professional-service-best-practices/terraform-strongswan-deployment
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
terraform-strongswan-deploy.../README.md
Mauritz Uphoff 9007bbcc08
All checks were successful
CI / TruffleHog Secrets Scan (push) Successful in 5s
Details
CI / Terraform Format & Validate (push) Successful in 6s
Details
update code
2025-07-04 11:03:18 +02:00

97 lines
No EOL
2 KiB
Markdown
Raw Blame History

# StrongSwan VPN Verification Guide
This guide helps verify that an IPsec VPN tunnel using StrongSwan is properly established between the following machines
provisioned via Terraform and configured with cloud-init:
- `machine01` โ†’ IP: `10.1.1.10`
- `machine02` โ†’ IP: `10.2.2.10`
The VPN uses IKEv2 and a Pre-Shared Key (PSK) to create a site-to-site tunnel automatically on boot.
---
## 1. Check the StrongSwan Service
SSH into both machines:
```sh
ssh -i ~/.ssh/id_rsa debian@<machine-public-ip>
```
Once logged in on each peer, run:
```sh
sudo ipsec statusall
```
You should see output like the following:
```
Status of IKE charon daemon (strongSwan 5.9.8, Linux ...):
uptime: ...
worker threads: ...
Connections:
net-net: 10.1.1.10...10.2.2.10 IKEv2, dpddelay=30s
net-net: local: [10.1.1.10] uses pre-shared key authentication
net-net: remote: [10.2.2.10] uses pre-shared key authentication
net-net: child: 10.1.1.0/24 === 10.2.2.0/24 TUNNEL
Security Associations (SAs) (0 up, 0 connecting):
none
```
At this point, the configuration is loaded but the tunnel might not be up yet.
---
## 2. Bring Up and Verify the VPN Tunnel
If the VPN does not connect automatically, you can initiate it manually from either peer:
```sh
sudo ipsec up net-net
```
Then recheck the status:
```sh
sudo ipsec statusall
```
You should see something like:
```
Connections:
net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...10.2.2.10
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: ...
net-net{1}: 10.1.1.0/24 === 10.2.2.0/24
```
โœ… Look for the following:
- `ESTABLISHED` โ€” the tunnel is active.
- Correct subnets in `===`, e.g., `10.1.1.0/24 === 10.2.2.0/24`.
---
## ๐Ÿงช 3. Test Connectivity Through the VPN
Ping from one internal IP to the other (inside each VM):
```sh
# On machine01
ping 10.2.2.10
# On machine02
ping 10.1.1.10
```
Expect responses showing that packets are routed through the tunnel.
---
## 4. Optional: Check Routing Table
Although not strictly necessary, you can confirm local routing with:
```sh
ip route
```
Reference in a new issue View git blame Copy permalink