:::: MENU ::::

How to setup an IPSec tunnel with Strongswan with high-availability on Linux

  • Feb 27 / 2015
  • 0

How to setup an IPSec tunnel with Strongswan with high-availability on Linux

It is possible to secure your communication between several sites (datacenters for example) by using an open-source VPN IPSec on your Linux System. We will see here how to:

  1. Set-up a VPN IPSec on Linux with Strongswan (https://www.strongswan.org)
  2. Set-up a high availability mechanism on top of this VPN connection to ensure the link will always be up with KeepAlived (http://www.keepalived.org/)


Here is the architecture example I will use in this post.

  • – – – represents a local link
  • === represents a VPN link

VPN Installation

First of all, install the package strongswan using the package manager you used to, or by compiling it from sources. In the same time, install the keepalived package to be able to set it highly available at the end of this post.

This will install the packages and the libraries needed to make them work.


First thing to do will be to generate certificates used for the encryption of communication within the VPN. This can be done in two ways:

CA Certificate

Once the packages are properly installed, we will have to create the different certificates that we will use to encrypt our connection between peers. For the example we will be using self-signed certificate here. The first certificate to generate wil be the CA certificate with which one we will sign any certificate we want to use in the VPN network.

Generate a 2048 bit RSA private key (caKey.der) for the CA certificate (caCert.der) and self-sign it with this key:

End Entity Certificate

For each peer (i.e. each gateway), a private key (peerKey.der) and a certificate (peerCert.der) will have to be generated using the CA previously created:

Install certificates

On each peer, store the following certficates and private keys in /etc/ipsec.d/ subdirectory as:

  • /etc/ipsec.d/private/peerKey.der for the private key of the peer
  • /etc/ipsec.d/certs/peerCert.der for the certificate of the peer
  • /etc/ipsec.d/cacerts/caCert.der for the CA certificate that signed the certificates

The CA private key (caKey.der) should never be stored on a server directly reachable from the Internet and be kept safe.

IPSec configuration

To configure IPSec, you will have to configure two files:

  • /etc/ipsec.conf for the configuration of your tunnels
  • /etc/ipsec.secrets for the configuration of your keys and/or PSK (pre-shared keys)

If you use certificate for your connection, here is what your configuration should look like:

If instead of using certificates you prefered to use Pre-Shared Key (as you will have to if you want to connect to AWS VPN Services), here are how should be configured both files:

IPsec commands and monitoring

First of all, each time you are changing part of the configuration, it’s strongly advised to reload configuration by doing:

Once this done, you can easily up/down a configuration by using:

A last command very useful is “statusall” that allows you to check and monitor VPN links:

High availability configuration

So that your VPN can be highly available, you will need to configure keepalived that you just installed at the beginning. You will have to configure it on both sides by using a virtual IP and a script to automate the restart on both nodes depending on the state of the cluster (option “notify”).

Here is the configuration for the master server:

The configuration for the slave (backup) server is almost similar but state and priority are changing:

And here is the script notifyipsec.sh for the “notify” option:

Now you can restart both services and your IPSec VPN inter-site is ready with a high-availability mechanism enabled!!

Obviously, you will have to do the same on the other node if you want your VPN to work properly, by reversing configuration.

Comments are closed.

Question ? Contact