0

Please assist. I'm trying to set up a site-to-site IPsec tunnel with strongSwan on my VPS but sadly my provider cannot enable the following kernel modules for me:

ah4 ah6 esp4 esp6 xfrm4_tunnel xfrm6_tunnel xfrm_user ip_tunnel tunnel tunnel6 xfrm4_mode_tunnel xfrm6_mode_tunnel

Is there a way to configure strongswan or any other platform in an alternative manner that doesn't rely on enabling additional kernel modules on typical VPS configs before I shift to a dedicated server which I cannot afford for my startup?

2 Answers

1

You could try strongSwan's user mode IPsec implementation libipsec via the kernel-libipsec plugin. It does require TUN devices, so if that's not possible on your VPS, you're out of luck. And it also has some performance limitations (read the notes on the linked page).

ecdsa
  • Yes, this is what I was looking for. Though setting it up hasn't been easy, I'm a novice. Thank you for this assist, it got me connected, albeit I'm failing to ping the subnet machine on the other end of my tunnel. Maybe I'm doing that wrong, I don't know. I'm using **ping -I ** and this gives me 100% packets lost. – user8385240 Oct 21 '21 at 17:06
  • You shouldn't need to ping using a specific interface for this to work. If the IPsec tunnel can be established, it's likely a configuration issue somewhere in the swanctl configuration but this no longer has anything to do with this issue and should be asked as a separate question after existing questions have been looked at. This will make it easier for you to get clearer answers and for others to find answers to similar issues – Ginnungagap Oct 21 '21 at 22:06
  • Noted, and thank you. – user8385240 Oct 23 '21 at 04:49
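
Added example, not part of either answer: a preflight check to run on the VPS that reports which of the modules listed in the question are visible from inside the guest and whether `/dev/net/tun` can be opened, which is what kernel-libipsec depends on. The function names and result labels are made up for this example; module names differ between kernel versions, so a name reported as missing is a hint rather than proof.

```shell
#!/bin/sh
# Added example (not from the answers): can this VPS run kernel IPsec, or only
# strongSwan's user-space kernel-libipsec, which needs a TUN device?

# Module list copied from the question.
IPSEC_MODULES="ah4 ah6 esp4 esp6 xfrm4_tunnel xfrm6_tunnel xfrm_user ip_tunnel tunnel tunnel6 xfrm4_mode_tunnel xfrm6_mode_tunnel"

# module_present NAME LOADED_FILE MODDIR
# True if NAME is loaded, built into the kernel, or shipped as a module file.
module_present() {
    name=$1 loaded=$2 moddir=$3
    alt=$(printf '%s' "$name" | tr '_' '-')   # file names may use '-' for '_'
    grep -q "^$name " "$loaded" 2>/dev/null && return 0
    grep -Eq "/($name|$alt)\.ko\$" "$moddir/modules.builtin" 2>/dev/null && return 0
    find "$moddir" \( -name "$name.ko*" -o -name "$alt.ko*" \) 2>/dev/null | grep -q . && return 0
    return 1
}

# missing_modules LOADED_FILE MODDIR: print the unavailable modules on one line.
missing_modules() {
    out=
    for m in $IPSEC_MODULES; do
        module_present "$m" "$1" "$2" || out="$out $m"
    done
    printf '%s\n' "${out# }"
}

# tun_usable DEV: true if DEV is a character device that opens read-write.
tun_usable() {
    [ -c "$1" ] && ( : <>"$1" ) 2>/dev/null
}

# recommend MISSING_LIST TUN_OK(yes|no): label for the backend that can work.
recommend() {
    if [ -z "$1" ]; then echo "kernel-ipsec"
    elif [ "$2" = yes ]; then echo "kernel-libipsec"
    else echo "neither"        # fall back to a user-space VPN such as OpenVPN
    fi
}

preflight() {
    missing=$(missing_modules /proc/modules "/lib/modules/$(uname -r)")
    if tun_usable /dev/net/tun; then tun=yes; else tun=no; fi
    echo "missing kernel modules: ${missing:-none}"
    echo "TUN device usable: $tun"
    echo "result: $(recommend "$missing" "$tun")"
}
preflight
```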
0

No, most IPsec VPNs will require those modules simply because IPsec is actually handled by the kernel and not by the software which mostly handles keying.

Alternatives would be to use a full user mode reimplementation of IPsec (I only know of test implementations, nothing production grade but feel free to look around) or an alternative full user mode VPN (i.e. OpenVPN).

Otherwise it might be worth checking if your VPS provider supports the required kernel modules for WireGuard (I expect not).

Finally, dedicated servers aren't necessarily that much more expensive, I'm looking at <5$/month, though they have little to no SLAs for that price.

Ginnungagap
  • Thank you, please share the services that are providing dedicated servers at those prices. My startup really needs all I can save right now. – user8385240 Oct 21 '21 at 17:12
  • Product recommendations are off-topic for SF and I believe @ecdsa's answer is a better fit for you anyway so go with it! – Ginnungagap Oct 21 '21 at 22:08