[[Include(WikiToC)]]
=== Persistent Site to Site VPN === #sitetosite

Each console, as well as the central firewall act as potential VPN endpoints. To establish a site to site vpn, usually you will need to choose a console as the end-point. This will provide L3 access to the control network for that domain. L3 access to data networks will require additional configuration.

The endpoints run stronswan with the following configuration template. 

We will provide the needed "left" information in `<brackets>` below, as well as a pre-shared key.

You will need to provide us with the "right" information in `<brackets>` below, as well as a phone number or other secure (non-email) way to send you the pre-shared key.

{{{
conn %default
    auto=start
    type=tunnel
    keyexchange=ikev2
    mobike=yes
    fragmentation=yes
    installpolicy=yes

    ike=aes256-sha2_256-ecp384!
    esp=aes256-sha2_256-ecp384!

    dpddelay=10s
    dpdtimeout=60s
    dpdaction=restart

    authby=secret

    left=<console private IP>
    leftid=<console private IP>
    leftsubnet=<domain control network>

conn <yoursite>
    right=<your endpoint public static IP>
    rightid=<your endpoint public static IP or dns name>
    rightsubnet=<your private network to route>

}}}