Free self-hosted site-to-site VPN.

```
sudo apt update
sudo apt install strongswan
```
IPSec Site-to-site VPN
Site | IP address | LAN |
---|---|---|
A (left) | 198.51.100.1 | 192.168.1.0/24 |
B (right) | 203.0.113.1 | 192.168.2.0/24 |
Site A

```
# /etc/ipsec.conf (site A)
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn site-to-site
    auto=start
    keyexchange=ikev2
    authby=secret
    # public IP of A
    left=198.51.100.1
    # internal network of A
    leftsubnet=192.168.1.0/24
    # public IP of B
    right=203.0.113.1
    # internal network of B
    rightsubnet=192.168.2.0/24
    # modp1024 (DH group 2) is considered weak today; modp2048 or an ECP group is preferable
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256!
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
```

```
# /etc/ipsec.secrets (site A)
198.51.100.1 203.0.113.1 : PSK "EinStarkesPasswort123!"
```
Site B

```
# /etc/ipsec.conf (site B)
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn site-to-site
    auto=start
    keyexchange=ikev2
    authby=secret
    # public IP of B
    left=203.0.113.1
    # internal network of B
    leftsubnet=192.168.2.0/24
    # public IP of A
    right=198.51.100.1
    # internal network of A
    rightsubnet=192.168.1.0/24
    # modp1024 (DH group 2) is considered weak today; modp2048 or an ECP group is preferable
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256!
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
```

```
# /etc/ipsec.secrets (site B), identical to site A: both IDs are on one line
198.51.100.1 203.0.113.1 : PSK "EinStarkesPasswort123!"
```
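The two site configurations above are mirror images of each other, and a typo in one `left`/`right` pair is the most common reason such a tunnel never comes up. The following script is an added example (not code from the original page) that derives both files from the same four values, checks that they mirror, and generates the PSK once instead of typing it in. Function names are this example's own; the addresses are the page's documentation values. It uses `modp2048` (DH group 14) in the IKE proposal instead of the page's `modp1024`, on the assumption that both peers support it (strongSwan does); because both files come from one generator, the proposal is guaranteed to match on both sides.

```shell
#!/bin/sh
# Added example, not part of the original page: derive both sites' strongSwan
# files from the same four values so that left/right and leftsubnet/rightsubnet
# cannot end up out of step, and generate the PSK once instead of typing it in.
# The function names are this example's own; the addresses are the page's
# documentation values. The IKE proposal uses modp2048 instead of the page's
# modp1024 (assumption: both peers support DH group 14, which strongSwan does).

# gen_ipsec_conf LOCAL_IP LOCAL_SUBNET REMOTE_IP REMOTE_SUBNET
# Prints a complete /etc/ipsec.conf for the site whose public IP is LOCAL_IP.
gen_ipsec_conf() {
    local_ip=$1 local_net=$2 remote_ip=$3 remote_net=$4
    cat <<EOF
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn site-to-site
    auto=start
    keyexchange=ikev2
    authby=secret
    left=$local_ip
    leftsubnet=$local_net
    right=$remote_ip
    rightsubnet=$remote_net
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
EOF
}

# gen_secrets LOCAL_IP REMOTE_IP PSK
# Prints the /etc/ipsec.secrets line. Both IDs sit on one line, so the very
# same line is valid on both sites.
gen_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# new_psk: 40 random alphanumeric characters (about 238 bits of entropy),
# no quotes or spaces, so it is safe inside the double-quoted PSK field.
new_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 40
}

# The two sites from the page's table: identical arguments, swapped.
site_a_conf() { gen_ipsec_conf 198.51.100.1 192.168.1.0/24 203.0.113.1 192.168.2.0/24; }
site_b_conf() { gen_ipsec_conf 203.0.113.1 192.168.2.0/24 198.51.100.1 192.168.1.0/24; }

# conf_value CONF_TEXT KEY: extract the value of "KEY=value" from a generated config.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^ *$2=//p"
}

# check_mirror: succeed only if A's left/leftsubnet equal B's right/rightsubnet
# and vice versa, i.e. the two configs describe the same tunnel.
check_mirror() {
    a=$(site_a_conf); b=$(site_b_conf)
    [ "$(conf_value "$a" left)" = "$(conf_value "$b" right)" ] &&
    [ "$(conf_value "$a" leftsubnet)" = "$(conf_value "$b" rightsubnet)" ] &&
    [ "$(conf_value "$a" right)" = "$(conf_value "$b" left)" ] &&
    [ "$(conf_value "$a" rightsubnet)" = "$(conf_value "$b" leftsubnet)" ]
}

# Usage on site A (site B: site_b_conf, same secrets line, same PSK):
#   site_a_conf > /etc/ipsec.conf
#   gen_secrets 198.51.100.1 203.0.113.1 "$(new_psk)" > /etc/ipsec.secrets
#   chmod 600 /etc/ipsec.secrets
check_mirror && echo "site A and site B configs are mirrors of each other"
```

Generate the PSK on one host only and copy the resulting `ipsec.secrets` line to the other site over an existing authenticated channel (the SSH session used for the rest of the setup is fine); keep the file mode `600`, since anyone who can read it can impersonate either peer.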
On both sites

```
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

```
# firewall: allow IKE (500/udp) and NAT-T (4500/udp) from the peer
sudo ufw allow 500,4500/udp
# only if this host also masquerades its LAN: exempt tunnel traffic from NAT
# (must come before the MASQUERADE rule in nat/POSTROUTING; on site B swap the two subnets)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
```

```
sudo systemctl restart strongswan   # Nope: there is no strongswan.service on Ubuntu 22.04
sudo systemctl restart strongswan-starter
sudo ipsec statusall
ip route
ip xfrm policy
```
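`ip xfrm policy` is the most reliable of these checks: a tunnel that is "ESTABLISHED" in `ipsec statusall` but has no `dir out`/`dir in`/`dir fwd` policies for the two subnets will silently drop or leak traffic. The script below is an added example (not from the original page) that parses `ip xfrm policy` output and confirms all three policies exist for a subnet pair; `SAMPLE_POLICY` is a constructed imitation of the real output for the page's site A, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: check the kernel's IPsec policy
# database for the three policies a working strongSwan site-to-site tunnel
# installs (out, in, fwd) for the configured subnet pair.
# Function names are this example's own; SAMPLE_POLICY is a constructed
# imitation of `ip xfrm policy` output for the page's site A.

SAMPLE_POLICY='src 192.168.1.0/24 dst 192.168.2.0/24
	dir out priority 375423
	tmpl src 198.51.100.1 dst 203.0.113.1
		proto esp spi 0x86d8f2b3 reqid 1 mode tunnel
src 192.168.2.0/24 dst 192.168.1.0/24
	dir fwd priority 375423
	tmpl src 203.0.113.1 dst 198.51.100.1
		proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 192.168.1.0/24
	dir in priority 375423
	tmpl src 203.0.113.1 dst 198.51.100.1
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0'

# policy_dirs LOCAL_NET REMOTE_NET  (reads `ip xfrm policy` text on stdin)
# Prints the directions (out, in, fwd) found for the subnet pair, one per line,
# sorted and deduplicated. Only policies whose template is ESP in tunnel mode
# count; the "socket" entries the kernel always lists are ignored.
policy_dirs() {
    awk -v lnet="$1" -v rnet="$2" '
        /^src / { src = $2; dst = $4; next }
        $1 == "dir" {
            d = $2
            # out: local -> remote; in and fwd: remote -> local
            if ((d == "out" && src == lnet && dst == rnet) ||
                ((d == "in" || d == "fwd") && src == rnet && dst == lnet))
                want = d
            else
                want = ""
            next
        }
        want != "" && /proto esp/ && /mode tunnel/ { print want; want = "" }
    ' | sort -u
}

# tunnel_policies_ok LOCAL_NET REMOTE_NET: exit 0 only if out, in and fwd are
# all present; otherwise report the missing directions on stderr and exit 1.
tunnel_policies_ok() {
    found=$(policy_dirs "$1" "$2" | tr '\n' ' ')
    missing=""
    for d in out in fwd; do
        case " $found " in
            *" $d "*) ;;
            *) missing="$missing $d" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing xfrm policies for $1 <-> $2:$missing" >&2
        return 1
    fi
    return 0
}

# Live usage on site A:  ip xfrm policy | tunnel_policies_ok 192.168.1.0/24 192.168.2.0/24
printf '%s\n' "$SAMPLE_POLICY" | tunnel_policies_ok 192.168.1.0/24 192.168.2.0/24 &&
    echo "all three tunnel policies present"
```

Before `strongswan-starter` is (re)started the policy database holds only the `socket` entries, and the check fails with all three directions listed as missing; after a successful start it passes. Running it on site B with the two subnets swapped checks that side.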
```
C:\Users\manuel.zarat>ssh root@176.103.220.16
The authenticity of host '176.103.220.16 (176.103.220.16)' can't be established.
ED25519 key fingerprint is SHA256:3zNch+1SSWrLC/ZO/wN0G+6MMxLweIzh3tWL1V106FM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '176.103.220.16' (ED25519) to the list of known hosts.
Enter passphrase for key 'C:\Users\manuel.zarat/.ssh/id_rsa':
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-139-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Fri May  9 01:42:22 PM CEST 2025

  System load:  0.92              Processes:             87
  Usage of /:   9.0% of 24.05GB   Users logged in:       0
  Memory usage: 9%                IPv4 address for eth0: 176.103.220.16
  Swap usage:   0%                IPv6 address for eth0: 2a10:fc81:9388:a08c::1

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@vm-fjqfnd2u:~# sudo apt update
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@vm-fjqfnd2u:~# sudo apt install strongswan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libcharon-extauth-plugins libstrongswan libstrongswan-standard-plugins strongswan-charon strongswan-libcharon strongswan-starter
Suggested packages:
  libstrongswan-extra-plugins libcharon-extra-plugins
The following NEW packages will be installed:
  libcharon-extauth-plugins libstrongswan libstrongswan-standard-plugins strongswan strongswan-charon strongswan-libcharon strongswan-starter
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 959 kB of archives.
After this operation, 4,243 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libstrongswan amd64 5.9.5-2ubuntu2.3 [394 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-libcharon amd64 5.9.5-2ubuntu2.3 [266 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-charon amd64 5.9.5-2ubuntu2.3 [23.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan-starter amd64 5.9.5-2ubuntu2.3 [156 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcharon-extauth-plugins amd64 5.9.5-2ubuntu2.3 [24.5 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libstrongswan-standard-plugins amd64 5.9.5-2ubuntu2.3 [76.6 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 strongswan all 5.9.5-2ubuntu2.3 [18.7 kB]
Fetched 959 kB in 1s (1,206 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libstrongswan.
(Reading database ... 93565 files and directories currently installed.)
Preparing to unpack .../0-libstrongswan_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking libstrongswan (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan-libcharon.
Preparing to unpack .../1-strongswan-libcharon_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking strongswan-libcharon (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan-charon.
Preparing to unpack .../2-strongswan-charon_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking strongswan-charon (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan-starter.
Preparing to unpack .../3-strongswan-starter_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking strongswan-starter (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package libcharon-extauth-plugins.
Preparing to unpack .../4-libcharon-extauth-plugins_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking libcharon-extauth-plugins (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package libstrongswan-standard-plugins.
Preparing to unpack .../5-libstrongswan-standard-plugins_5.9.5-2ubuntu2.3_amd64.deb ...
Unpacking libstrongswan-standard-plugins (5.9.5-2ubuntu2.3) ...
Selecting previously unselected package strongswan.
Preparing to unpack .../6-strongswan_5.9.5-2ubuntu2.3_all.deb ...
Unpacking strongswan (5.9.5-2ubuntu2.3) ...
Setting up libstrongswan (5.9.5-2ubuntu2.3) ...
Setting up strongswan-libcharon (5.9.5-2ubuntu2.3) ...
Setting up libcharon-extauth-plugins (5.9.5-2ubuntu2.3) ...
Setting up strongswan-charon (5.9.5-2ubuntu2.3) ...
Setting up libstrongswan-standard-plugins (5.9.5-2ubuntu2.3) ...
Setting up strongswan-starter (5.9.5-2ubuntu2.3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/strongswan-starter.service → /lib/systemd/system/strongswan-starter.service.
Setting up strongswan (5.9.5-2ubuntu2.3) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
root@vm-fjqfnd2u:~# nano /etc/ipsec.secrets
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan
Failed to restart strongswan.service: Unit strongswan.service not found.
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan
Failed to restart strongswan.service: Unit strongswan.service not found.
root@vm-fjqfnd2u:~# service strongswan start
Failed to start strongswan.service: Unit strongswan.service not found.
root@vm-fjqfnd2u:~# ^C
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter
root@vm-fjqfnd2u:~# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-139-generic, x86_64):
  uptime: 10 seconds, since May 09 13:52:17 2025
  malloc: sbrk 2105344, mmap 0, used 1226144, free 879200
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  176.103.220.16
  2a10:fc81:9388:a08c::1
Connections:
site-to-site:  176.103.220.16...213.33.126.194  IKEv1, dpddelay=30s
site-to-site:   local:  [176.103.220.16] uses pre-shared key authentication
site-to-site:   remote: [213.33.126.194] uses pre-shared key authentication
site-to-site:   child:  192.168.150.0/24 === 192.168.160.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
site-to-site[1]: ESTABLISHED 10 seconds ago, 176.103.220.16[176.103.220.16]...213.33.126.194[213.33.126.194]
site-to-site[1]: IKEv1 SPIs: 26f57177203d9634_i* 10720151977037b9_r, pre-shared key reauthentication in 2 hours
site-to-site[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
root@vm-fjqfnd2u:~# ip route
default via 176.103.220.1 dev eth0 proto static
176.103.220.0/23 dev eth0 proto kernel scope link src 176.103.220.16
root@vm-fjqfnd2u:~# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
root@vm-fjqfnd2u:~# nano /etc/ipsec.conf
root@vm-fjqfnd2u:~# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter
root@vm-fjqfnd2u:~# ip xfrm policy
src 192.168.150.0/24 dst 192.168.160.0/24
	dir out priority 375423
	tmpl src 176.103.220.16 dst 213.33.126.194
		proto esp spi 0x86d8f2b3 reqid 1 mode tunnel
src 192.168.160.0/24 dst 192.168.150.0/24
	dir fwd priority 375423
	tmpl src 213.33.126.194 dst 176.103.220.16
		proto esp reqid 1 mode tunnel
src 192.168.160.0/24 dst 192.168.150.0/24
	dir in priority 375423
	tmpl src 213.33.126.194 dst 176.103.220.16
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
root@vm-fjqfnd2u:~# sudo systemctl restart strongswan-starter^C
root@vm-fjqfnd2u:~#
```