In this scenario two individual hosts establish an IPsec connection directly between themselves. There are no subnets to protect — only traffic between the two endpoints is encrypted.
Network topology

```
    moon                       sun
+-------------+   =====   +-------------+
| 192.168.0.1 |   =====   | 192.168.0.2 |
+-------------+           +-------------+
```
Both hosts authenticate each other with X.509 certificates issued by a shared CA.
IPsec transport mode is the natural fit for host-to-host connections because there is no inner subnet to encapsulate. However, this configuration uses the default tunnel mode, which also works correctly and is simpler to extend later if subnets are added.
Certificate files

Place the following files on each host (the CA certificate on both, each host's own certificate and private key only on that host):

moon:

```
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/private/moonKey.pem
```

sun:

```
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/sunCert.pem
/etc/swanctl/private/sunKey.pem
```
Configuration

moon (192.168.0.1)

```
# /etc/swanctl/swanctl.conf
connections {
    host-host {
        remote_addrs = 192.168.0.2
        local {
            auth = pubkey
            certs = moonCert.pem
        }
        remote {
            auth = pubkey
            id = "C=CH, O=strongSwan, CN=sun.strongswan.org"
        }
        children {
            net-net {
                start_action = trap
            }
        }
    }
}
```

sun (192.168.0.2)

```
# /etc/swanctl/swanctl.conf
connections {
    host-host {
        remote_addrs = 192.168.0.1
        local {
            auth = pubkey
            certs = sunCert.pem
        }
        remote {
            auth = pubkey
            id = "C=CH, O=strongSwan, CN=moon.strongswan.org"
        }
        children {
            host-host {
                start_action = trap
            }
        }
    }
}
```

Connection and child section names are local labels (moon names its child net-net, sun names its host-host); they are only used in swanctl commands and logs on that host and do not have to match the peer's names.
Because no local_ts or remote_ts are specified in the children block, the traffic selectors default to the host addresses themselves (192.168.0.1/32 and 192.168.0.2/32), which is correct for a host-to-host setup.
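As an added illustration of that default (example code, not part of the strongSwan documentation or code base), the following Python parses a swanctl.conf fragment and reports the traffic selectors each child ends up with, resolving an absent selector to the endpoint address exactly as described above, and it also handles children with explicit local_ts/remote_ts subnets. It assumes single-prefix selectors (no comma-separated lists) and takes the host's own address as a parameter because local_addrs is not set in this configuration.

```python
import re
import ipaddress

# Constructed sample: moon's swanctl.conf from this page, no explicit traffic selectors.
MOON_CONF = """
connections {
    host-host {
        remote_addrs = 192.168.0.2
        local  { auth = pubkey  certs = moonCert.pem }
        remote { auth = pubkey  id = "C=CH, O=strongSwan, CN=sun.strongswan.org" }
        children { net-net { start_action = trap } }
    }
}
"""

# strongswan.conf syntax tokens: a comment, a 'key = value' setting (value may be
# double-quoted), 'name {' opening a section, and '}' closing one.
TOKEN = re.compile(r'#.*|(\w[\w-]*)\s*=\s*("[^"]*"|[^\s{}]+)|(\w[\w-]*)\s*\{|(\})')

def parse(text):
    """Parse swanctl.conf text into nested dicts (sections) of strings (settings)."""
    root, stack = {}, []
    cur = root
    for m in TOKEN.finditer(text):
        key, val, sec, close = m.groups()
        if key:                       # setting in the current section
            cur[key] = val.strip('"')
        elif sec:                     # enter a nested section
            stack.append(cur)
            cur = cur.setdefault(sec, {})
        elif close:                   # return to the enclosing section
            cur = stack.pop()
    return root

def effective_selectors(conf, conn_name, local_ip):
    """Return {child: (local_ts, remote_ts)} with swanctl's defaults applied: an
    absent selector means 'dynamic', the IKE endpoint address itself, so a host-to-host
    child gets the two /32 host addresses. local_ip stands in for an unset local_addrs."""
    conn = conf["connections"][conn_name]
    defaults = {"local_ts": conn.get("local_addrs", local_ip),
                "remote_ts": conn["remote_addrs"]}
    result = {}
    for name, child in conn["children"].items():
        ts = [child.get(k, "dynamic") for k in ("local_ts", "remote_ts")]
        ts = [defaults[k] if v == "dynamic" else v for k, v in zip(defaults, ts)]
        result[name] = tuple(str(ipaddress.ip_network(v)) for v in ts)
    return result

if __name__ == "__main__":
    print(effective_selectors(parse(MOON_CONF), "host-host", "192.168.0.1"))
```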
Loading configuration and verifying the connection

Load credentials

Load certificates and private keys into the charon daemon on both hosts:

```
swanctl --load-creds
```

Load connections

Apply the connection definitions on both hosts:

```
swanctl --load-conns
```

Trigger and verify

The tunnel is established automatically when traffic between the two hosts is detected (start_action = trap). Check active security associations:

```
swanctl --list-sas
```

To trigger the tunnel immediately without waiting for matching traffic, initiate it manually, using the child name configured on the host you run the command on (net-net on moon, host-host on sun):

```
swanctl --initiate --child net-net
```