In this tutorial we will set up a site-to-site IPsec VPN using
The Scenario:
Here we will be establishing an IPsec VPN tunnel between two sites, a data center at Site1 and a data center at Site2, so that each side can reach the other's internal ranges over the tunnel.
In a non-Nobus scenario this could be two networks connected over the internet, for example office-to-datacenter connectivity between cities, like a server network in Lagos and an office network in Abuja.
Our Network Environment:
Allocation Pool: 172.16.1.100
Data center (Site1):
  Private CIDR: 10.10.10.0/24
  Host only: 10.10.10.2
  NAT IP: 172.16.62.5
Data center (Site2):
  Private CIDR: 10.20.40.0/24
  Host only: 10.20.40.2
  NAT IP: 172.16.62.3
The Setup:
We will be using the CentOS Linux distribution for our setup.
Run the following as root on each gateway (ifconfig is only there to look up the interface addresses; ip addr does the same on newer systems):
# ifconfig
# systemctl stop firewalld
# vim /etc/selinux/config
> SELINUX=permissive
# iptables -F
# iptables -X
# echo 1 > /proc/sys/net/ipv4/ip_forward
# vi /etc/sysctl.conf
> net.ipv4.ip_forward = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
# sysctl -p
# systemctl restart network.service
Stopping firewalld and flushing iptables leaves the gateway with no packet filter at all, which is only acceptable in an isolated lab. Anywhere else, keep the firewall and allow just IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) from the peer. The SELinux change only takes effect after a reboot; CentOS ships Libreswan with its own SELinux policy module, so try enforcing mode first and relax it only if the audit log shows denials for pluto. The echo into /proc turns forwarding on immediately, and the sysctl.conf entries make it persistent across reboots.
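As an added example (not from the tutorial), the script below does the same host preparation in a form that can be rerun safely: it persists the kernel settings as a sysctl.d drop-in, compares the live values with what Libreswan's ipsec verify expects, and opens only the IPsec ports instead of stopping firewalld. The drop-in name, the optional PROC_ROOT argument (a fake /proc tree so the check can run unprivileged) and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not part of the tutorial): prepare the host for Libreswan
# without stopping firewalld. The drop-in path and the PROC_ROOT argument
# (a fake /proc tree for unprivileged checks) are assumptions.
set -eu

# Kernel settings Libreswan's `ipsec verify` checks for: forwarding on,
# ICMP redirects off, and reverse-path filtering off.
wanted_params() {
    printf '%s\n' \
        net.ipv4.ip_forward=1 \
        net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.all.rp_filter=0 \
        net.ipv4.conf.default.rp_filter=0
}

# write_sysctl_dropin DIR: persist the settings as DIR/99-ipsec.conf
# (a sysctl.d drop-in rather than an edit to /etc/sysctl.conf).
write_sysctl_dropin() {
    mkdir -p "$1"
    wanted_params > "$1/99-ipsec.conf"
    echo "$1/99-ipsec.conf"
}

# check_kernel_params [PROC_ROOT]: compare the running values with the
# wanted ones. Prints each mismatch; returns 1 if any, 0 when all match.
check_kernel_params() {
    root=${1:-}
    rc=0
    for line in $(wanted_params); do
        key=${line%%=*}; want=${line#*=}
        path="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
        have=$(cat "$path" 2>/dev/null || echo missing)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have=$have want=$want"
            rc=1
        fi
    done
    return $rc
}

# Firewall rules that replace `systemctl stop firewalld` / `iptables -F`:
# only IKE (udp/500), NAT-T (udp/4500) and ESP (IP protocol 50) are needed
# for the tunnel itself. firewalld's built-in "ipsec" service covers them.
firewall_commands() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        printf '%s\n' \
            'firewall-cmd --permanent --add-service=ipsec' \
            'firewall-cmd --reload'
    else
        printf '%s\n' \
            'iptables -A INPUT -p udp --dport 500 -j ACCEPT' \
            'iptables -A INPUT -p udp --dport 4500 -j ACCEPT' \
            'iptables -A INPUT -p esp -j ACCEPT'
    fi
}

# Usage: sh prep-host.sh check   (report mismatches against the live kernel)
#        sh prep-host.sh apply   (write the drop-in, load it, open the firewall)
# Without an argument the script only defines the functions.
case "${1:-}" in
    check) check_kernel_params ;;
    apply) write_sysctl_dropin /etc/sysctl.d >/dev/null
           sysctl --system >/dev/null
           firewall_commands | sh
           check_kernel_params ;;
esac
```

The check reads the same /proc/sys entries that ipsec verify inspects, so a non-zero exit from `check` points at the exact key that still needs fixing rather than a generic failure.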
Generate a strong preshared key with openssl and copy the same value to both sites; it goes in the PSK field of the secrets file:
# openssl rand -base64 384
384 bytes is far more entropy than needed, and openssl wraps the base64 output into 64-character lines, which the secrets file will not accept as one key. 32 to 48 bytes (openssl rand -base64 48) gives a single-line key that is still far beyond brute force.
Edit the configuration:
# sudo vi /etc/ipsec.conf
conn yoursubnet
    also=yourtunnel
    rightsubnet=10.20.40.0/24
    leftsubnet=10.10.10.0/24
    auto=start
conn yourtunnel
    type=tunnel
    right=172.16.62.3
    left=172.16.62.5
    authby=secret
Parameters under a conn must be indented; an unindented line starts a new section. The yoursubnet conn pulls the endpoint settings in from yourtunnel through also=, so a further subnet pair can reuse the same gateways and secret by adding another conn with the same also= line.
Add the secret. The two IPs index the entry, the space before the colon is required, and the file should be readable by root only (mode 600):
# sudo vi /etc/ipsec.secrets
> 172.16.62.5 172.16.62.3 : PSK "YourSecretValue"
# sudo systemctl restart ipsec.service
# sudo systemctl status ipsec.service
Validate the configuration file and confirm that pluto is listening on UDP 500 and 4500:
# /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
# netstat -tulpen
Repeat the same steps on Site2 with the identical /etc/ipsec.conf and secrets line. Libreswan treats left and right symmetrically and works out which end it is running on by matching its own addresses, so the file does not need to be mirrored. Once both sides are up the tunnel should be established, and hosts in one private range should reach the other over it.
As an alternative, you can put each site-to-site connection in its own file under /etc/ipsec.d. Make sure the include line at the end of /etc/ipsec.conf is uncommented, as that is where the custom configuration is picked up from:
# sudo vi /etc/ipsec.conf ( IPsec Configuration )
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
include /etc/ipsec.d/*.conf
On recent Libreswan releases nat_traversal= and oe= are obsolete keywords (NAT traversal is always on, and opportunistic encryption is off unless configured) and protostack=netkey is the Linux default, so pluto may log a warning for them; the include line is the part that matters.
Config: Site1 to Site2
Our first configuration will be on our Site1 instance:
# sudo vi /etc/ipsec.d/Site1-to-Site2.conf
Note: with left=%defaultroute, left resolves to the address on this host's default route, so left is always the side you are logged on to. Libreswan itself does not care which end is called left; it determines which side it is running on from the addresses.
conn Site1-to-Site2
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=172.16.62.5
    leftnexthop=%defaultroute
    leftsubnet=10.10.10.0/24
    right=172.16.62.3
    rightsubnet=10.20.40.0/24
    pfs=yes
    auto=start
Create the secrets file (the packaged /etc/ipsec.secrets already includes /etc/ipsec.d/*.secrets):
# sudo vi /etc/ipsec.d/Site1-to-Site2.secrets
The line holds the left IP, the right IP, the keyword PSK and the shared secret, with a space on each side of the colon; keep the file readable by root only (mode 600):
172.16.62.5 172.16.62.3 : PSK "YourSecretValue"
Config: Site2 to Site1
Our second configuration will be on our Site2 instance:
# sudo vi /etc/ipsec.d/Site2-to-Site1.conf
conn Site2-to-Site1
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=172.16.62.3
    leftnexthop=%defaultroute
    leftsubnet=10.20.40.0/24
    right=172.16.62.5
    rightsubnet=10.10.10.0/24
    pfs=yes
    auto=start
Create the secrets file:
# sudo vi /etc/ipsec.d/Site2-to-Site1.secrets
Again the left IP, the right IP, the keyword PSK and the same shared secret as on Site1, with a space before the colon:
172.16.62.3 172.16.62.5 : PSK "YourSecretValue"
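The two per-site files above (Site1-to-Site2 and Site2-to-Site1, and equally the single-file variant earlier) are mirror images of each other, and a typo in one subnet, a different secret on each end or a missing space before the colon in a secrets line is the usual reason a tunnel never comes up. The script below is an added example, not part of this tutorial: it renders both sites' conf and secrets files from one description of the tunnel and checks that they mirror each other before anything is copied to /etc/ipsec.d. The addresses are the tutorial's; the output directory, the generated PSK length and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not part of the tutorial): render both sites' Libreswan
# files from one description of the tunnel, then check that the two sets
# mirror each other before deploying. Addresses are the tutorial's; the
# output directory and function names are assumptions.
set -eu

SITE1_IP=172.16.62.5; SITE1_NET=10.10.10.0/24
SITE2_IP=172.16.62.3; SITE2_NET=10.20.40.0/24

# render_site NAME LOCAL_IP LOCAL_NET REMOTE_IP REMOTE_NET PSK OUTDIR
# Writes OUTDIR/NAME.conf and OUTDIR/NAME.secrets. Lines under "conn" are
# indented because an unindented line would start a new section.
render_site() {
    name=$1; lip=$2; lnet=$3; rip=$4; rnet=$5; psk=$6; out=$7
    mkdir -p "$out"
    cat > "$out/$name.conf" <<EOF
conn $name
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=$lip
    leftnexthop=%defaultroute
    leftsubnet=$lnet
    right=$rip
    rightsubnet=$rnet
    pfs=yes
    auto=start
EOF
    # Secrets: both IPs as the index, a space before the colon, the key in
    # double quotes, and the file readable by root only.
    printf '%s %s : PSK "%s"\n' "$lip" "$rip" "$psk" > "$out/$name.secrets"
    chmod 600 "$out/$name.secrets"
}

# conf_get FILE KEY: print the value of KEY= in a rendered conf.
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1"; }

# psk_of SECRETS: the quoted PSK; psk_index SECRETS: the two index IPs, sorted.
psk_of()    { sed -n 's/^.* : PSK //p' "$1"; }
psk_index() { sed 's/ : PSK .*//' "$1" | tr ' ' '\n' | sort | tr '\n' ' '; }

# check_mirror A.conf B.conf: every left* value on one side must equal the
# matching right* value on the other, and the secrets must agree. Prints
# the first disagreement and returns 1; returns 0 when the pair is consistent.
check_mirror() {
    a=$1; b=$2
    for pair in leftid:right leftsubnet:rightsubnet right:leftid rightsubnet:leftsubnet; do
        ka=${pair%%:*}; kb=${pair#*:}
        va=$(conf_get "$a" "$ka"); vb=$(conf_get "$b" "$kb")
        if [ "$va" != "$vb" ]; then
            echo "mismatch: $a $ka=$va but $b $kb=$vb"; return 1
        fi
    done
    sa=${a%.conf}.secrets; sb=${b%.conf}.secrets
    if [ "$(psk_of "$sa")" != "$(psk_of "$sb")" ]; then
        echo "mismatch: PSK differs between $sa and $sb"; return 1
    fi
    if [ "$(psk_index "$sa")" != "$(psk_index "$sb")" ]; then
        echo "mismatch: secrets are indexed on different IPs"; return 1
    fi
    echo "ok: $a and $b mirror each other"
}

# Usage: sh render-sites.sh OUTDIR  -> OUTDIR/Site1-to-Site2.* and Site2-to-Site1.*
# Copy each pair to /etc/ipsec.d/ on its own site. The PSK is generated once
# here (48 random bytes, a single base64 line) so both ends get the same value.
if [ -n "${1:-}" ]; then
    PSK=$(openssl rand -base64 48)
    render_site Site1-to-Site2 "$SITE1_IP" "$SITE1_NET" "$SITE2_IP" "$SITE2_NET" "$PSK" "$1"
    render_site Site2-to-Site1 "$SITE2_IP" "$SITE2_NET" "$SITE1_IP" "$SITE1_NET" "$PSK" "$1"
    check_mirror "$1/Site1-to-Site2.conf" "$1/Site2-to-Site1.conf"
fi
```

The mirror check is deliberately strict about the secrets line as well as the conn: Libreswan selects the PSK by the IP index, so two files that differ only in one index address will load cleanly on each side and still fail authentication.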
Start the Services:
On both NAT instances, perform the following:
# sudo service ipsec restart
Set kernel parameters (skip this if you already set them during host preparation):
# sudo vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Load the kernel parameters:
# sudo sysctl -p
Restart your network configuration:
# sudo service network restart
VPN Status Checks:
Check that the host meets Libreswan's requirements (kernel IPsec support, forwarding, rp_filter and ICMP redirect settings):
# sudo ipsec verify
Check the status of the service and the VPN tunnels:
# sudo service ipsec status
The output of ipsec status lists every conn; the tunnel is up once the conn's line reads "IPsec SA established". You should now be able to reach the other private network over the tunnel. Test from the host-only addresses (10.10.10.2 to 10.20.40.2) rather than from the gateways' NAT IPs, since only traffic matching leftsubnet and rightsubnet is sent through the tunnel, and a ping sourced from the NAT IP itself will not be.
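Beyond the service being running, the tunnel is only usable when pluto reports an IPsec SA for the conn and the kernel holds XFRM policies for the two subnets in both directions. The script below is an added example, not part of the tutorial: it checks captured ipsec status and ip xfrm policy output for exactly that. The sample outputs inside it are constructed to follow the shape of Libreswan 3.x and iproute2 output; the function names are assumptions.

```sh
#!/bin/sh
# Added example (not part of the tutorial): confirm a tunnel is really up by
# checking `ipsec status` for an established IPsec SA and `ip xfrm policy` for
# the expected subnet pair. The sample outputs below are constructed to match
# the shape of Libreswan's and iproute2's output; function names are assumptions.
set -eu

# sa_established STATUS_FILE CONN: 0 if the conn has an IPsec SA (phase 2) up.
# An "ISAKMP SA established" line alone means only phase 1 completed.
sa_established() {
    grep -q "\"$2\".*IPsec SA established" "$1"
}

# policy_covers POLICY_FILE SRC_NET DST_NET DIR: 0 if `ip xfrm policy` has a
# policy from SRC_NET to DST_NET in direction DIR (out, in or fwd).
policy_covers() {
    awk -v s="$2" -v d="$3" -v dir="$4" '
        /^src /          { src = $2; dst = $4; next }
        /^[ \t]*dir /    { if (src == s && dst == d && $2 == dir) found = 1 }
        END              { exit found ? 0 : 1 }' "$1"
}

# verify_tunnel CONN LOCAL_NET REMOTE_NET STATUS_FILE POLICY_FILE
# Capture the live output first, e.g.:
#   ipsec status > /tmp/status; ip xfrm policy > /tmp/policy
#   verify_tunnel Site1-to-Site2 10.10.10.0/24 10.20.40.0/24 /tmp/status /tmp/policy
verify_tunnel() {
    conn=$1; lnet=$2; rnet=$3; st=$4; pol=$5
    sa_established "$st" "$conn"             || { echo "FAIL: no IPsec SA for $conn"; return 1; }
    policy_covers "$pol" "$lnet" "$rnet" out || { echo "FAIL: no out policy $lnet -> $rnet"; return 1; }
    policy_covers "$pol" "$rnet" "$lnet" in  || { echo "FAIL: no in policy $rnet -> $lnet"; return 1; }
    echo "OK: $conn established, $lnet <-> $rnet protected"
}

# Constructed sample of `ipsec status` for an up tunnel (Libreswan 3.x style).
sample_status() {
    cat <<'EOF'
000 "Site1-to-Site2": 10.10.10.0/24===172.16.62.5<172.16.62.5>...172.16.62.3<172.16.62.3>===10.20.40.0/24; erouted; eroute owner: #2
000 #1: "Site1-to-Site2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2564s; newest ISAKMP; idle; import:admin initiate
000 #2: "Site1-to-Site2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27563s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
EOF
}

# Constructed sample of `ip xfrm policy` for the same tunnel.
sample_policy() {
    cat <<'EOF'
src 10.10.10.0/24 dst 10.20.40.0/24
    dir out priority 2080 ptype main
    tmpl src 172.16.62.5 dst 172.16.62.3
        proto esp reqid 16385 mode tunnel
src 10.20.40.0/24 dst 10.10.10.0/24
    dir fwd priority 2080 ptype main
    tmpl src 172.16.62.3 dst 172.16.62.5
        proto esp reqid 16385 mode tunnel
src 10.20.40.0/24 dst 10.10.10.0/24
    dir in priority 2080 ptype main
    tmpl src 172.16.62.3 dst 172.16.62.5
        proto esp reqid 16385 mode tunnel
EOF
}

# Usage: sh check-tunnel.sh demo   (runs the checks against the samples above)
if [ "${1:-}" = "demo" ]; then
    st=$(mktemp); pol=$(mktemp)
    sample_status > "$st"; sample_policy > "$pol"
    verify_tunnel Site1-to-Site2 10.10.10.0/24 10.20.40.0/24 "$st" "$pol"
    rm -f "$st" "$pol"
fi
```

Checking the XFRM policies separately from pluto's view catches the case where IKE negotiated fine but the kernel policy does not match the subnets you expect, which is what happens when leftsubnet or rightsubnet is wrong on one end.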