Mauritz Uphoff 9007bbcc08 update code 2025-07-04 11:03:18 +02:00

StrongSwan VPN Verification Guide

This guide helps verify that an IPsec VPN tunnel using StrongSwan is properly established between the following machines provisioned via Terraform and configured with cloud-init:

  • machine01 → IP: 10.1.1.10
  • machine02 → IP: 10.2.2.10

The VPN uses IKEv2 and a Pre-Shared Key (PSK) to create a site-to-site tunnel automatically on boot.


1. Check the StrongSwan Service

SSH into both machines:

ssh -i ~/.ssh/id_rsa debian@<machine-public-ip>

Once logged in on each peer, run:

sudo ipsec statusall

You should see output like the following:

Status of IKE charon daemon (strongSwan 5.9.8, Linux ...):
  uptime: ...
  worker threads: ...
Connections:
     net-net:  10.1.1.10...10.2.2.10  IKEv2, dpddelay=30s
     net-net:   local:  [10.1.1.10] uses pre-shared key authentication
     net-net:   remote: [10.2.2.10] uses pre-shared key authentication
     net-net:   child:  10.1.1.0/24 === 10.2.2.0/24 TUNNEL
Security Associations (SAs) (0 up, 0 connecting):
  none

At this point, the configuration is loaded but the tunnel might not be up yet.


2. Bring Up and Verify the VPN Tunnel

If the VPN does not connect automatically, you can initiate it manually from either peer:

sudo ipsec up net-net

Then recheck the status:

sudo ipsec statusall

You should see something like this in the Security Associations section (the ESTABLISHED and INSTALLED lines appear there, not under Connections):

Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...10.2.2.10
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ...
     net-net{1}:  10.1.1.0/24 === 10.2.2.0/24

✅ Look for the following:

  • ESTABLISHED on the net-net[1] line (the IKE SA is up) and INSTALLED, TUNNEL on the net-net{1} line (the CHILD SA carrying traffic is installed): the tunnel is active.
  • Correct subnets on either side of ===, e.g., 10.1.1.0/24 === 10.2.2.0/24.
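The checks in sections 1 and 2 can be scripted instead of read by eye. The following is an added example, not part of the original README or the Terraform project: check_tunnel (a hypothetical helper) parses ipsec statusall output and fails unless the IKE SA is ESTABLISHED, the CHILD SA is INSTALLED in TUNNEL mode, and the traffic selectors match; the connection name and subnets default to the ones above, and the sample output is constructed to match the guide.

```shell
#!/bin/sh
# Verify a strongSwan site-to-site tunnel from `ipsec statusall` output.
# Assumed defaults (override via environment): connection name and subnets.
CONN="${CONN:-net-net}"
LEFT_SUBNET="${LEFT_SUBNET:-10.1.1.0/24}"
RIGHT_SUBNET="${RIGHT_SUBNET:-10.2.2.0/24}"

# check_tunnel STATUS_TEXT
# Returns 0 when all three conditions hold, otherwise prints the first
# failing condition and returns 1 (IKE SA), 2 (CHILD SA) or 3 (selectors).
check_tunnel() {
    status="$1"
    # IKE SA line, e.g. "     net-net[1]: ESTABLISHED 15 seconds ago, ..."
    printf '%s\n' "$status" | grep -q "^ *${CONN}\[[0-9]*\]: ESTABLISHED" \
        || { echo "IKE SA for ${CONN} is not ESTABLISHED"; return 1; }
    # CHILD SA line, e.g. "     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ..."
    printf '%s\n' "$status" | grep -q "^ *${CONN}{[0-9]*}: *INSTALLED, TUNNEL" \
        || { echo "CHILD SA for ${CONN} is not INSTALLED in TUNNEL mode"; return 2; }
    # Traffic selectors must be exactly the expected site subnets.
    printf '%s\n' "$status" | grep -q "${LEFT_SUBNET} === ${RIGHT_SUBNET}" \
        || { echo "traffic selectors are not ${LEFT_SUBNET} === ${RIGHT_SUBNET}"; return 3; }
    return 0
}

# live_check: run the same checks against the daemon on this peer
# (requires strongSwan installed and root via sudo; not called below).
live_check() {
    check_tunnel "$(sudo ipsec statusall 2>/dev/null)"
}

# Constructed sample output in the shape the guide shows for an active tunnel.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 15 seconds ago, 10.1.1.10[10.1.1.10]...10.2.2.10[10.2.2.10]
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1d2e3f4_i a5b6c7d8_o
     net-net{1}:   10.1.1.0/24 === 10.2.2.0/24'

# Constructed sample output for a loaded but not yet negotiated connection.
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

check_tunnel "$SAMPLE_UP" && echo "sample: tunnel is up"
```

On a real peer, source the script and call live_check; its exit code (0 up, 1 no IKE SA, 2 no CHILD SA, 3 wrong selectors) can feed a monitoring check.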

🧪 3. Test Connectivity Through the VPN

Ping from one internal IP to the other (inside each VM):

# On machine01
ping 10.2.2.10

# On machine02
ping 10.1.1.10

Expect replies. Replies alone do not prove the packets used the tunnel rather than a plain route, so also confirm that the byte counters (bytes_i / bytes_o) on the CHILD SA line of sudo ipsec statusall increase while the ping runs.


4. Optional: Check Routing Table

Although not strictly necessary, you can confirm local routing with the command below. Note that strongSwan installs the routes for its tunnels in routing table 220 by default, so the main table shown here may not list the remote subnet; that is expected and not a sign the tunnel is down.

ip route