Setting up site-to-site on Linux server

Prerequisites

• SECRET_KEY - replace with your generated secret preshared key
• NordLayerIP - replace with the IP of your NordLayer dedicated server
• YourIP - replace with your public static IP
• LocalSubnet - replace with the IP of your local subnet

sudo apt-get update && apt-get upgrade

sudo apt-get install strongswan libcharon-extra-plugins

pacman -S strongswan

Setting up Site-to-site client on Linux server

cat<<EOF>/etc/ipsec.secrets
YourIP NordLayerIP : PSK "SECRET_KEY"
EOF

cat<<EOF>/etc/ipsec.conf
config setup
  charondebug="all"
  uniqueids=yes
  strictcrlpolicy=no

conn Nordlayer
  authby=secret
  left=YourIP
  leftsubnet=LocalSubnet
  right=NordLayerIP
  rightsubnet=10.6.0.0/20
  ike=aes256-sha256-modp2048
  esp=aes256-sha256-modp2048
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  auto=start
EOF

Add some iptable rules

/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 10.6.0.0/20 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

• Pre-shared key - you can generate it or we can provide it
• Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are highly recommended (also must support IKEv2)
• Remote gateway/router public IP (must be reachable while connected to the dedicated server)
• Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.