--- title: "Setting up site-to-site on Linux server" slug: "site-to-site-linux" updated: 2026-05-07T09:03:07Z published: 2026-05-07T09:03:07Z --- > ## Documentation Index > Fetch the complete documentation index at: https://help.nordlayer.com/llms.txt > Use this file to discover all available pages before exploring further. # Setting up site-to-site on Linux server ## Prerequisites - **SECRET_KEY** - replace with your generated secret preshared key - **NordLayerIP** - replace with the IP of your NordLayer server with a dedicated IP - **YourIP** - replace with your public static IP - **LocalSubnet** - replace with the IP of your local subnet Note: Before setting up site-to-site, make sure you have all the dependencies on your Linux server. You can do that by running the following command: ``` sudo apt-get update && apt-get upgrade ``` Also, you will need to have the following packages: ``` sudo apt-get install strongswan libcharon-extra-plugins ``` For **Arch-based** **distributions** and others, you might not have libcharon packages, as they are in the strongswan package. You can simply run the following command and it will suffice: ``` pacman -S strongswan ``` ## Setting up Site-to-site client on Linux server ``` cat</etc/ipsec.secrets YourIP NordLayerIP : PSK "SECRET_KEY" EOF ``` ``` cat</etc/ipsec.conf config setup charondebug="all" uniqueids=yes strictcrlpolicy=no ``` ``` conn Nordlayer authby=secret left=YourIP leftsubnet=LocalSubnet right=NordLayerIP rightsubnet=10.6.0.0/20 ike=aes256-sha256-modp2048 esp=aes256-sha256-modp2048 keyingtries=0 ikelifetime=1h lifetime=8h dpddelay=30 dpdtimeout=120 dpdaction=restart auto=start EOF ``` ## Add some iptable rules ``` /sbin/iptables -A INPUT -p esp -j ACCEPT /sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -s 10.6.0.0/20 -o InternalInterface -j MASQUERADE /sbin/iptables net.ipv4.ip_forward = 1 ``` *InternalInterface should correspond to your main network adapter - usually eth0 ## Ending note: In order to finalize the site-to-site tunnel, please create a setup in [Sites tab of the NordLayer Control Panel](/v1/docs/site-to-site). - Pre-shared key - you can generate it or we can provide it - Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2) - Remote gateway/router public IP (must be reachable while connected to the server with a dedicated IP) - Remote subnet and mask (the subnet is used in your local network) **Note**: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our [24/7 customer support team](/docs/how-do-i-contact-nordlayer-customer-support).