# StrongSwan VPN Verification Guide

This guide helps verify that an IPsec VPN tunnel using StrongSwan is properly established between the following machines, provisioned via Terraform and configured with cloud-init:

- machine01 → IP: 10.1.1.10
- machine02 → IP: 10.2.2.10

The VPN uses IKEv2 and a Pre-Shared Key (PSK) to create a site-to-site tunnel automatically on boot.
## 1. Check the StrongSwan Service

SSH into both machines:

```bash
ssh -i ~/.ssh/id_rsa debian@<machine-public-ip>
```

Once logged in on each peer, run:

```bash
sudo ipsec statusall
```
You should see output like the following:

```text
Status of IKE charon daemon (strongSwan 5.9.8, Linux ...):
  uptime: ...
  worker threads: ...
Connections:
     net-net:  10.1.1.10...10.2.2.10  IKEv2, dpddelay=30s
     net-net:   local:  [10.1.1.10] uses pre-shared key authentication
     net-net:   remote: [10.2.2.10] uses pre-shared key authentication
     net-net:   child:  10.1.1.0/24 === 10.2.2.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none
```

At this point, the configuration is loaded but the tunnel might not be up yet.
## 2. Bring Up and Verify the VPN Tunnel

If the VPN does not connect automatically, you can initiate it manually from either peer:

```bash
sudo ipsec up net-net
```

Then recheck the status:

```bash
sudo ipsec statusall
```

You should see something like:

```text
Connections:
     net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...10.2.2.10
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ...
     net-net{1}:  10.1.1.0/24 === 10.2.2.0/24
```

Look for the following:

- `ESTABLISHED` on the `net-net[1]` line: the IKE SA is active.
- `INSTALLED, TUNNEL` on the `net-net{1}` line: the CHILD SA, the ESP tunnel that actually carries traffic, is in place.
- Correct subnets around `===`, e.g. `10.1.1.0/24 === 10.2.2.0/24`.
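To turn those three checks into something you can run after `ipsec up`, here is an added example script (not part of the original repository) that inspects `ipsec statusall` output for the ESTABLISHED IKE SA, the INSTALLED CHILD SA and the expected selectors. The connection name `net-net` and the subnets are the guide's; the sample status text is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original guide. Checks `ipsec statusall`
# output for the three things the guide says to look for. Assumes the
# connection name "net-net" and the guide's subnets; the samples below
# are constructed, not captured from a real peer.

SAMPLE_UP='Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 15s ago, 10.1.1.10[10.1.1.10]...10.2.2.10[10.2.2.10]
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c0ffee01_i c0ffee02_o
     net-net{1}:  10.1.1.0/24 === 10.2.2.0/24'

SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

# check_tunnel CONN LOCAL_NET REMOTE_NET [STATUS_TEXT]
# Reads status text from the 4th argument, or from stdin when it is absent.
# Returns 0 when the IKE SA is ESTABLISHED, the CHILD SA is INSTALLED as a
# TUNNEL, and the CHILD SA carries exactly LOCAL_NET === REMOTE_NET.
# Returns 1, 2 or 3 to say which of those checks failed first.
check_tunnel() {
  conn=$1; lnet=$2; rnet=$3
  if [ $# -ge 4 ]; then status=$4; else status=$(cat); fi
  # Escape the dots in the selectors so "10.1.1.0" cannot match "10x1y1z0".
  sel=$(printf '%s === %s' "$lnet" "$rnet" | sed 's/\./\\./g')
  if ! printf '%s\n' "$status" | grep -Eq "^ *${conn}\[[0-9]+\]: ESTABLISHED"; then
    echo "FAIL: no ESTABLISHED IKE SA for $conn"; return 1
  fi
  if ! printf '%s\n' "$status" | grep -Eq "^ *${conn}\{[0-9]+\}: +INSTALLED, TUNNEL"; then
    echo "FAIL: no INSTALLED CHILD SA for $conn"; return 2
  fi
  if ! printf '%s\n' "$status" | grep -Eq "^ *${conn}\{[0-9]+\}: +${sel}( |$)"; then
    echo "FAIL: CHILD SA selectors are not $lnet === $rnet"; return 3
  fi
  echo "OK: $conn is up with $lnet === $rnet"
}

# Stand-alone demo on the constructed samples; on a real peer run:
#   sudo ipsec statusall | check_tunnel net-net 10.1.1.0/24 10.2.2.0/24
check_tunnel net-net 10.1.1.0/24 10.2.2.0/24 "$SAMPLE_UP"
printf '%s\n' "$SAMPLE_DOWN" | check_tunnel net-net 10.1.1.0/24 10.2.2.0/24 || true
```

The exit code distinguishes "IKE never negotiated" (1, usually a PSK or reachability problem) from "IKE up but no CHILD SA" (2, typically a selector or proposal mismatch), which is the first thing to know before reading the charon log.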
## 3. Test Connectivity Through the VPN

Ping from one internal IP to the other (inside each VM):

```bash
# On machine01
ping 10.2.2.10
# On machine02
ping 10.1.1.10
```

Expect responses showing that packets are routed through the tunnel. A reply on its own does not prove the traffic was encapsulated; confirm it by watching the `bytes_i`/`bytes_o` counters on the `net-net{1}` line of `sudo ipsec statusall` increase while the ping runs.
## 4. Optional: Check Routing Table

Although not strictly necessary, you can confirm local routing with:

```bash
ip route
```