# StrongSwan VPN Verification Guide

This guide helps verify that an IPsec VPN tunnel using StrongSwan is properly established between the following machines, provisioned via Terraform and configured with cloud-init:

- `machine01` → IP: `10.1.1.10`
- `machine02` → IP: `10.2.2.10`

The VPN uses IKEv2 and a Pre-Shared Key (PSK) to create a site-to-site tunnel automatically on boot.

---

## 1. Check the StrongSwan Service

SSH into both machines:

```sh
# the address of the machine to log into goes after the @
ssh -i ~/.ssh/id_rsa debian@
```

Once logged in on each peer, run:

```sh
sudo ipsec statusall
```

You should see output like the following:

```
Status of IKE charon daemon (strongSwan 5.9.8, Linux ...):
  uptime: ...
  worker threads: ...
Connections:
     net-net:  10.1.1.10...10.2.2.10  IKEv2, dpddelay=30s
     net-net:   local:  [10.1.1.10] uses pre-shared key authentication
     net-net:   remote: [10.2.2.10] uses pre-shared key authentication
     net-net:   child:  10.1.1.0/24 === 10.2.2.0/24 TUNNEL
Security Associations (SAs) (0 up, 0 connecting):
  none
```

At this point the configuration is loaded, but the tunnel might not be up yet.

---

## 2. Bring Up and Verify the VPN Tunnel

If the VPN does not connect automatically, you can initiate it manually from either peer:

```sh
sudo ipsec up net-net
```

Then recheck the status:

```sh
sudo ipsec statusall
```

You should see something like:

```
Connections:
     net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...10.2.2.10
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ...
     net-net{1}:   10.1.1.0/24 === 10.2.2.0/24
```

✅ Look for the following:

- `ESTABLISHED` — the IKE_SA is active.
- Correct subnets on either side of `===`, e.g., `10.1.1.0/24 === 10.2.2.0/24`.

---

## 🧪 3. Test Connectivity Through the VPN

Ping from one internal IP to the other (inside each VM):

```sh
# On machine01
ping 10.2.2.10

# On machine02
ping 10.1.1.10
```

Expect replies; because both addresses fall inside the `10.1.1.0/24 === 10.2.2.0/24` traffic selectors, this traffic is carried through the tunnel.

---

## 4. Optional: Check Routing Table

Although not strictly necessary, you can confirm local routing with:

```sh
ip route
```
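The checks in Sections 1 to 3 can be scripted instead of read by eye. The script below is an added example, not part of the original guide or of the StrongSwan project: it parses `ipsec statusall` text and reports whether the `net-net` connection has an `ESTABLISHED` IKE_SA, an `INSTALLED` CHILD_SA with the expected `10.1.1.0/24 === 10.2.2.0/24` selectors, and (after the ping test) a non-zero inbound ESP packet count, which is stronger evidence than a ping reply alone that traffic actually traverses the tunnel. The two sample status texts, the SPI values and the byte/packet counters in them are constructed from the output shapes the guide shows; the function names (`verify_tunnel`, `packets_in`, etc.) and the `--live` flag are this example's own.

```shell
#!/bin/sh
# Added example: verify a strongSwan tunnel from `ipsec statusall` output.
# Usage:  sh verify_vpn.sh          (runs against the constructed samples below)
#         sh verify_vpn.sh --live   (runs against `sudo ipsec statusall` on this peer)

# Constructed sample: the state the guide shows right after boot (Section 1).
STATUS_DOWN='Connections:
     net-net:  10.1.1.10...10.2.2.10  IKEv2, dpddelay=30s
     net-net:   local:  [10.1.1.10] uses pre-shared key authentication
     net-net:   remote: [10.2.2.10] uses pre-shared key authentication
     net-net:   child:  10.1.1.0/24 === 10.2.2.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none'

# Constructed sample: the state after `ipsec up net-net` and a ping (Sections 2-3).
# SPIs and counters are made-up values, not captured from a real system.
STATUS_UP='Connections:
     net-net:  10.1.1.10...10.2.2.10  IKEv2, dpddelay=30s
     net-net:   child:  10.1.1.0/24 === 10.2.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 15 seconds ago, 10.1.1.10[10.1.1.10]...10.2.2.10[10.2.2.10]
     net-net[1]: IKEv2 SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 2 hours
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
     net-net{1}:   AES_CBC_128/HMAC_SHA2_256_128, 840 bytes_i (10 pkts, 2s ago), 840 bytes_o (10 pkts, 2s ago), rekeying in 45 minutes
     net-net{1}:   10.1.1.0/24 === 10.2.2.0/24'

# ike_established STATUS CONN -> 0 when CONN has an ESTABLISHED IKE_SA ("CONN[n]: ESTABLISHED").
ike_established() {
    printf '%s\n' "$1" | grep -Eq "^ *$2\[[0-9]+\]: +ESTABLISHED"
}

# child_installed STATUS CONN -> 0 when CONN has an INSTALLED tunnel-mode CHILD_SA ("CONN{n}: INSTALLED, TUNNEL").
child_installed() {
    printf '%s\n' "$1" | grep -Eq "^ *$2\{[0-9]+\}: +INSTALLED, TUNNEL"
}

# subnets_match STATUS CONN LOCAL REMOTE -> 0 when the installed CHILD_SA carries "LOCAL === REMOTE".
# Only CONN{n} lines count: the "child:" line under Connections is just loaded config.
subnets_match() {
    printf '%s\n' "$1" | grep -Eq "^ *$2\{[0-9]+\}: +$3 === $4"
}

# packets_in STATUS CONN -> prints the inbound ESP packet count from "N bytes_i (M pkts", or nothing.
packets_in() {
    printf '%s\n' "$1" | sed -n -E "s/^ *$2\{[0-9]+\}: .*bytes_i \(([0-9]+) pkts.*/\1/p" | head -n 1
}

# verify_tunnel STATUS CONN LOCAL REMOTE [MIN_PKTS] -> 0 if every check passes, 1 otherwise.
# MIN_PKTS defaults to 0; pass 1 or more after the ping test to require real traffic.
verify_tunnel() {
    status="$1"; conn="$2"; local_net="$3"; remote_net="$4"; min_pkts="${5:-0}"
    ok=0
    ike_established "$status" "$conn" || { echo "FAIL: no ESTABLISHED IKE_SA for $conn"; ok=1; }
    child_installed "$status" "$conn" || { echo "FAIL: no INSTALLED CHILD_SA for $conn"; ok=1; }
    subnets_match "$status" "$conn" "$local_net" "$remote_net" \
        || { echo "FAIL: CHILD_SA selectors are not $local_net === $remote_net"; ok=1; }
    pkts=$(packets_in "$status" "$conn"); pkts="${pkts:-0}"
    [ "$pkts" -ge "$min_pkts" ] \
        || { echo "FAIL: only $pkts inbound ESP packets (wanted >= $min_pkts)"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: $conn up, $local_net === $remote_net, $pkts packets received through the tunnel"
    return "$ok"
}

if [ "${1:-}" = "--live" ]; then
    verify_tunnel "$(sudo ipsec statusall)" net-net 10.1.1.0/24 10.2.2.0/24 1
else
    echo "--- boot state (expected to fail)"
    verify_tunnel "$STATUS_DOWN" net-net 10.1.1.0/24 10.2.2.0/24 || true
    echo "--- after ipsec up + ping (expected to pass)"
    verify_tunnel "$STATUS_UP" net-net 10.1.1.0/24 10.2.2.0/24 1
fi
```

The selector check deliberately ignores the `child:` line under `Connections:`, which only proves the configuration was loaded; a mismatch there versus the `net-net{1}` line is exactly the difference between Section 1 and Section 2. Running with `--live` on each peer and requiring `MIN_PKTS` of 1 after the pings confirms that the ICMP replies were received over ESP rather than via some other route.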