How To Build An IPsec VPN Between A Debian Server And A Cisco Router

Article By: tapish01 Ranjan

BIP MD-KB Knowledge Base Community Author


This tutorial shows you how to connect more than one VPS server, as well as one or more physical servers, to an IPsec VPN (Virtual Private Network).

There are many instructions available on the web showing you how to build your own VPN on OpenSWAN, but it is marked as deprecated, so the recommended method is now to use StrongSWAN instead. StrongSWAN has a slightly different configuration, as described below.


Let's assume that you have a Cisco router at your office with a LAN (local area network) that has a range of and with an IP address of on an external interface and a remote VPS with an IP address on interface You would also like to have secure access from to your local LAN and vice versa.

We can use shared key authentication, but you can also use authentication with certificates.

Debian Jessie strongSwan configuration

apt-get install strongswan

Create the configuration file /etc/ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

version 2
config setup

# Add connections here.
conn %default

conn JOB
	left=             #strongswan outside address
	leftid=             #IKEID sent by strongswan
	leftsubnet=      #network behind strongswan
	right=              #CISCO outside address
	rightsubnet= #network behind CISCO
	rightid=            #IKEID sent by IOS
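	ike=aes256-sha1-modp1024   #P1: modp1024 = DH group 2
	esp=aes256-sha1            #P2
	keyexchange=ikev1          #Cisco "crypto isakmp" speaks IKEv1
	authby=secret              #authenticate with the PSK (default is pubkey)
	auto=start                 #load and initiate at startup (default is ignore)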

Next, add your shared secret string to the configuration file /etc/ipsec.secrets:

: PSK "some-text-like-long-long-password"

After changing the configuration we need to restart strongswan ipsec:

service ipsec restart

Cisco Router configuration for IPSEC

In this how-to we assume that you already have a working Cisco router configured with IP address on the external interface Gigabit Ethernet and on the internal interface.

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key some-text-like-long-long-password address no-xauth
crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
crypto map SDM_CMAP_1 local-address GigabitEthernet0/0
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description IPSEC_to_VPS_server
 set peer
 set transform-set ESP-AES-256
 match address 101
interface GigabitEthernet0/0
 description WAN External Interface
 ip address
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 crypto map SDM_CMAP_1
interface GigabitEthernet0/1
 description LAN internal interface
 ip address
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
ip access-list extended NAT
 deny   ip host
 permit ip any
access-list 101 permit ip host
route-map SDM_RMAP_1 permit 1
 match ip address NAT
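
The tunnel only negotiates if both ends offer the same Phase 1 proposal, which is what the `modp1024 = DH group 2` comment in ipsec.conf is pointing at. The following added example (not part of the original article) parses the strongSwan `ike=` line and the IOS `crypto isakmp policy` block, compares them using the IOS defaults for lines the router omits (such as `hash sha`), and flags DH groups under 2048 bits. The function names and sample strings are assumptions, and only `aesNNN-hash-modpNNNN` proposals are handled.

```python
import re

# strongSwan DH keyword -> group number used by IOS "group N"
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5,
             "modp2048": 14, "modp3072": 15, "modp4096": 16}
IOS_HASH = {"sha": "sha1", "md5": "md5", "sha256": "sha256",
            "sha384": "sha384", "sha512": "sha512"}
LABELS = ("cipher", "key bits", "hash", "DH group")

def strongswan_phase1(conf):
    """(cipher, key bits, hash, DH group) from the first ike= proposal."""
    m = re.search(r"^[ \t]*ike[ \t]*=[ \t]*([a-z]+)(\d+)-(\w+)-(modp\d+)",
                  conf, re.M)
    if not m:
        raise ValueError("no aesNNN-hash-modpNNNN ike= proposal found")
    return (m.group(1), int(m.group(2)), m.group(3), DH_GROUPS[m.group(4)])

def ios_phase1(conf):
    """Same tuple from the first 'crypto isakmp policy' block. Lines that
    IOS leaves out of the config mean its defaults: DES, SHA-1, group 1."""
    blk = re.search(r"^crypto isakmp policy \d+\n((?:[ \t]+.*\n?)+)",
                    conf, re.M)
    if not blk:
        raise ValueError("no crypto isakmp policy block found")
    body = blk.group(1)
    enc = re.search(r"^[ \t]+encr\w*[ \t]+(\w+)(?:[ \t]+(\d+))?", body, re.M)
    hsh = re.search(r"^[ \t]+hash[ \t]+(\w+)", body, re.M)
    grp = re.search(r"^[ \t]+group[ \t]+(\d+)", body, re.M)
    cipher = enc.group(1) if enc else "des"
    bits = int(enc.group(2)) if enc and enc.group(2) else \
        {"aes": 128, "des": 56}.get(cipher, 0)
    return (cipher, bits, IOS_HASH[hsh.group(1)] if hsh else "sha1",
            int(grp.group(1)) if grp else 1)

def check(strongswan_conf, ios_conf):
    """List of findings; empty means Phase 1 matches and DH is >= 2048 bit."""
    ss, ios = strongswan_phase1(strongswan_conf), ios_phase1(ios_conf)
    out = [f"mismatch {n}: strongSwan={a} IOS={b}"
           for n, a, b in zip(LABELS, ss, ios) if a != b]
    if ss[3] in (1, 2, 5):
        out.append(f"weak DH group {ss[3]} (under 2048 bits)")
    return out

# Phase 1 lines as they appear in the two configs above (addresses not needed)
SS = "conn JOB\n\tike=aes256-sha1-modp1024   #P1: modp1024 = DH group 2\n"
IOS = ("crypto isakmp policy 1\n encr aes 256\n authentication pre-share\n"
       " group 2\ncrypto ipsec df-bit clear\n")

if __name__ == "__main__":
    print(check(SS, IOS))
```

For the article's settings the two proposals agree, and the only finding is the 1024-bit DH group; moving both ends to `modp2048` / `group 14` clears it.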

Check If Everything Is Working Properly

[email protected]:~# ipsec status
Security Associations (1 up, 0 connecting):
         JOB[53]: ESTABLISHED 6 hours ago,[]...[]
         JOB{8}:  INSTALLED, TUNNEL, ESP SPIs: c977846e_i c87d8822_o
         JOB{8}: ===

[email protected]:~# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=255 time=51.9 ms
64 bytes from icmp_seq=2 ttl=255 time=52.2 ms
64 bytes from icmp_seq=3 ttl=255 time=51.7 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 51.773/51.968/52.209/0.259 ms

As you can see, it's all working and you now have a secured connection between your local LAN and remote VPS.

If you have any questions simply add your comments below and I will be happy to answer them.
