Site to Site IPsec with VPC VPNaaS


This article will walk you through the process of connecting an on-prem IPsec tunnel to the IBM Cloud VPC VPN as a Service offering. This will allow you to communicate from your local machine to the private IP addresses assigned to your VPC compute instances. In this guide you will walk through the following steps:

  • Provisioning an instance of VPC VPN as a Service

  • Adding a Peer connection to VPC VPN to connect to your local network

  • Installing strongSwan on a local machine/VM

  • Configuring the local IPsec peer

  • Bringing up the local IPsec tunnel and pinging VPC resources

Provision and configure the VPC VPNaaS

We’ll start by deploying an instance of VPNaaS. From the main VPC landing page click on VPN Gateways on the left hand navigation bar:

Go to VPN Overview page

Make sure you select the region where your VPC resides and then click Create VPN.

Create VPN Step 1

At the top of the screen give the VPN a name, select the VPC where you would like the VPN deployed, and then select the subnet to use with the VPN. Note: Only the resources in the same zone as the subnet you choose can connect through this VPN gateway.

Create VPN Step 2

With the subnet selected scroll down and make sure the New VPN Connection for VPC option is enabled. Give the new connection a name and provide the local and peer subnets along with the pre-shared key.

Note: If you need to generate a pre-shared key, launch Cloud Shell by clicking the terminal icon in the upper right of the IBM Cloud portal.

Launch Cloud Shell

Once your Cloud Shell session starts, run the following command to generate a 32-character pre-shared key:

tr -dc "[:alpha:][:alnum:]" < /dev/urandom | head -c 32

In this example my VPC utilizes the subnet and my local network uses 172.16 IPs. The Peer gateway address is the public IP on your local network. If you are unsure what this is, pull up a browser and head to IP Chicken.

Add connection information

With all the details added click Create VPN Gateway in the right hand navigation bar to deploy the VPN. We'll give the new VPN a few moments to deploy and then copy down the Peer address that we'll need for the local tunnel configuration.

Copy down VPN Peer Address

Install strongSwan on local machine

In my example I have a local Ubuntu 18 VM that I will be using as the local IPsec peer. The first step is to install strongSwan.

$ sudo apt-get update && sudo apt-get install strongswan -y

With strongSwan installed we need to add IP forwarding to our kernel parameters. Note that "sudo cat >> /etc/sysctl.conf" does not work, because the redirection is performed by your unprivileged shell before sudo runs; "sudo tee -a" appends as root instead:

$ sudo tee -a /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
$ sudo sysctl -p /etc/sysctl.conf

Configure local IPsec peer

Next we'll update the /etc/ipsec.secrets file. The syntax for a pre-shared key entry is the two peer identities, a colon, the keyword PSK and the quoted key:

<Local Server Public IP> <VPC VPN Endpoint IP> : PSK "<pre-shared key>"

For example, if your local public IP was, the VPC VPN Peer address was, and the pre-shared key was XtemrMYFfmmMCpxgdCwSYoRBKdjQ1ndb, the file would look like this:

: PSK "XtemrMYFfmmMCpxgdCwSYoRBKdjQ1ndb"

Keep this file readable by root only (strongSwan installs it with mode 0600; leave it that way), since anyone who can read it holds the tunnel's key.

With the secrets file updated we'll now move on to updating the strongSwan configuration file:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# connection to us-east-vpc
conn home-to-vpc
        leftid=<Local Server Public IP>
        leftsubnet=<Local Internal Subnet range>
        right=<VPC VPN Endpoint IP>
        # the VPC subnet plus the two IBM Cloud service ranges discussed below
        rightsubnet=<VPC Subnet range>,<IBM Cloud service range 1>,<IBM Cloud service range 2>
        # authenticate with the PSK from ipsec.secrets (strongSwan defaults to pubkey)
        authby=secret
        # start the tunnel when the ipsec service starts (default is ignore)
        auto=start

We add in the ranges and so that we can communicate with IBM Cloud services over their private IP address space.

With the ipsec configuration updated, add an iptables rule for post-routing. Again, for my tunnel the VPC subnet is and my local internal subnet is, so adjust the following command to meet your needs (the jump option is lowercase -j):

$ sudo iptables -t nat -A POSTROUTING -s <Local Internal Subnet range> -d <VPC Subnet range> -j MASQUERADE

Now restart the ipsec service and check the status of the tunnel:

$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.6.2 IPsec [starter]...
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
home-to-vpc[1]: ESTABLISHED 16 seconds ago,[x.x.x.x]...52.y.y.y[52.y.y.y]
home-to-vpc{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2225f47_i ccc3d826_o
home-to-vpc{1}: ===
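Once the tunnel is up you will want something that checks it stays that way. The following Python health check is an added example, not part of the original walkthrough: it parses the ipsec status output format shown above and reports whether the IKE SA is ESTABLISHED, whether an ESP SA is INSTALLED in TUNNEL mode, and whether NAT traversal ("ESP in UDP") is in use. The sample status text and its RFC 5737 addresses are constructed; only the connection name home-to-vpc comes from this guide.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the `ipsec status` format shown above; the addresses
# are RFC 5737 documentation ranges, not the endpoints from this walkthrough.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
home-to-vpc[1]: ESTABLISHED 16 seconds ago, 203.0.113.10[203.0.113.10]...198.51.100.7[198.51.100.7]
home-to-vpc{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2225f47_i ccc3d826_o
home-to-vpc{1}: 172.16.0.0/24 === 10.240.0.0/24
"""

# <conn>[id]: STATE ...                                  -> IKE SA (square brackets)
IKE_RE = re.compile(r"^(?P<name>[\w.-]+)\[\d+\]: (?P<state>[A-Z]+)")
# <conn>{id}: STATE, MODE, reqid N, ESP[ in UDP] SPIs ... -> CHILD (ESP) SA (braces)
CHILD_RE = re.compile(r"^(?P<name>[\w.-]+)\{\d+\}: (?P<state>[A-Z]+), (?P<mode>[A-Z]+), "
                      r"reqid \d+, (?P<proto>ESP(?: in UDP)?) SPIs")
# <conn>{id}: <local-net> === <remote-net>               -> negotiated traffic selectors
TS_RE = re.compile(r"^(?P<name>[\w.-]+)\{\d+\}: (?P<local>\S+) === (?P<remote>\S+)$")

@dataclass
class TunnelState:
    ike_established: bool = False
    child_installed: bool = False  # ESP SA present in the kernel, tunnel mode
    nat_traversal: bool = False    # "ESP in UDP": NAT-T, so UDP/4500 must be reachable
    selectors: list = field(default_factory=list)  # (local, remote) pairs

def parse_ipsec_status(text: str) -> dict:
    """Return {conn_name: TunnelState} parsed from `ipsec status` output."""
    tunnels: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := CHILD_RE.match(line):
            t = tunnels.setdefault(m["name"], TunnelState())
            t.child_installed = m["state"] == "INSTALLED" and m["mode"] == "TUNNEL"
            t.nat_traversal = m["proto"] == "ESP in UDP"
        elif m := TS_RE.match(line):
            t = tunnels.setdefault(m["name"], TunnelState())
            t.selectors.append((m["local"], m["remote"]))
        elif m := IKE_RE.match(line):
            t = tunnels.setdefault(m["name"], TunnelState())
            t.ike_established = m["state"] == "ESTABLISHED"
    return tunnels

def tunnel_is_healthy(tunnels: dict, name: str, remote_net: str) -> bool:
    """Up only if IKE SA is ESTABLISHED, an ESP tunnel SA is INSTALLED and remote_net is negotiated."""
    t = tunnels.get(name)
    return bool(t and t.ike_established and t.child_installed
                and any(remote == remote_net for _, remote in t.selectors))
```

Feed it the output of "sudo ipsec status" from cron or a monitoring agent and alert when tunnel_is_healthy() returns False; a connection stuck in CONNECTING, or one with an IKE SA but no INSTALLED child SA, both count as down.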

Test connectivity to VPC instance

In my VPC I have an instance with a private IP of

$ ibmcloud is instances --output json | jq -r '.[] | select(.name == "us-south-vpc-rt") | .network_interfaces[].primary_ipv4_address'
$ ping -c2 -q
PING ( 56(84) bytes of data.
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 40.836/41.497/42.159/0.692 ms