How to Setup IPSec Between 3 Linux Servers?

adil
3 min readJan 23, 2024

You can see many articles on the Internet on how to establish an IPsec connection between two Linux servers.

But what if you have three or more servers, and they need to be connected to each other?

Photo by Nick Fewings on Unsplash

Things get a little (not much) complicated when you want to connect three or more servers via IPSec.

I will use strongSwan to establish the connection between servers.

Let’s observe the installation.

I have 3 servers; one in New York, one in London, and one in Frankfurt.

You must select a server as the main gateway. I will use the London server as the main gateway. Because it is physically located in the middle of both countries.

London:
Public IP Address: 209.97.180.147
Private IP Address: 10.0.10.0

New York:
Public IP Address: 68.183.152.162
Private IP Address: 10.0.20.0

Frankfurt:
Public IP Address: 64.226.108.111
Private IP Address: 10.0.30.0

I will enable IP forwarding on the London server by running this command:

sysctl -w net.ipv4.ip_forward=1

I will install strongSwan on all servers:

apt install strongswan

I will configure strongSwan on the New York Server

Open /etc/ipsec.conf and add the following configuration to the file:

config setup
uniqueids = yes
conn newyork-london
type=tunnel
auto=start
authby=secret
leftsubnet=10.0.20.0/24
left=68.183.152.162
right=209.97.180.147
rightsubnet=10.0.10.0/24,10.0.30.0/24

In the rightsubnet , you need to specify which subnets you want to connect to from the New York server. I want the New York server to connect to the London and Frankfurt servers. I added the private IP addresses of these two servers’ to rightsubnet .

Add a secret key to the /etc/ipsec.secrets file

68.183.152.162 : PSK "add_some_longer_stuff_here"

The secret key must be the same on all servers but must have the Public IP address of the relevant server.

The configuration on the New York server is complete.

Follow the same steps for the Frankfurt server.

Configuration of the gateway server (London)

I will need to add a config block for each connection step to the /etc/ipsec.conf:

config setup
uniqueids = yes
conn london-frankfurt
type=tunnel
auto=start
authby=secret
leftsubnet=10.0.10.0/24,10.0.20.0/24
left=209.97.180.147
right=64.226.108.111
rightsubnet=10.0.30.0/24
conn london-newyork
type=tunnel
auto=start
authby=secret
leftsubnet=10.0.10.0/24,10.0.30.0/24
left=209.97.180.147
right=68.183.152.162
rightsubnet=10.0.20.0/24

Basically, the leftsubnet indicates which source IP range will be used for that connection block.

For example, in the london-frankfurt connection block, an IPSec connection will be established between London and Frankfurt. So when a network package reaches the London server, strongSwan will check the source IP address.

If the source IP address is 10.0.10.0/24 (London) or 10.0.20.0/24 (New York), traffic will be routed to the rightsubnet, which is 10.0.30.0/24 (Frankfurt)

If the source IP address is 10.0.10.0/24 (London) or 10.0.30.0/24 (Frankfurt), the traffic will be routed to the rightsubnet, which is 10.0.20.0/24 (New York)

Restart strongSwan on all servers and test the connection.

service strongswan-starter restart

The gateway server (London) can reach anywhere:

One of the client servers (New York) can reach all hosts:

Same for the Frankfurt server:

Please pay attention to RTT times.

Here is the screenshot covering all configurations:

--

--