre-shared key reauthentication in 2 hours
site-to-site[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
root@vm-fjqfnd2u:~# ip route
default via 176.103.220.1 dev eth0 proto static
176.103.220.0/23 dev eth0 proto kernel scope link src 176.103.220.16
root@vm-fjqfnd2u:~# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
root@vm-fjqfnd2u:~# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter
root@vm-fjqfnd2u:~# ip xfrm policy
src 192.168.150.0/24 dst 192.168.160.0/24
        dir out priority 375423
        tmpl src 176.103.220.16 dst 213.33.126.194
                proto esp spi 0x86d8f2b3 reqid 1 mode tunnel
src 192.168.160.0/24 dst 192.168.150.0/24
        dir fwd priority 375423
        tmpl src 213.33.126.194 dst 176.103.220.16
                proto esp reqid 1 mode tunnel
src 192.168.160.0/24 dst 192.168.150.0/24
        dir in priority 375423
        tmpl src 213.33.126.194 dst 176.103.220.16
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter^C
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~#
root@vm-fjqfnd2u:~# ip xfrm policy
src 192.168.150.0/24 dst 192.168.160.0/24
        dir out priority 375423
        tmpl src 176.103.220.16 dst 213.33.126.194
                proto esp spi 0x86d8f2b3 reqid 1 mode tunnel
src 192.168.160.0/24 dst 192.168.150.0/24
        dir fwd priority 375423
        tmpl src 213.33.126.194 dst 176.103.220.16
                proto esp reqid 1 mode tunnel
src 192.168.160.0/24 dst 192.168.150.0/24
        dir in priority 375423
        tmpl src 213.33.126.194 dst 176.103.220.16
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
root@vm-fjqfnd2u:~#