IPsec VPN configuration

November 14, 2023


IPsec VPN is a an excellent method to create a secured point-to-point connection between two internal networks. It is an alterative to the traditionnal IP filtering. Jahia Cloud offers IPsec VPN out of the box. Some prior knowledge is required in order to perform the full setup by yourself, otherwise, your Jahia Support team is here to help!


IPsec VPN tunnels can be created to allow network traffic between the Tomcat servers of a Jahia Cloud environment and your infrastructure. Traffic cannot be routed to other backends such as Elasticsearch, Galera clusters and jCustomers.


Supported connection types include Mobike, and only Pre-Shared Key (PSK) is accepted for authentication. Other connection types and authentication methods is not compatible with our IPSec setup. 


Jahia Cloud uses strongSwan as an IPsec VPN Server. Jahia Cloud users can deploy a single strongSwan configuration file named ipsec.conf (see related documentation) as well as a pre-shared key (PSK) used by the VPN client and server to authenticate.

The ipsec.conf file contains a "left" and "right" section. Here, "right" is the Cloud client section, "left" is Jahia Cloud. The left part needs to be defined to "%any" and the type of the connections needs to be defined to "site-to-site".

The rightsubnet property needs to be set to define which subnet will be made available to the Jahia nodes via the tunnel.

Overlapping subnets

The rightsubnet property must not overlap with the Jahia Cloud environment's subnets:,,,

In case of a network overlap, IPs need to be NATed with non-overlapping subnetworks on the client side.


No automated DNS resolution will be handled by the Jahia Cloud client infrastructure's DNS servers. In case some "internal" DNS resolution must happen, the domains to be resolved need to be configured using the internal_domains custom property, as follows (hash signs included, do not remove them):

## internal_domains=mydomain1.com,mydomain2.com


If the IPsec VPN connection doesn't succeed right away, please reach out to the Support team to get help. We will gladly help you troubleshoot the issue.

Code example

Here is a simple configuration sample of a working IPsec Connection:

conn customer-infra
    ## internal_domains=mydomain1.com,mydomain2.com
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpdtimeout = 600s
    auto = route
    rightid = CUSTOMER_PUBLIC_IP
    ikelifetime = 28800s
    lifetime = 3600s
    left = %any
    leftsourceip = %config
    leftdns = %config
    ike = aes128-sha1-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1536,aes192-sha256-modp3072!
    esp = aes128-sha256-modp2048,aes128gcm128-sha256-modp2048,aes192gcm128-sha256-modp2048,aes192gcm96-sha256-modp2048,aes192gcm64-sha256-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha256-modp2048,blowfish256-sha256-modp2048,blowfish192-sha256-modp2048,blowfish128-sha256-modp2048,3des-sha256-modp2048!
    authby = psk
    aggressive = no

In the secret field, put the secret with the following format:



You can verify the status of your custom IPsec VPN configuration at any time. Follow these steps to access the connection status:

  1. Go to Jahia Cloud
  2. Click on "Monitoring" in the top right corner.
  3. Select "Monitor" and then choose "Manage Monitor"
  4. In the filter, enter "IPsec" and press "Enter."