[[Include(WikiToC)]]
=== Persistent Site to Site VPN === #sitetosite

Each console, as well as the central firewall act as potential VPN endpoints. To establish a site to site vpn, usually you will need to choose a console as the end-point. This will provide L3 access to the control network for that domain. L3 access to data networks will require additional configuration.

The endpoints run [https://www.strongswan.org/ strongSwan VPN]  with the following configuration template (''please contact us for the needed "left" information in `<brackets>` below, as well as a pre-shared key; you will need to provide us with the "right" information in `<brackets>` below, as well as a phone number or other secure (non-email) way to send you the pre-shared key''):

{{{
conn %default
    auto=start
    type=tunnel
    keyexchange=ikev2
    mobike=yes
    fragmentation=yes
    installpolicy=yes

    ike=aes256-sha2_256-ecp384!
    esp=aes256-sha2_256-ecp384!

    dpddelay=10s
    dpdtimeout=60s
    dpdaction=restart

    authby=secret

    left=<console private IP>
    leftid=<console private IP>
    leftsubnet=<domain control network>

conn <yoursite>
    right=<your endpoint public static IP>
    rightid=<your endpoint public static IP or dns name>
    rightsubnet=<your private network to route>

}}}