Score:0

Strongswan IPSec Configuration on a VPS

aq flag

Please assist. I'm trying to set up a site-to-site IPsec tunnel with strongSwan on my VPS, but sadly my provider cannot enable the following kernel modules for me:

ah4 ah6 esp4 esp6 xfrm4_tunnel xfrm6_tunnel xfrm_user ip_tunnel tunnel tunnel6 xfrm4_mode_tunnel xfrm6_mode_tunnel

Is there a way to configure strongSwan (or any other platform) in an alternative manner that doesn't rely on enabling additional kernel modules on typical VPS configs, before I shift to a dedicated server, which I cannot afford for my startup?

Score:1
cn flag

You could try strongSwan's user-mode IPsec implementation, libipsec, via the kernel-libipsec plugin. It does require TUN devices, so if that's not possible on your VPS, you're out of luck. It also has some performance limitations (read the notes on the linked page).

aq flag
Yes, this is what I was looking for. Though setting it up hasn't been easy; I'm a novice. Thank you for this assist, it got me connected, albeit I'm failing to ping the subnet machine on the other end of my tunnel. Maybe I'm doing that wrong, I don't know. I'm using `ping -I <my interface name> <subnet IP>` and this gives me 100% packet loss.
gu flag
You shouldn't need to ping using a specific interface for this to work. If the IPsec tunnel can be established, it's likely a configuration issue somewhere in the swanctl configuration, but this no longer has anything to do with this issue and should be asked as a separate question after existing questions have been looked at. This will make it easier for you to get clearer answers and for others to find answers to similar issues.
aq flag
Noted, and thank you.
Score:0
gu flag

No, most IPsec VPNs will require those modules, simply because IPsec is actually handled by the kernel and not by the software, which mostly handles keying.

Alternatives would be to use a full user-mode reimplementation of IPsec (I only know of test implementations, nothing production grade, but feel free to look around) or an alternative full user-mode VPN (i.e. OpenVPN).

Otherwise it might be worth checking if your VPS provider supports the required kernel modules for WireGuard (I expect not).

Finally, dedicated servers aren't necessarily that much more expensive; I'm looking at under $5/month, though they have little to no SLA for that price.

aq flag
Thank you, please share the services that are providing dedicated servers at those prices. My startup really needs all I can save right now.
gu flag
Product recommendations are off-topic for SF and I believe @ecdsa's answer is a better fit for you anyway so go with it!
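Both answers hinge on the same question: is the kernel's own IPsec (xfrm, ESP/AH) built in, loadable as modules, or absent, and is a TUN device available for the kernel-libipsec fallback? The following added example (not code from either answer or from the strongSwan project) answers that from the kernel configuration; the module-to-Kconfig mapping is mine, taken from the kernel's Kconfig names, and the sample config is constructed.

```python
"""Classify the kernel modules from the question as built-in, module, or missing,
and report whether native IPsec or strongSwan's kernel-libipsec (TUN) is viable."""
import gzip, os, re

# Kconfig symbol behind each module the question lists (my mapping). The
# xfrm4/6_mode_tunnel modules are omitted: recent kernels folded them into the xfrm core.
XFRM_SYMBOLS = {
    "ah4": "CONFIG_INET_AH", "esp4": "CONFIG_INET_ESP",
    "ah6": "CONFIG_INET6_AH", "esp6": "CONFIG_INET6_ESP",
    "xfrm_user": "CONFIG_XFRM_USER",
    "xfrm4_tunnel": "CONFIG_INET_XFRM_TUNNEL", "xfrm6_tunnel": "CONFIG_INET6_XFRM_TUNNEL",
    "tunnel4": "CONFIG_INET_TUNNEL", "tunnel6": "CONFIG_INET6_TUNNEL",
    "ip_tunnel": "CONFIG_NET_IP_TUNNEL",
}
TUN_SYMBOL = "CONFIG_TUN"  # kernel-libipsec needs a TUN device

def parse_kconfig(text):
    """Map CONFIG_* symbols to 'y', 'm' or 'n' ('# CONFIG_X is not set' becomes 'n')."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(\w+)$", line) or re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            state[m.group(1)] = m.group(2) if m.lastindex == 2 else "n"
    return state

def assess(state):
    """Per-module status plus the two paths: native xfrm IPsec or user-mode libipsec."""
    status = {"y": "built-in", "m": "module", "n": "missing"}
    modules = {mod: status.get(state.get(sym), "unknown") for mod, sym in XFRM_SYMBOLS.items()}
    vals = set(modules.values())
    if vals <= {"built-in"}:
        native = "ready"            # nothing to modprobe, provider cooperation not needed
    elif vals <= {"built-in", "module"}:
        native = "needs-modprobe"   # exactly the case the asker's provider refuses
    else:
        native = "unavailable"
    return {"modules": modules, "native_ipsec": native,
            "libipsec_possible": state.get(TUN_SYMBOL) in ("y", "m")}

def running_kernel_config():
    """Read the live kernel's config if exposed; None if neither source exists."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    path = "/boot/config-" + os.uname().release
    return open(path).read() if os.path.exists(path) else None

# Constructed sample: ESP/AH loadable, xfrm tunnel support absent, TUN built in.
SAMPLE_CONFIG = "CONFIG_XFRM_USER=m\nCONFIG_INET_AH=m\nCONFIG_INET_ESP=m\n" \
    "# CONFIG_INET_XFRM_TUNNEL is not set\n# CONFIG_INET_TUNNEL is not set\nCONFIG_NET_IP_TUNNEL=y\nCONFIG_TUN=y\n"

if __name__ == "__main__":
    cfg = running_kernel_config() or SAMPLE_CONFIG
    print(assess(parse_kconfig(cfg)))
```

On a real VPS run it as root; if it reports `native_ipsec: needs-modprobe` you are in the asker's situation, and `libipsec_possible: True` is the precondition for the kernel-libipsec route.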