In this tutorial, you will learn how to install and configure the Libreswan VPN client on Ubuntu/Debian systems. We are using Ubuntu 20.04 and Debian 11 systems as our Libreswan IPsec road warrior VPN clients. Road warriors are travelling users with mobile clients, such as laptops, that have a dynamically assigned IP address. These clients are authenticated using certificates.
To set up a Libreswan IPsec VPN server that allows road warriors to connect, follow our guide on the link provided below;
Setup IPSec VPN server with Libreswan on Rocky Linux
Install and Configure Libreswan VPN Client on Ubuntu/Debian Systems
In the guide above, we generated certificates for two hosts, janedoe.kifarunix-demo.com and johndoe.kifarunix-demo.com.
As already mentioned, we will use the two certificate files on Ubuntu 20.04 and Debian 11 client hosts respectively.
Install Libreswan on Ubuntu/Debian systems
On your Ubuntu/Debian systems, install the libreswan package.
apt update
apt install libreswan
Configuring Libreswan Client on Ubuntu/Debian
Create Libreswan Client VPN connection configuration file
vim /etc/ipsec.d/johndoe.conf
Enter the content below;
conn vpn.kifarunix-demo.com
left=%defaultroute
leftcert=johndoe.kifarunix-demo.com
leftid=%fromcert
leftrsasigkey=%cert
leftsubnet=0.0.0.0/0
leftmodecfgclient=yes
right=vpn.kifarunix-demo.com
rightsubnet=0.0.0.0/0
rightid=@vpn.kifarunix-demo.com
rightrsasigkey=%cert
narrowing=yes
ikev2=insist
rekey=yes
fragmentation=yes
mobike=no
auto=start
If you are using hostnames, ensure that they are resolvable.
Similarly, on your second client host;
vim /etc/ipsec.d/janedoe.conf
conn vpn.kifarunix-demo.com
left=%defaultroute
leftcert=janedoe.kifarunix-demo.com
leftid=%fromcert
leftrsasigkey=%cert
leftsubnet=0.0.0.0/0
leftmodecfgclient=yes
right=vpn.kifarunix-demo.com
rightsubnet=0.0.0.0/0
rightid=@vpn.kifarunix-demo.com
rightrsasigkey=%cert
narrowing=yes
ikev2=insist
rekey=yes
fragmentation=yes
mobike=no
auto=start
Check the configuration syntax;
On Ubuntu
/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig
On Debian;
/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
Similarly, run the command below to verify the configuration;
ipsec verify
Sample output;
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 4.3 (netkey) on 5.10.0-8-amd64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [FAILED]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
ipsec verify: encountered 4 errors - see 'man ipsec_verify' for help
From the command output, we need to disable ICMP send_redirects and accept_redirects, which the verification flags as [NOT DISABLED]. This can be done as follows;
echo "net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
sysctl -p
Rerun the verification command and check the output;
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 4.3 (netkey) on 5.10.0-8-amd64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [FAILED]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
ipsec verify: encountered 2 errors - see 'man ipsec_verify' for help
Pluto is not running since we haven't started IPsec yet, which is fine for now.
Initialize NSS database;
sudo ipsec checknss
Import the client’s PKCS#12 X.509 certificate files into the NSS database;
sudo ipsec import janedoe.kifarunix-demo.com.p12
Do the same on the other client host. Press ENTER to skip the PKCS12 password.
Enter password for PKCS12 file: ENTER
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Kifarunix-demo CA
You can list available certificates on the client host;
sudo certutil -L -d sql:/var/lib/ipsec/nss
Sample command output;
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
johndoe.kifarunix-demo.com u,u,u
Kifarunix-demo CA CT,,
Start IPSec and enable it to run on system boot.
sudo systemctl start ipsec
sudo systemctl enable ipsec
Check the status;
systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2022-04-15 06:07:16 UTC; 24s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 2952 ExecStartPre=/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Process: 2953 ExecStartPre=/usr/lib/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 3441 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 3442 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Main PID: 3456 (pluto)
Status: "Startup completed."
Tasks: 3 (limit: 2282)
Memory: 6.5M
CGroup: /system.slice/ipsec.service
└─3456 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: loading root certificate cache
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: Authenticated using RSA
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_ADDRESS 10.0.8.10
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 8.8.8.8
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 10.0.8.1
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: up-client output: updating resolvconf
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-655>
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x7458cc33 <0x84f3773d xfr>
From the status output, you can see the assigned IP address: INTERNAL_IP4_ADDRESS 10.0.8.10.
Check the status on the other remote host as well;
systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2022-04-15 10:28:01 EAT; 46s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 2767 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Process: 2768 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 3005 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 3006 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Main PID: 3017 (pluto)
Status: "Startup completed."
Tasks: 3 (limit: 4679)
Memory: 3.6M
CPU: 436ms
CGroup: /system.slice/ipsec.service
└─3017 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Apr 15 10:28:01 debian11 pluto[3017]: loading root certificate cache
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: authenticated using RSA with SHA1
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_ADDRESS 10.0.8.11
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 8.8.8.8
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 10.0.8.1
Apr 15 10:28:02 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: up-client output: updating resolvconf
Apr 15 10:28:02 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: negotiated connection [10.0.8.11-10.0.8.11:0-65535 0] -> [0.0.0.0-255.255.255.255:0-655>
Apr 15 10:28:02 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: IPsec SA established tunnel mode {ESPinUDP=>0x6281339e <0xfe11f33f xfrm=AES_GCM_16_256->
You can also use the command below to check the status;
ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface enp0s3/enp0s3 10.0.2.15@4500
000 interface enp0s3/enp0s3 10.0.2.15@500
000 interface enp0s8/enp0s8 192.168.56.104@4500
000 interface enp0s8/enp0s8 192.168.56.104@500
000 interface enp0s8/enp0s8 192.168.56.120@4500
000 interface enp0s8/enp0s8 192.168.56.120@500
000 interface enp0s9/enp0s9 192.168.57.6@4500
000 interface enp0s9/enp0s9 192.168.57.6@500
000 interface enp0s9/enp0s9 192.168.57.7@4500
000 interface enp0s9/enp0s9 192.168.57.7@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/var/lib/ipsec/nss, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/usr/share/dns/root.key, dnssec-trusted=
000 sbindir=/usr/sbin, libexecdir=/usr/lib/ipsec
000 pluto_version=3.29, pluto_vendorid=OE-Libreswan-3.29
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
000 ocsp-trust-name=
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "vpn.kifarunix-demo.com": 0.0.0.0/0===10.0.2.15[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]---10.0.2.2...192.168.58.43[@vpn.kifarunix-demo.com]===0.0.0.0/0; unrouted; eroute owner: #0
000 "vpn.kifarunix-demo.com": oriented; my_ip=unset; their_ip=unset; mycert=janedoe.kifarunix-demo.com; my_updown=ipsec _updown;
000 "vpn.kifarunix-demo.com": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "vpn.kifarunix-demo.com": our auth:rsasig, their auth:rsasig
000 "vpn.kifarunix-demo.com": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "vpn.kifarunix-demo.com": labeled_ipsec:no;
000 "vpn.kifarunix-demo.com": policy_label:unset;
000 "vpn.kifarunix-demo.com": CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'%any'
000 "vpn.kifarunix-demo.com": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpn.kifarunix-demo.com": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpn.kifarunix-demo.com": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "vpn.kifarunix-demo.com": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "vpn.kifarunix-demo.com": conn_prio: 0,0; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "vpn.kifarunix-demo.com": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "vpn.kifarunix-demo.com": our idtype: ID_DER_ASN1_DN; our id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_FQDN; their id=@vpn.kifarunix-demo.com
000 "vpn.kifarunix-demo.com": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "vpn.kifarunix-demo.com": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn.kifarunix-demo.com"[1]: 10.0.8.10/32===10.0.2.15[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]---10.0.2.2...192.168.58.43[@vpn.kifarunix-demo.com]===0.0.0.0/0; erouted; eroute owner: #2
000 "vpn.kifarunix-demo.com"[1]: oriented; my_ip=10.0.8.10; their_ip=unset; mycert=janedoe.kifarunix-demo.com; my_updown=ipsec _updown;
000 "vpn.kifarunix-demo.com"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "vpn.kifarunix-demo.com"[1]: our auth:rsasig, their auth:rsasig
000 "vpn.kifarunix-demo.com"[1]: modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "vpn.kifarunix-demo.com"[1]: labeled_ipsec:no;
000 "vpn.kifarunix-demo.com"[1]: policy_label:unset;
000 "vpn.kifarunix-demo.com"[1]: CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'%any'
000 "vpn.kifarunix-demo.com"[1]: ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpn.kifarunix-demo.com"[1]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpn.kifarunix-demo.com"[1]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "vpn.kifarunix-demo.com"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "vpn.kifarunix-demo.com"[1]: conn_prio: 0,0; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "vpn.kifarunix-demo.com"[1]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "vpn.kifarunix-demo.com"[1]: our idtype: ID_DER_ASN1_DN; our id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_FQDN; their id=@vpn.kifarunix-demo.com
000 "vpn.kifarunix-demo.com"[1]: dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "vpn.kifarunix-demo.com"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "vpn.kifarunix-demo.com"[1]: IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-DH19
000 "vpn.kifarunix-demo.com"[1]: ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=
000
000 Total IPsec connections: loaded 2, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "vpn.kifarunix-demo.com"[1] 192.168.58.43:4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2590s; newest ISAKMP; idle;
000 #2: "vpn.kifarunix-demo.com"[1] 192.168.58.43:4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 28031s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "vpn.kifarunix-demo.com"[1] 192.168.58.43 [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000
000 Bare Shunt list:
000
On my other client host, the assigned address is INTERNAL_IP4_ADDRESS 10.0.8.11.
Load the connection on each client host (with auto=start the connection is already loaded and brought up when the ipsec service starts, as the status output above shows; the commands below do the same manually);
sudo ipsec auto --add vpn.kifarunix-demo.com
Establish the tunnel by bringing up the connection on each host;
sudo ipsec auto --up vpn.kifarunix-demo.com
Sample connection output;
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: initiating v2 parent SA
133 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: initiate
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43: constructed local IKE proposals for vpn.kifarunix-demo.com (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 (default)
133 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: Received unauthenticated INVALID_KE_PAYLOAD response to DH MODP2048; resending with suggested DH DH19
133 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43: constructed local ESP/AH proposals for vpn.kifarunix-demo.com (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
134 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'
003 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: Authenticated using RSA
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_ADDRESS 10.0.8.10
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 8.8.8.8
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 10.0.8.1
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: up-client output: updating resolvconf
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0]
004 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x882f7889 <0xf418dbb8 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=192.168.58.43:4500 DPD=passive}
From each host, ping the VPN assigned IP address of the other.
ping 10.0.8.11 -c 4
PING 10.0.8.11 (10.0.8.11) 56(84) bytes of data.
64 bytes from 10.0.8.11: icmp_seq=1 ttl=63 time=2.82 ms
64 bytes from 10.0.8.11: icmp_seq=2 ttl=63 time=2.84 ms
64 bytes from 10.0.8.11: icmp_seq=3 ttl=63 time=3.06 ms
64 bytes from 10.0.8.11: icmp_seq=4 ttl=63 time=2.83 ms
--- 10.0.8.11 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3010ms
rtt min/avg/max/mdev = 2.820/2.888/3.060/0.099 ms
On the other host;
ping 10.0.8.10 -c 4
PING 10.0.8.10 (10.0.8.10) 56(84) bytes of data.
64 bytes from 10.0.8.10: icmp_seq=1 ttl=63 time=1.63 ms
64 bytes from 10.0.8.10: icmp_seq=2 ttl=63 time=2.38 ms
64 bytes from 10.0.8.10: icmp_seq=3 ttl=63 time=3.18 ms
64 bytes from 10.0.8.10: icmp_seq=4 ttl=63 time=2.86 ms
--- 10.0.8.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.631/2.516/3.187/0.588 ms
The two remote hosts can now communicate via the IPsec VPN server.
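The steps above (render the per-client conn file, read the ipsec verify result, confirm the redirect sysctls, and pull the pushed address, authentication method and ESP algorithm out of the pluto output) as an added helper script. It is not part of the original guide or of Libreswan; it assumes the guide's conn name, certificate nicknames and server FQDN, and runs on constructed sample output so no libreswan install is needed.

```shell
#!/usr/bin/env bash
# Added helper script for the road-warrior client setup above. Not from the
# original guide or from Libreswan; it assumes the guide's conn name, cert
# nicknames and server FQDN and parses the same pluto output the guide shows.
set -eu

# Render one client conn file (the guide's settings) for a certificate
# nickname and server FQDN; rightid is the server's FQDN identity (@fqdn).
render_conn() {
  local cert="$1" server="$2" kv
  printf 'conn %s\n' "$server"
  for kv in "left=%defaultroute" "leftcert=$cert" "leftid=%fromcert" \
      "leftrsasigkey=%cert" "leftsubnet=0.0.0.0/0" "leftmodecfgclient=yes" \
      "right=$server" "rightsubnet=0.0.0.0/0" "rightid=@$server" \
      "rightrsasigkey=%cert" "narrowing=yes" "ikev2=insist" "rekey=yes" \
      "fragmentation=yes" "mobike=no" "auto=start"; do
    printf '    %s\n' "$kv"
  done
}

# Names of the 'ipsec verify' checks that did not come back [OK] (stdin).
verify_failures() {
  grep -E '\[(NOT DISABLED|FAILED|WARNING|DISABLED)\]' |
    sed -E 's/[[:space:]]+\[[^]]*\][[:space:]]*$//'
}

# The two sysctls the guide sets must read 0. $1 is the /proc/sys root,
# parameterised so the check can be exercised against a constructed tree.
redirects_disabled() {
  local root="${1:-/proc/sys}" key
  for key in net/ipv4/conf/default/accept_redirects \
             net/ipv4/conf/default/send_redirects; do
    [ "$(cat "$root/$key" 2>/dev/null)" = "0" ] || return 1
  done
}

# Summarise an established tunnel from pluto log lines on stdin: the pushed
# INTERNAL_IP4_ADDRESS, the peer authentication method and the child SA's
# ESP algorithm. Fails if any of the three is missing.
tunnel_summary() {
  local log ip auth esp
  log=$(cat)
  ip=$(printf '%s\n' "$log" |
    sed -nE 's/.*received INTERNAL_IP4_ADDRESS ([0-9.]+).*/\1/p' | tail -n 1)
  auth=$(printf '%s\n' "$log" |
    sed -nE 's/.*[Aa]uthenticated using ([A-Za-z0-9 _]+).*/\1/p' | tail -n 1)
  esp=$(printf '%s\n' "$log" |
    sed -nE 's/.*IPsec SA established.*xfrm=([A-Za-z0-9_-]+).*/\1/p' | tail -n 1)
  [ -n "$ip" ] && [ -n "$auth" ] && [ -n "$esp" ] || return 1
  printf 'ip=%s auth=%s esp=%s\n' "$ip" "$auth" "$esp"
  # "RSA with SHA1" is the classic IKEv2 RSA signature method; libreswan's
  # authby=rsa-sha2 restricts both ends to RFC 7427 SHA-2 signatures.
  case "$auth" in *SHA1*) echo 'warning: peer used SHA-1 RSA signatures' >&2 ;; esac
}

# Constructed samples in the shape of the guide's ubuntu20 output.
SAMPLE_LOG='"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: Authenticated using RSA
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_ADDRESS 10.0.8.10
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x882f7889 <0xf418dbb8 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=192.168.58.43:4500 DPD=passive}'
SAMPLE_VERIFY='Version check and ipsec on-path [OK]
ICMP default/send_redirects [NOT DISABLED]
ICMP default/accept_redirects [NOT DISABLED]
Checking that pluto is running [FAILED]'

# Demo run over the constructed samples.
render_conn johndoe.kifarunix-demo.com vpn.kifarunix-demo.com
printf '%s\n' "$SAMPLE_VERIFY" | verify_failures
printf '%s\n' "$SAMPLE_LOG" | tunnel_summary
```

To check a live client, feed `journalctl -u ipsec` or the `ipsec auto --up` output to tunnel_summary and call redirects_disabled with no argument.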
And that concludes our guide on how to install and configure Libreswan IPSec VPN client on Ubuntu/Debian Systems.
Read more on the Libreswan Configuration Examples page.