Install and Configure Libreswan VPN Client on Ubuntu/Debian


In this tutorial, you will learn how to install and configure the Libreswan VPN client on Ubuntu/Debian systems. We use Ubuntu 20.04 and Debian 11 hosts as Libreswan IPsec road-warrior VPN clients. Road warriors are travelling users with mobile clients such as laptops, which get a dynamically assigned IP address. They are authenticated using X.509 certificates issued by the VPN server's CA.

To set up the Libreswan IPsec VPN server that these road warriors connect to, follow our guide at the link below;

Setup IPSec VPN server with Libreswan on Rocky Linux

Install and Configure Libreswan VPN Client on Ubuntu/Debian Systems

In that guide we generated certificates, exported as PKCS#12 bundles, for two client identities, janedoe.kifarunix-demo.com and johndoe.kifarunix-demo.com.

We will use them on the Ubuntu 20.04 and Debian 11 client hosts respectively. Copy each host's .p12 bundle to it over a secure channel (scp, for example): the bundle contains the client's private key.

Install Libreswan on Ubuntu/Debian systems

On your Ubuntu/Debian systems, install libreswan package.

apt update
apt install libreswan

Configuring Libreswan Client on Ubuntu/Debian

Create the Libreswan client VPN connection configuration file. On the Debian 11 host (johndoe);

vim /etc/ipsec.d/johndoe.conf

Enter the content below;

conn vpn.kifarunix-demo.com
	left=%defaultroute
	leftcert=johndoe.kifarunix-demo.com
	leftid=%fromcert
	leftrsasigkey=%cert
	leftsubnet=0.0.0.0/0
	leftmodecfgclient=yes
	right=vpn.kifarunix-demo.com
	rightsubnet=0.0.0.0/0
	rightid=@vpn.kifarunix-demo.com
	rightrsasigkey=%cert
	narrowing=yes
	ikev2=insist
	rekey=yes
	fragmentation=yes
	mobike=no
	auto=start

A few of these options carry the security of the setup and are worth understanding. leftcert is the nickname of the client certificate in pluto's NSS database (it is set when you import the PKCS#12 bundle below, and must match exactly), and leftid=%fromcert sends the certificate's subject DN as our identity. rightid=@vpn.kifarunix-demo.com is the identity we expect the server to present, and rightrsasigkey=%cert tells pluto to authenticate the server with the certificate it sends, which must chain to the CA imported into the NSS database. rightsubnet=0.0.0.0/0 together with narrowing=yes makes this a full tunnel: once it is up, all of the client's traffic is routed to the VPN server. ikev2=insist refuses to fall back to IKEv1.

If you are using hostnames, ensure that they are resolvable.

Similarly, on the Ubuntu 20.04 host (janedoe);

vim /etc/ipsec.d/janedoe.conf

conn vpn.kifarunix-demo.com
	left=%defaultroute
	leftcert=janedoe.kifarunix-demo.com
	leftid=%fromcert
	leftrsasigkey=%cert
	leftsubnet=0.0.0.0/0
	leftmodecfgclient=yes
	right=vpn.kifarunix-demo.com
	rightsubnet=0.0.0.0/0
	rightid=@vpn.kifarunix-demo.com
	rightrsasigkey=%cert
	narrowing=yes
	ikev2=insist
	rekey=yes
	fragmentation=yes
	mobike=no
	auto=start

Check the configuration syntax;

On Ubuntu

/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig

On Debian;

/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig

Similarly, run the command below to verify the configuration;

ipsec verify

Sample output (this one is from the Debian 11 host, which ships Libreswan 4.3; Ubuntu 20.04 ships Libreswan 3.29);

Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 4.3 (netkey) on 5.10.0-8-amd64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects            	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[FAILED]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OK]

ipsec verify: encountered 4 errors - see 'man ipsec_verify' for help

From the command output, both the send_redirects and the accept_redirects checks are flagged. ICMP redirects let another host on the local segment alter this host's route to a destination, and as the warning says the XFRM/NETKEY stack can both act on and emit bogus ones, so disable them on the client. Note that the warning refers to /proc/sys/net/ipv4/conf/*/, that is, every interface: the "default" keys only apply to interfaces created later, so set the "all" keys as well to cover the interfaces that already exist. Persist the settings and apply them;

cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
sysctl -p

Rerun the verification command again and check the output;

ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 4.3 (netkey) on 5.10.0-8-amd64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[FAILED]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OK]

ipsec verify: encountered 2 errors - see 'man ipsec_verify' for help

Pluto is reported as not running simply because we haven't started the ipsec service yet; that is expected at this point.
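The check below is an added example, not part of the original guide or of Libreswan itself. It audits the ICMP-redirect sysctls the way the warning recommends, over every directory under net/ipv4/conf rather than only "default" (so an interface that is still at 1 is reported even after the default keys were set), and it can write a drop-in under /etc/sysctl.d covering both "all" and "default". The drop-in name 50-libreswan.conf is an assumption; the optional root-directory argument exists so the audit can be pointed at a constructed fake tree instead of /proc/sys.

```shell
#!/bin/sh
# Added example, not from the Libreswan guide above: audit and persist the ICMP
# redirect sysctls that `ipsec verify` complains about. POSIX sh, coreutils only.

# check_icmp_redirects [ROOT]
# Walks ROOT/net/ipv4/conf/*/ (ROOT defaults to /proc/sys) and prints, in sysctl
# key = value form, every accept_redirects/send_redirects knob that is not 0.
# Returns 0 if all knobs are disabled, 1 otherwise.
check_icmp_redirects() {
    root="${1:-/proc/sys}"
    rc=0
    for dir in "$root"/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        iface="${dir##*/}"
        for knob in accept_redirects send_redirects; do
            [ -r "$dir/$knob" ] || continue
            val="$(cat "$dir/$knob")"
            if [ "$val" != "0" ]; then
                echo "net.ipv4.conf.$iface.$knob = $val"
                rc=1
            fi
        done
    done
    return "$rc"
}

# persist_icmp_redirects [FILE]
# Writes a sysctl drop-in (assumed name: /etc/sysctl.d/50-libreswan.conf) that
# disables the knobs for "all" (interfaces that exist now) and "default"
# (interfaces created later), then loads it. Must run as root.
persist_icmp_redirects() {
    conf="${1:-/etc/sysctl.d/50-libreswan.conf}"
    cat > "$conf" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
    sysctl -p "$conf"
}

# Run directly: report what is still enabled on this kernel.
if check_icmp_redirects; then
    echo "ICMP redirect handling is disabled on all interfaces"
else
    echo "run persist_icmp_redirects (as root) to fix the knobs listed above"
fi
```

Run it once before and once after applying the sysctl change; the second run should print nothing but the "disabled on all interfaces" line.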

Initialize the NSS database (pluto stores certificates and their private keys there, under /var/lib/ipsec/nss);

sudo ipsec checknss

Import the client's PKCS#12 bundle, which holds the client certificate, its private key and the CA certificate, into the NSS database. On the Ubuntu 20.04 host;

sudo ipsec import janedoe.kifarunix-demo.com.p12

Do the same on the Debian 11 host with johndoe.kifarunix-demo.com.p12. If the bundle was exported without a password, just press ENTER at the prompt;

Enter password for PKCS12 file: ENTER
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Kifarunix-demo CA

The last line shows that ipsec import marked the bundled CA as a trusted CA in the NSS database; that trust is what lets pluto verify the server's certificate during IKE. Since the bundle contains the client's private key, delete the .p12 file from the host once it has been imported and do not leave copies in world-readable locations.

You can list the certificates in the NSS database on the client host (certutil is provided by the libnss3-tools package on Debian/Ubuntu);

sudo certutil -L -d sql:/var/lib/ipsec/nss

Sample command output (this listing is from the johndoe host);

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

johndoe.kifarunix-demo.com                                   u,u,u
Kifarunix-demo CA                                            CT,,

The trust column matters: u,u,u marks the client's own certificate, whose private key is in the database, and CT,, marks the CA as trusted to issue server (C) and client (T) certificates. The nickname in the first column is what leftcert= in the conn file must match exactly.
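Before starting the service it is worth confirming that the nickname in leftcert= exists in the NSS database with its private key (the u flag) and that the CA carries the C trust flag, because a nickname typo or an untrusted CA only surfaces later as a failed negotiation. The script below is an added example, not part of the original guide or of Libreswan: it reads leftcert= from a conn file and checks it against a certutil -L listing. The listing it ships with is constructed from the sample output above; on a real host, feed it the output of sudo certutil -L -d sql:/var/lib/ipsec/nss.

```shell
#!/bin/sh
# Added example, not from the Libreswan guide: pre-flight check of the client
# certificate and CA in pluto's NSS database against the conn file.

# Constructed sample listing, copied from the `certutil -L` output shown in the guide.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

johndoe.kifarunix-demo.com                                   u,u,u
Kifarunix-demo CA                                            CT,,'

# leftcert_of CONN_FILE -> the leftcert= value (first one found); tabs tolerated.
leftcert_of() {
    sed -n 's/^[[:space:]]*leftcert=[[:space:]]*//p' "$1" | head -n 1
}

# nss_trust LISTING NICKNAME -> the trust-attribute column for NICKNAME, or nothing.
# certutil -L prints "<nickname, may contain spaces>   <SSL,S/MIME,JAR/XPI flags>":
# the flags are the last field and the nickname is every field before it.
nss_trust() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            n = $1; for (i = 2; i < NF; i++) n = n " " $i
            if (n == nick) { print $NF; exit }
        }'
}

# preflight CONN_FILE LISTING CA_NICKNAME
# Prints one line per problem; returns 0 when the conn can authenticate.
preflight() {
    cert="$(leftcert_of "$1")"
    [ -n "$cert" ] || { echo "no leftcert= in $1"; return 1; }
    bad=0
    trust="$(nss_trust "$2" "$cert")"
    case "${trust%%,*}" in            # SSL slot: "u" = our own cert, private key present
        *u*) ;;
        "")  echo "leftcert '$cert' is not in the NSS database"; bad=1 ;;
        *)   echo "'$cert' is in the database but without a private key (trust $trust)"; bad=1 ;;
    esac
    trust="$(nss_trust "$2" "$3")"
    case "${trust%%,*}" in            # SSL slot: "C" = trusted to issue server certificates
        *C*) ;;
        "")  echo "CA '$3' is not in the NSS database"; bad=1 ;;
        *)   echo "CA '$3' lacks the C trust flag (trust $trust); fix with: certutil -M -d sql:/var/lib/ipsec/nss -n '$3' -t 'CT,,'"; bad=1 ;;
    esac
    return "$bad"
}

# Run directly (as root): check the guide's johndoe conn file, if present, against
# the live NSS database.
if [ -r /etc/ipsec.d/johndoe.conf ] && command -v certutil >/dev/null 2>&1; then
    preflight /etc/ipsec.d/johndoe.conf "$(certutil -L -d sql:/var/lib/ipsec/nss)" "Kifarunix-demo CA" \
        && echo "preflight OK"
fi
```

A conn file that names janedoe.kifarunix-demo.com on the johndoe host fails the first check with "not in the NSS database", which is exactly the mismatch that otherwise shows up only when pluto cannot find a certificate to authenticate with.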

Start IPsec;

sudo systemctl start ipsec

The unit is not enabled by default (the status output below shows "disabled; vendor preset: disabled"), so to have the VPN come up on boot as well, enable it;

sudo systemctl enable ipsec

Check the status;

systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-04-15 06:07:16 UTC; 24s ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 2952 ExecStartPre=/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Process: 2953 ExecStartPre=/usr/lib/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
    Process: 3441 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
    Process: 3442 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
   Main PID: 3456 (pluto)
     Status: "Startup completed."
      Tasks: 3 (limit: 2282)
     Memory: 6.5M
     CGroup: /system.slice/ipsec.service
             └─3456 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: loading root certificate cache
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: Authenticated using RSA
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_ADDRESS 10.0.8.10
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 8.8.8.8
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 10.0.8.1
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: up-client output: updating resolvconf
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-655>
Apr 15 06:07:16 ubuntu20 pluto[3456]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x7458cc33 <0x84f3773d xfr>

The journal lines in the status output show the sequence you want to see: the server's certificate was verified against the imported CA, the server identified itself as CN=vpn.kifarunix-demo.com, O=Kifarunix-demo and authenticated with its RSA key, and mode config then assigned this client INTERNAL_IP4_ADDRESS 10.0.8.10 along with two DNS servers (8.8.8.8 and 10.0.8.1), which the up-client script wrote into resolvconf. Those pushed resolvers are used by the host for as long as the tunnel is up.

Check the status on the other remote host as well;

systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-04-15 10:28:01 EAT; 46s ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 2767 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Process: 2768 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
    Process: 3005 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
    Process: 3006 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
   Main PID: 3017 (pluto)
     Status: "Startup completed."
      Tasks: 3 (limit: 4679)
     Memory: 3.6M
        CPU: 436ms
     CGroup: /system.slice/ipsec.service
             └─3017 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Apr 15 10:28:01 debian11 pluto[3017]: loading root certificate cache
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: authenticated using RSA with SHA1
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_ADDRESS 10.0.8.11
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 8.8.8.8
Apr 15 10:28:01 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 10.0.8.1
Apr 15 10:28:02 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: up-client output: updating resolvconf
Apr 15 10:28:02 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: negotiated connection [10.0.8.11-10.0.8.11:0-65535 0] -> [0.0.0.0-255.255.255.255:0-655>
Apr 15 10:28:02 debian11 pluto[3017]: "vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: IPsec SA established tunnel mode {ESPinUDP=>0x6281339e <0xfe11f33f xfrm=AES_GCM_16_256->

You can also use the command below to check the status;

ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::[email protected]
000 interface lo/lo [email protected]
000 interface lo/lo [email protected]
000 interface enp0s3/enp0s3 [email protected]
000 interface enp0s3/enp0s3 [email protected]
000 interface enp0s8/enp0s8 [email protected]
000 interface enp0s8/enp0s8 [email protected]
000 interface enp0s8/enp0s8 [email protected]
000 interface enp0s8/enp0s8 [email protected]
000 interface enp0s9/enp0s9 [email protected]
000 interface enp0s9/enp0s9 [email protected]
000 interface enp0s9/enp0s9 [email protected]
000 interface enp0s9/enp0s9 [email protected]
000  
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/var/lib/ipsec/nss, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/usr/share/dns/root.key, dnssec-trusted=
000 sbindir=/usr/sbin, libexecdir=/usr/lib/ipsec
000 pluto_version=3.29, pluto_vendorid=OE-Libreswan-3.29
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
000 ocsp-trust-name=
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=
000 secctx-attr-type=32001
000 debug:
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "vpn.kifarunix-demo.com": 0.0.0.0/0===10.0.2.15[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]---10.0.2.2...192.168.58.43[@vpn.kifarunix-demo.com]===0.0.0.0/0; unrouted; eroute owner: #0
000 "vpn.kifarunix-demo.com":     oriented; my_ip=unset; their_ip=unset; mycert=janedoe.kifarunix-demo.com; my_updown=ipsec _updown;
000 "vpn.kifarunix-demo.com":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "vpn.kifarunix-demo.com":   our auth:rsasig, their auth:rsasig
000 "vpn.kifarunix-demo.com":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "vpn.kifarunix-demo.com":   labeled_ipsec:no;
000 "vpn.kifarunix-demo.com":   policy_label:unset;
000 "vpn.kifarunix-demo.com":   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'%any'
000 "vpn.kifarunix-demo.com":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpn.kifarunix-demo.com":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpn.kifarunix-demo.com":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "vpn.kifarunix-demo.com":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "vpn.kifarunix-demo.com":   conn_prio: 0,0; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "vpn.kifarunix-demo.com":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "vpn.kifarunix-demo.com":   our idtype: ID_DER_ASN1_DN; our id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_FQDN; their id=@vpn.kifarunix-demo.com
000 "vpn.kifarunix-demo.com":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "vpn.kifarunix-demo.com":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn.kifarunix-demo.com"[1]: 10.0.8.10/32===10.0.2.15[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]---10.0.2.2...192.168.58.43[@vpn.kifarunix-demo.com]===0.0.0.0/0; erouted; eroute owner: #2
000 "vpn.kifarunix-demo.com"[1]:     oriented; my_ip=10.0.8.10; their_ip=unset; mycert=janedoe.kifarunix-demo.com; my_updown=ipsec _updown;
000 "vpn.kifarunix-demo.com"[1]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "vpn.kifarunix-demo.com"[1]:   our auth:rsasig, their auth:rsasig
000 "vpn.kifarunix-demo.com"[1]:   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "vpn.kifarunix-demo.com"[1]:   labeled_ipsec:no;
000 "vpn.kifarunix-demo.com"[1]:   policy_label:unset;
000 "vpn.kifarunix-demo.com"[1]:   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'%any'
000 "vpn.kifarunix-demo.com"[1]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpn.kifarunix-demo.com"[1]:   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpn.kifarunix-demo.com"[1]:   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "vpn.kifarunix-demo.com"[1]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "vpn.kifarunix-demo.com"[1]:   conn_prio: 0,0; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "vpn.kifarunix-demo.com"[1]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "vpn.kifarunix-demo.com"[1]:   our idtype: ID_DER_ASN1_DN; our id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_FQDN; their id=@vpn.kifarunix-demo.com
000 "vpn.kifarunix-demo.com"[1]:   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "vpn.kifarunix-demo.com"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "vpn.kifarunix-demo.com"[1]:   IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-DH19
000 "vpn.kifarunix-demo.com"[1]:   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=
000  
000 Total IPsec connections: loaded 2, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #1: "vpn.kifarunix-demo.com"[1] 192.168.58.43:4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2590s; newest ISAKMP; idle;
000 #2: "vpn.kifarunix-demo.com"[1] 192.168.58.43:4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 28031s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "vpn.kifarunix-demo.com"[1] 192.168.58.43 [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B 
000  
000 Bare Shunt list:
000  

The other client host was assigned INTERNAL_IP4_ADDRESS 10.0.8.11.

Because the connections use auto=start, pluto loaded them and brought the tunnels up when the service started, as the status output shows. If you edit a conn file later, reload it and bring the tunnel up by hand on that client host;

sudo ipsec auto --add vpn.kifarunix-demo.com
sudo ipsec auto --up vpn.kifarunix-demo.com

(sudo ipsec auto --down vpn.kifarunix-demo.com tears the tunnel down again.)

Sample connection output. Note the INVALID_KE_PAYLOAD line: the client's first proposal used MODP2048 for the key exchange, the server replied that it wants DH19 (ECP_256), and pluto retried with that group, so the negotiation costs one extra round trip but is otherwise unaffected. The result is an IKE SA using AES_GCM_16_256 with the HMAC_SHA2_512 PRF over DH19, and a child SA carrying ESP with AES_GCM_16_256;

002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: initiating v2 parent SA
133 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: initiate
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43: constructed local IKE proposals for vpn.kifarunix-demo.com (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 (default)
133 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: Received unauthenticated INVALID_KE_PAYLOAD response to DH MODP2048; resending with suggested DH DH19
133 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #3: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43: constructed local ESP/AH proposals for vpn.kifarunix-demo.com (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
134 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'
003 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: Authenticated using RSA
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_ADDRESS 10.0.8.10
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 8.8.8.8
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 10.0.8.1
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: up-client output: updating resolvconf
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0]
004 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x882f7889 <0xf418dbb8 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=192.168.58.43:4500 DPD=passive}
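The lines above tell you what was actually negotiated. The script below is an added example, not part of the guide or of Libreswan: it pulls the assigned address, the IKE cipher/PRF/group and the ESP transform out of pluto's log lines and fails if the server certificate was not verified, mode config did not complete, or a weak group, cipher or transform was agreed. The first sample log is constructed from the output above; the second, weak one is made up to show the negative case; and the lists of acceptable algorithms encode a policy of my own, not anything Libreswan ships.

```shell
#!/bin/sh
# Added example, not from the Libreswan guide: extract what pluto negotiated
# from its log lines and flag weak choices. Usage on a live client:
#   journalctl -u ipsec --no-pager -o cat | audit_pluto_log
# or: audit_pluto_log "$(sudo ipsec auto --up vpn.kifarunix-demo.com 2>&1)"

# Constructed sample, copied from the `ipsec auto --up` lines shown in the guide.
SAMPLE_LOG='134 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
003 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: Authenticated using RSA
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_ADDRESS 10.0.8.10
004 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x882f7889 <0xf418dbb8 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=192.168.58.43:4500 DPD=passive}'

# Constructed counter-example (made up, not from the guide): a downgraded negotiation.
WEAK_LOG='134 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP1024}
002 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_ADDRESS 10.0.8.10
004 "vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x1 <0x2 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.168.58.43:4500 DPD=passive}'

# log_kv LOG KEY -> value of the last "KEY=value" found inside a {...} summary.
log_kv() {
    printf '%s\n' "$1" | sed -n "s/.*[{ ]$2=\([^ }]*\).*/\1/p" | tail -n 1
}

# assigned_ip LOG -> the address the server pushed via mode config, if any.
assigned_ip() {
    printf '%s\n' "$1" | sed -n 's/.*received INTERNAL_IP4_ADDRESS \([0-9.]*\).*/\1/p' | tail -n 1
}

# audit_pluto_log [LOG]   (reads stdin when no argument is given)
# Prints one finding per line and returns 1 if anything looks wrong.
audit_pluto_log() {
    log="${1:-$(cat)}"
    bad=0
    printf '%s\n' "$log" | grep -q 'IPsec SA established' \
        || { echo "no IPsec SA established"; bad=1; }
    printf '%s\n' "$log" | grep -q 'certificate verified OK' \
        || { echo "server certificate was not verified (no 'certificate verified OK')"; bad=1; }
    [ -n "$(assigned_ip "$log")" ] \
        || { echo "no INTERNAL_IP4_ADDRESS received (mode config did not complete)"; bad=1; }
    case "$(log_kv "$log" group)" in        # policy: ECP groups or MODP >= 2048 only
        DH19|DH20|DH21|DH31|MODP2048|MODP3072|MODP4096|MODP6144|MODP8192) ;;
        *) echo "weak or missing IKE DH group: '$(log_kv "$log" group)'"; bad=1 ;;
    esac
    case "$(log_kv "$log" cipher)" in       # policy: AES or ChaCha20 for IKE
        AES_GCM*|AES_CBC*|CHACHA20*) ;;
        *) echo "weak or missing IKE cipher: '$(log_kv "$log" cipher)'"; bad=1 ;;
    esac
    case "$(log_kv "$log" xfrm)" in         # policy: AEAD, or AES with a SHA-2 MAC, for ESP
        AES_GCM*|CHACHA20_POLY1305*) ;;     # AEAD carries its own integrity; "-NONE" is fine
        AES_CBC*-HMAC_SHA2*|AES_CTR*-HMAC_SHA2*) ;;
        *) echo "weak or missing ESP transform: '$(log_kv "$log" xfrm)'"; bad=1 ;;
    esac
    return "$bad"
}

# tunnel_summary LOG -> one line with the facts you usually want to record.
tunnel_summary() {
    echo "ip=$(assigned_ip "$1") ike=$(log_kv "$1" cipher)/$(log_kv "$1" prf)/$(log_kv "$1" group) esp=$(log_kv "$1" xfrm)"
}

tunnel_summary "$SAMPLE_LOG"
audit_pluto_log "$SAMPLE_LOG" && echo "sample negotiation: no findings"
```

On the sample from this guide the audit is clean and the summary reads ip=10.0.8.10 ike=AES_GCM_16_256/HMAC_SHA2_512/DH19 esp=AES_GCM_16_256-NONE; the made-up weak log is flagged on the DH group, the IKE cipher, the ESP transform and the missing certificate verification.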

From each host, ping the VPN-assigned IP address of the other;

ping 10.0.8.11 -c 4
PING 10.0.8.11 (10.0.8.11) 56(84) bytes of data.
64 bytes from 10.0.8.11: icmp_seq=1 ttl=63 time=2.82 ms
64 bytes from 10.0.8.11: icmp_seq=2 ttl=63 time=2.84 ms
64 bytes from 10.0.8.11: icmp_seq=3 ttl=63 time=3.06 ms
64 bytes from 10.0.8.11: icmp_seq=4 ttl=63 time=2.83 ms

--- 10.0.8.11 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3010ms
rtt min/avg/max/mdev = 2.820/2.888/3.060/0.099 ms

On the other host;

ping 10.0.8.10 -c 4
PING 10.0.8.10 (10.0.8.10) 56(84) bytes of data.
64 bytes from 10.0.8.10: icmp_seq=1 ttl=63 time=1.63 ms
64 bytes from 10.0.8.10: icmp_seq=2 ttl=63 time=2.38 ms
64 bytes from 10.0.8.10: icmp_seq=3 ttl=63 time=3.18 ms
64 bytes from 10.0.8.10: icmp_seq=4 ttl=63 time=2.86 ms

--- 10.0.8.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.631/2.516/3.187/0.588 ms

The two road-warrior clients can now reach each other through the IPsec VPN server; the ttl=63 in the replies is the one extra hop through the server. Because rightsubnet=0.0.0.0/0 sends all of the client's traffic into the tunnel, you can confirm that ordinary traffic is also being encapsulated by watching the ESP byte counters for the connection with ipsec trafficstatus on the client.

And that concludes our guide on how to install and configure Libreswan IPSec VPN client on Ubuntu/Debian Systems.

Read more on Libreswan Configuration Examples page.
