How to Secure Your Debian Server with IPsec on a Debian 12 (Bookworm) System

This article provides a step-by-step guide on how to secure your Debian 12 (Bookworm) server using IPsec.

Securing data in transit is a vital part of server hardening and overall cybersecurity. When it comes to protecting your Debian server, one of the most powerful tools available is IPsec (Internet Protocol Security). It provides secure communication over IP networks by authenticating and encrypting each IP packet in a communication session.

In this article, we’ll explore how to set up IPsec on Debian 12 (Bookworm) using strongSwan, a popular open-source IPsec-based VPN solution. This guide will walk you through the essential concepts, the installation process, and configuration best practices for securing your server traffic using IPsec.

1. Introduction to IPsec

IPsec is a suite of protocols that authenticate and encrypt IP packets. It is used in both transport mode and tunnel mode, depending on whether you’re securing individual IP packets or tunneling entire communications between hosts or gateways.

Key components of IPsec include:

  • Authentication Header (AH) – Ensures data origin authenticity and integrity.
  • Encapsulating Security Payload (ESP) – Provides encryption and integrity protection.
  • Internet Key Exchange (IKEv1/IKEv2) – Establishes and manages security associations (SAs) for IPsec.

2. Why Use IPsec on Debian 12?

Debian 12 (Bookworm) is a stable and widely-used server OS, ideal for running secure web servers, mail servers, and databases. Using IPsec on your Debian 12 system offers:

  • Secure communications between your server and clients or other servers.
  • Protection against man-in-the-middle (MITM) attacks by authenticating and encrypting IP packets.
  • Compatibility with other IPsec clients, including Windows, macOS, Android, and Linux.

Whether you’re managing a single VPS or multiple datacenter nodes, adding IPsec strengthens your network perimeter.


3. IPsec Modes and Protocols

Before diving into the setup, let’s understand the modes of IPsec:

  • Transport Mode – Encrypts only the payload of IP packets. Typically used for end-to-end communication between two hosts.
  • Tunnel Mode – Encrypts the entire IP packet and encapsulates it in a new packet. Ideal for site-to-site VPNs or server-client tunnels.

We’ll focus on tunnel mode for this setup, as it’s the most common and effective for server security.


4. Installing IPsec (strongSwan) on Debian 12

Debian 12 Bookworm includes strongSwan in its official repositories. Follow these steps to install:

Step 1: Update Your System

sudo apt update && sudo apt upgrade -y

Step 2: Install strongSwan

sudo apt install strongswan strongswan-pki libcharon-extra-plugins -y

This installs:

  • strongswan: Core daemon
  • strongswan-pki: For certificate management
  • libcharon-extra-plugins: Adds support for additional authentication and tunneling mechanisms

5. Basic IPsec Configuration on Debian Server

Step 1: Generate a CA and a Server Certificate

Although pre-shared keys (PSKs) can be used, certificates are more secure, so this guide creates a private CA and a server certificate with strongSwan's pki tool.

mkdir -p ~/ipsec-certs
cd ~/ipsec-certs

# Create a CA
ipsec pki --gen --type rsa --size 4096 --outform pem > ca.key.pem
ipsec pki --self --ca --lifetime 3650 --in ca.key.pem --type rsa \
  --dn "CN=MyVPN Root CA" --outform pem > ca.cert.pem

# Create server certificate
ipsec pki --gen --type rsa --size 4096 --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --type rsa | \
  ipsec pki --issue --lifetime 1825 \
  --cacert ca.cert.pem --cakey ca.key.pem \
  --dn "CN=server.example.com" --san "server.example.com" \
  --flag serverAuth --outform pem > server.cert.pem

Then move the keys and certificates into the appropriate strongSwan directories and make sure the private key is readable only by root (files created by the shell redirections above are world-readable under the default umask). The CA key ca.key.pem is not needed by the server and should stay out of /etc/ipsec.d:

sudo cp ca.cert.pem /etc/ipsec.d/cacerts/
sudo cp server.cert.pem /etc/ipsec.d/certs/
sudo cp server.key.pem /etc/ipsec.d/private/
sudo chmod 600 /etc/ipsec.d/private/server.key.pem

Step 2: Configure /etc/ipsec.conf

sudo nano /etc/ipsec.conf

Sample configuration:

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2"

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn myvpn
    left=%any
    leftid=@server.example.com
    leftcert=server.cert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
    auto=add

Step 3: Configure Authentication in /etc/ipsec.secrets

sudo nano /etc/ipsec.secrets

Add the server key reference and the user credentials:

: RSA server.key.pem
testuser : EAP "StrongPassword123"
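A pre-flight lint of the settings above before the daemon is reloaded, as an added example that is not part of the original article. CONF is an abbreviated, constructed copy of the sample configuration, and the helper names setting and lint_conf are my own.

```shell
#!/bin/sh
# Added example, not from the original article: lint an ipsec.conf for the
# settings this guide relies on before reloading strongSwan. CONF is an
# abbreviated copy of the article's server configuration, embedded as a
# constructed sample; on a live host use: CONF=$(sudo cat /etc/ipsec.conf)
CONF='conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

conn myvpn
    leftid=@server.example.com
    leftcert=server.cert.pem
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    auto=add'

# setting CONF KEY -> value of the first KEY= line (quotes stripped), or nothing.
setting() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1 | tr -d '"'
}

# lint_conf CONF -> prints one finding per line and returns the number of
# findings, so 0 means the file matches the guide's recommendations.
lint_conf() {
    n=0
    [ "$(setting "$1" keyexchange)" = ikev2 ] ||
        { echo "keyexchange is not ikev2"; n=$((n + 1)); }
    for k in ike esp; do
        v=$(setting "$1" "$k")
        case "$v" in
            *!) ;;  # trailing ! = strict: charon offers only these proposals
            *) echo "$k=$v is not strict; without ! the default proposals are offered too"
               n=$((n + 1)) ;;
        esac
    done
    case "$(setting "$1" rightauth)$(setting "$1" leftauth)$(setting "$1" authby)" in
        *psk*|*secret*) echo "PSK authentication configured; prefer certificates"; n=$((n + 1)) ;;
    esac
    [ -n "$(setting "$1" leftcert)" ] ||
        { echo "no leftcert: the server cannot present a certificate"; n=$((n + 1)); }
    return "$n"
}

lint_conf "$CONF" && echo "ipsec.conf matches the guide's recommendations"
```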

6. Configuring IPsec on a Client (Linux)

You can use strongSwan on the client as well. Install it the same way, copy ca.cert.pem into /etc/ipsec.d/cacerts/ so the client can verify the server certificate, then configure /etc/ipsec.conf:

conn myvpn
    keyexchange=ikev2
    auto=start
    right=server.example.com
    rightid=@server.example.com
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    eap_identity=testuser
    leftauth=eap-mschapv2

And add your credentials to /etc/ipsec.secrets:

testuser : EAP "StrongPassword123"

Restart the IPsec service. On Debian 12 the daemon driven by /etc/ipsec.conf runs under strongswan-starter.service (strongswan.service belongs to the swanctl-based charon-systemd package):

sudo systemctl restart strongswan-starter

7. Testing the IPsec Tunnel

To check if your tunnel is established correctly, use:

sudo ipsec statusall

Look for ESTABLISHED on the IKE SA line and INSTALLED on the CHILD SA line of your connection profile (myvpn).

To check logs for errors:

sudo journalctl -u strongswan-starter

You should also be able to ping the server’s VPN-assigned IP address (e.g., 10.10.10.1).
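A check of the statusall output for the two states above, and for negotiated algorithms outside the aes256/sha256/modp2048 set this guide configures, as an added example that is not from the original article. STATUS is a constructed sample in the layout charon prints; the names tunnel_up, weak_algorithms and WEAK are my own.

```shell
#!/bin/sh
# Added example, not from the original article: check "ipsec statusall"
# output for an established myvpn tunnel and for negotiated algorithms the
# best-practices section rules out. STATUS is a constructed sample in the
# layout charon prints; on a live host use: STATUS=$(sudo ipsec statusall)
STATUS='Security Associations (1 up, 0 connecting):
       myvpn[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[server.example.com]...198.51.100.7[testuser]
       myvpn[3]: IKEv2 SPIs: 1a2b3c4d5e6f7788_i 99aabbccddeeff00_r*, rekeying disabled
       myvpn[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
       myvpn{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1d2e3f4_i 0a1b2c3d_o
       myvpn{5}:  AES_CBC_256/HMAC_SHA2_256_128, 4096 bytes_i (32 pkts, 3s ago), 2048 bytes_o (16 pkts, 3s ago), rekeying disabled
       myvpn{5}:   0.0.0.0/0 === 10.10.10.1/32'

# Algorithm names, as charon prints them, that must not appear in a
# negotiated proposal given the ike=/esp= lines used in this guide.
WEAK='3DES|DES_CBC|MD5|SHA1|MODP_768|MODP_1024|MODP_1536|NULL'

# tunnel_up CONN STATUS -> 0 when CONN has an ESTABLISHED IKE_SA (conn[n])
# and an INSTALLED CHILD_SA (conn{n}), 1 otherwise.
tunnel_up() {
    printf '%s\n' "$2" | grep -q "^ *$1\[[0-9]*\]: ESTABLISHED" &&
    printf '%s\n' "$2" | grep -q "^ *$1[{][0-9]*[}]: *INSTALLED"
}

# weak_algorithms STATUS -> prints each proposal line that uses a weak
# algorithm and returns 1; returns 0 when every proposal is clean.
weak_algorithms() {
    printf '%s\n' "$1" |
        grep -E 'IKE proposal:|^ *[A-Za-z0-9_-]+[{][0-9]+[}]: *[A-Z0-9_]+/' |
        grep -E -- "$WEAK" && return 1
    return 0
}

if tunnel_up myvpn "$STATUS"; then
    echo "myvpn: IKE_SA established and CHILD_SA installed"
else
    echo "myvpn: tunnel is not up" >&2
fi
weak_algorithms "$STATUS" && echo "no weak algorithms negotiated"
```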


8. Security Best Practices

  • Use strong encryption: Stick with aes256 and sha256 for both IKE and ESP.
  • Use certificates instead of PSK when possible.
  • Firewall rules: Allow only the ports IPsec needs (UDP 500 for IKE and UDP 4500 for NAT traversal, plus IP protocol 50, ESP, when peers are not behind NAT).
  • Disable unused plugins: Remove unnecessary strongSwan plugins to minimize attack surface.
  • Regularly rotate credentials: Especially for EAP or PSK-based setups.
  • Enable logging for audit purposes.

Example firewall configuration using ufw:

sudo ufw allow 500,4500/udp

9. Troubleshooting Tips

  • Tunnel not coming up? Ensure correct time synchronization (install ntp).
  • Connection issues? Verify your DNS and firewall settings.
  • Error messages? Look into /var/log/syslog or run journalctl -xe.
  • Client fails to authenticate? Double-check secrets format and credentials.
  • Connectivity problems post-connection? Check route table and IP forwarding.

Enable IP forwarding if not already:

sudo sysctl -w net.ipv4.ip_forward=1

Persist it by editing /etc/sysctl.conf:

net.ipv4.ip_forward = 1

10. Conclusion

Implementing IPsec on your Debian 12 (Bookworm) system significantly enhances your server’s security posture, especially when data needs to travel over untrusted networks. With strongSwan, setting up and managing IPsec tunnels becomes straightforward while offering enterprise-grade protection.

Although IPsec setup may appear complex at first, understanding its structure and following a methodical approach ensures a secure, reliable, and scalable solution. Whether you’re aiming to secure remote access to internal resources or interconnect multiple servers securely, IPsec is a robust choice that integrates seamlessly with the Debian ecosystem.

Keep your configurations updated, monitor your logs regularly, and follow best practices to maintain a resilient, encrypted network environment.