The STACKIT VPN appliance is a Linux-based IPsec (strongSwan) appliance designed to simplify site-to-site VPN connections to a VPC tenant. The appliance is a self-managed solution that has to be operated by the customer.

The appliance is authenticated via web (https) using a local single user login.


The appliance offers several modules, a server and a client module.

These can be used to map the following two scenarios:

  • Road Warrior client to site connections
  • Site to site connections

VPN Connection Options

IPsec connections support a number of authentication methods the ones listed below are currently supported:

  • IKEv1 & IKEv2
  • Certificate-based authentication
  • EAP-TLS (Certificate)
  • PSK (Pre Shared Key)
  • EAP (Username/Password)

IPsec Policy

The settings listed here are used as the IKE / IPsec policy. The remote terminal must be configured accordingly to these settings.

Further down in the document you will find examples of how to configure connections to various remote stations.

IKE encryptionAES128 - AES192 - AES265
IKE AuthenticationSHA2 265 - SHA2 384 - SHA2 512
IKE SA Lifetimemax. 14000
IKE DH GroupGroup 14-18: MODP 2048-3072-4096-6144-8192 Group 19-21: ECP256-384-521

IPsec encryptionAES128 GCM - AES192 GCM - AES265 GCM
IPsec SA Lifetimemax. 3600
IPsec PFS GroupGroup 14-18: MODP 2048-3072-4096-6144-8192 Group 19-21: ECP256-384-521

This list shows the possible and supported encryption methods of the VPN appliance. No settings need to be made in the appliance itself, as these are automatically synchronized with the remote terminal.

Basics IPsec VPN

For IPsec connections, it must be ensured that one of the two sides is active. This means that the connection is actively initiated and the other side is passive, i.e. respond only. In the language of the appliance, this is start for the active part and trap for the passive part.