u/artheyo

▲ 1 r/ccna

Is there any definitive practical structured IPsec configuration guide?

I'm looking for a definitive, practical, and structured guide for learning and configuring IPsec. Not just random vendor docs or copy-paste configs, but something that teaches:

* Tunnel mode vs Transport mode

* IKEv1 vs IKEv2

* Phase 1 / Phase 2

* route-based vs policy-based VPNs

* troubleshooting

* interoperability between vendors

* real-world deployment practices

Could be:

* a book (not some huge book though)

* a course

* documentation

* CCNP/JNCIS material

* strongSwan/pfSense/Fortinet/Cisco focused

* even specific chapters from larger networking books

What would you recommend?

reddit.com
u/artheyo — 6 days ago
▲ 3 r/ccnp

The remote side sent me the following IPsec parameters and I need to configure an IPsec tunnel on a dedicated server hosted at Hetzner.

The host is running Ubuntu Server 22.04 LTS and I’m planning to use strongSwan.

One important detail: the server’s public IP is configured directly on the Ubuntu host interface.

Remote side configuration

General

  • Tunnel mode: Tunnel
  • Peer IP Address: Their Public IP
  • Peer is behind NAT: Yes
  • Peer ID: 10.12.26.11
  • Encryption domain: 10.100.51.0/24

Phase 1 (IKE)

  • Authentication: PSK
  • IKE version: IKEv2
  • DH Group: Group 14
  • Encryption: AES-CBC-256
  • Hash: SHA256
  • Lifetime: 86400

Phase 2 (ESP)

  • Encapsulation: ESP
  • Encryption: AES-256
  • Integrity: SHA256
  • PFS: Group 14
  • Lifetime: 28800

I need to send my side's configuration as well.

I have limited experience with IPsec, so I have a few questions:

  1. From this information alone, can I determine whether this is supposed to be a policy-based VPN or a route-based VPN?
  2. Since my Ubuntu server has the public IP directly assigned to its interface and there are no devices behind it:
    • what should I use for:
      • Peer ID
      • Encryption domain
      • NAT-related settings on my side?
  3. This is a production server and only a few services should use the IPsec tunnel. Those services only need to make API requests to 3 specific external URLs, so only their traffic should go over IPsec. Everything else on the server must continue using the normal default gateway.

What is the correct/recommended way to achieve this with strongSwan?

Any guidance would be greatly appreciated.

reddit.com
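A constructed strongSwan swanctl.conf that maps the remote side's parameter sheet onto swanctl syntax as a policy-based tunnel; this is an added example, not part of the post. The addresses 203.0.113.10 (local) and 198.51.100.20 (remote), the connection and child names, and the choice of the host's own /32 as the local traffic selector are assumptions.

```conf
# Constructed swanctl.conf for the parameters quoted above (not from the post).
# Assumed values: local public IP 203.0.113.10, remote public IP 198.51.100.20,
# connection/child names, and the local traffic selector (this host only).
connections {
    hetzner-to-remote {
        version = 2                        # IKE version: IKEv2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20       # "Peer IP Address: Their Public IP"
        # Phase 1: AES-CBC-256 = aes256, SHA256 = sha256 (integrity and PRF),
        # DH Group 14 = modp2048
        proposals = aes256-sha256-modp2048
        # Phase 1 lifetime 86400 s = 24h. strongSwan rekeys at rekey_time and
        # deletes the SA at rekey_time + over_time, so 22h + 2h = 24h hard.
        rekey_time = 22h
        over_time  = 2h
        local {
            auth = psk
            id = 203.0.113.10              # our Peer ID: the address on the interface
        }
        remote {
            auth = psk
            id = 10.12.26.11               # their Peer ID (private; peer is behind NAT,
        }                                  # NAT-T is detected and negotiated automatically)
        children {
            api-services {
                mode = tunnel              # "Tunnel mode: Tunnel"
                local_ts  = 203.0.113.10/32    # our encryption domain: this host only
                remote_ts = 10.100.51.0/24     # their encryption domain
                # Phase 2: ESP, AES-256 + SHA256 integrity, PFS with Group 14
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 7h            # Phase 2 lifetime 28800 s = 8h hard
                life_time  = 8h
                start_action = trap        # install policies now; IKE starts on first matching packet
                dpd_action   = restart
            }
        }
    }
}
secrets {
    ike-remote {
        id-1 = 10.12.26.11
        secret = "REPLACE_WITH_THE_AGREED_PSK"   # placeholder, not a real secret
    }
}
```

With a policy-based tunnel only packets matching local_ts/remote_ts are protected, and everything else keeps following the normal default gateway, so the three API endpoints must resolve to addresses inside 10.100.51.0/24 for their traffic to use the tunnel. Check the installed policies with `swanctl --list-pols` and the negotiated SAs with `swanctl --list-sas` after `swanctl --load-all`.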