Almost all the questions and tutorials talk about how to implement a IPSec VPN server and connect to them from various clients. But I couldn’t find any resources on implementing IPSec VPN between 2 servers.
So how to connect a server in DO with another server through IPSec VPN?
Hello,
Implementing an IPSec VPN between two servers involves several steps, which I will break down for you.
For the purpose of this guide, I’ll be using an example where we have two servers, both running Ubuntu 22.04:
We’ll use libreswan, an implementation of one of the most widely supported and standardized VPN protocols, IPsec.
Install libreswan on both servers. Run the following commands on both Server 1 and Server 2:

```
sudo apt-get update
sudo apt-get install libreswan
```
Next, you need to configure the VPN on Server 1. Open the /etc/ipsec.conf file:

```
sudo nano /etc/ipsec.conf
```

And append the following content at the end of the file:

```
conn server-to-server
    left=203.0.113.1
    leftid=@server1
    leftrsasigkey=0s...
    right=198.51.100.1
    rightid=@server2
    rightrsasigkey=0s...
    authby=rsasig
    auto=start
    ikev2=insist
    ike=aes256-sha2;modp1024!
    phase2alg=aes256-sha2;modp1024
    type=tunnel
    pfs=yes
```
Replace 0s... for leftrsasigkey and rightrsasigkey with the actual RSA keys that you’ll generate in the next step.
Next, you need to configure the VPN on Server 2. Open the /etc/ipsec.conf file:

```
sudo nano /etc/ipsec.conf
```

And append the following content at the end of the file:

```
conn server-to-server
    left=198.51.100.1
    leftid=@server2
    leftrsasigkey=0s...
    right=203.0.113.1
    rightid=@server1
    rightrsasigkey=0s...
    authby=rsasig
    auto=start
    ikev2=insist
    ike=aes256-sha2;modp1024!
    phase2alg=aes256-sha2;modp1024
    type=tunnel
    pfs=yes
```
On each server, generate RSA keys using the following command:

```
ipsec newhostkey --output /etc/ipsec.d/private/localhost.secrets --hostname @server1
```
This command will output an RSA key, and it will also place the key in the file /etc/ipsec.d/private/localhost.secrets. Use the --hostname flag to specify the unique ID of the server. Use @server1 for Server 1 and @server2 for Server 2.
Place the keys from Server 1 and Server 2 in their respective leftrsasigkey and rightrsasigkey fields in /etc/ipsec.conf on both servers.
To apply the changes, restart IPsec.
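The two conn blocks above are mirror images of each other: every `left*` value on Server 1 must appear as the matching `right*` value on Server 2 and vice versa, and the proposal and policy lines must be identical on both sides, otherwise IKE negotiation fails with an ID or authentication mismatch that is tedious to debug from logs. The script below is an added example (not code from the answer above or from the libreswan project) that renders both blocks from one set of peer definitions and then checks the mirror property, so a copy-and-paste slip is caught before `ipsec.conf` is deployed. The `Peer` class, the `0s...` key strings and the IP addresses are constructed placeholders; on a real host the key value is the one `ipsec showhostkey --left` prints for the key created by `ipsec newhostkey`. The example defaults to `modp2048` rather than the `modp1024` used in the answer and flags any 768- or 1024-bit MODP group, because those Diffie-Hellman groups are considered too weak for new deployments.

```python
"""Render mirrored libreswan site-to-site conn blocks and verify they agree.

Added example; not part of the original answer or of libreswan itself.
"""
from dataclasses import dataclass

# DH groups that should not be used for new tunnels (assumed policy for this example).
WEAK_DH = ("modp768", "modp1024")


@dataclass(frozen=True)
class Peer:
    name: str       # hostname used as the IKE ID, e.g. "server1" -> @server1
    addr: str       # public IPv4 address of this peer
    rsasigkey: str  # "0s..." value as printed by `ipsec showhostkey --left`


def render_conn(local: Peer, remote: Peer, conn: str = "server-to-server",
                dh: str = "modp2048") -> str:
    """Render the conn block as seen from `local`: left is this host, right is the peer."""
    lines = [
        f"conn {conn}",
        f"    left={local.addr}",
        f"    leftid=@{local.name}",
        f"    leftrsasigkey={local.rsasigkey}",
        f"    right={remote.addr}",
        f"    rightid=@{remote.name}",
        f"    rightrsasigkey={remote.rsasigkey}",
        "    authby=rsasig",
        "    auto=start",
        "    ikev2=insist",
        f"    ike=aes256-sha2;{dh}",
        f"    phase2alg=aes256-sha2;{dh}",
        "    type=tunnel",
        "    pfs=yes",
    ]
    return "\n".join(lines) + "\n"


def parse_conn(text: str) -> dict:
    """Parse a single conn block back into a key/value dict (the 'conn' line is skipped)."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("conn ") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        kv[key.strip()] = value.strip()
    return kv


def mirror_mismatches(conf_a: str, conf_b: str) -> list:
    """Return a list of human-readable problems; empty means the two blocks mirror correctly."""
    a, b = parse_conn(conf_a), parse_conn(conf_b)
    problems = []
    # left/right, leftid/rightid and leftrsasigkey/rightrsasigkey must swap sides.
    for suffix in ("", "id", "rsasigkey"):
        if a.get("left" + suffix) != b.get("right" + suffix):
            problems.append(f"left{suffix} on A != right{suffix} on B")
        if a.get("right" + suffix) != b.get("left" + suffix):
            problems.append(f"right{suffix} on A != left{suffix} on B")
    # Proposal and policy settings must be identical on both peers.
    for key in ("authby", "ikev2", "ike", "phase2alg", "type", "pfs"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs")
    return problems


def weak_dh(conf: str) -> list:
    """Return the proposal keys (ike / phase2alg) that name a weak DH group."""
    kv = parse_conn(conf)
    return [k for k in ("ike", "phase2alg")
            if any(group in kv.get(k, "") for group in WEAK_DH)]


if __name__ == "__main__":
    # Constructed sample peers using documentation addresses and placeholder keys.
    server1 = Peer("server1", "203.0.113.1", "0sPLACEHOLDER_KEY_SERVER1")
    server2 = Peer("server2", "198.51.100.1", "0sPLACEHOLDER_KEY_SERVER2")
    conf1, conf2 = render_conn(server1, server2), render_conn(server2, server1)
    print("# /etc/ipsec.conf on server1\n" + conf1)
    print("# /etc/ipsec.conf on server2\n" + conf2)
    print("mismatches:", mirror_mismatches(conf1, conf2))
    print("weak DH groups:", weak_dh(conf1))
```

Run it once with the real `0s...` values pasted into the two `Peer` definitions; it prints a block for each server's `/etc/ipsec.conf`, an empty mismatch list if the two blocks agree, and the names of any proposal lines still using a weak group.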