Welcome to our today’s guide on how to setup IPSec VPN server with Libreswan on CentOS 8. Libreswan is a free implementation of IKE/IPsec for Linux. IPsec is the Internet Protocol Security which uses strong cryptography to provide both authentication and encryption services and allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.
IKE manages the authentication between two communicating end points. It also enables endpoints to negotiate on algorithms to use to setup an IPsec tunnel.
In our previous guide, we covered how to install and configure IPSec VPN using StrongSwan on Ubuntu 18.04. See the link below;
Configure IPSEC VPN using StrongSwan on Ubuntu 18.04
Setting up IPSec VPN Server with Libreswan
There are different VPN Server-client implementations of Libreswan. In this guide, we are going to learn how setup IPSec VPN server for the mobile clients (clients with dynamically assigned IPs such as laptops) here in known as road warriors, so that they can be able to connect to local LAN from anywhere. Mobile clients are authenticated using certificates and hence uses the IKEv2 protocol.
IKEv2 (Internet Key Exchange version 2) is a VPN encryption protocol that handles request and response actions. IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.
Run system Update
Update your system packages on the server to be used as Libreswan VPN server.
dnf updateInstall Libreswan on CentOS 8
Once the update is done, install Libreswan. Libreswan is available on CentOS 8 AppStream repos and hence, you can simply install using the package manager as follows;
dnf install libreswanRunning Libreswan
Once the installation is done, start and enable Libreswan ipsec service to run on system boot.
systemctl enable --now ipsecInitialize IPSec NSS Database
Next, you need to initialize the Network Security Services (NSS) database. NSS database is used to store authentication keys and identity certificates.
ipsec initnssIf there is any previous database, you can remove it so that you can have a new database. The NSS database is stored under /etc/ipsec.d.
To remove any old databases, stop IPsec, if running and remove NSS databases by running the commands below;
systemctl stop ipsecrm -rf /etc/ipsec.d/*dbYou can then re-initialize the NSS database;
ipsec initnssThen start IPSec;
systemctl start ipsecOpen Libreswan Ports and Protocols on Firewall
The IKE protocol uses UDP port 500 and 4500 while IPsec protocols, Encapsulated Security Payload (ESP) and Authenticated Header (AH) uses protocol number 50 and 51 respectively.
Hence, open these ports and protocols on your active firewall zone on your VPN (Left Endpoint) Server in this guide.
firewall-cmd --get-active-zoneTo open the ports and firewall on the default firewalld zone;
firewall-cmd --add-port={4500,500}/udp --permanentfirewall-cmd --add-protocol={50,51} --permanentOr you can simply use the IPSec service;
firewall-cmd --add-service=ipsec --permanentReload FirewallD
firewall-cmd --reloadConfigure IPSec VPN Server with Libreswan
Libreswan doesn’t use the client-server model. It however uses the terms left and right to refer to endpoints involved in any given connection. The left/right terms can be used arbitrarily to refer to each system as long as you maintain consistency in using the terms while configuring your connections.
Enable IP Forwarding
On both the VPN server, you need to enable IP forwarding.
Run the command below to check if IP forwarding is enabled;
sysctl net.ipv4.ip_forwardIf the output is net.ipv4.ip_forward = 0, then IP forwarding is disabled and you need to enable by executing either of the command below;
IP forwarding can be enabled by just enabling IP masquerading on firewalld.
firewall-cmd --add-masquerade --permanent
firewall-cmd --reloadYou can the verify IP forwarding;
cat /proc/sys/net/ipv4/ip_forward
1A value of 1 means, IP forwarding is enabled.
Similarly. you can enable IP forwarding by running the commands below;
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.confRefresh with the sysctl.conf with new configuration.
sysctl -pAlso, ensure that redirects are disabled.
less /etc/sysctl.d/50-libreswan.conf
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
Generate VPN Server and Client Certificates
Next, you need to generate the VPN server and clients certificates for use in authentication.
Create Certificates Generation Database
Run the command below to create a database that can be used to generate store a private key and CA certificate for use in generating hosts certificates. We will be using certutil command to generate the certificates.
mkdir /etc/ipsec.d/certsdbcertutil -N -d sql:/etc/ipsec.d/certsdbThe command prompts you to enter the password for encrypting your keys.
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: StRONgPassw0Rd
Re-enter password: StRONgPassw0Rd
Generate CA Certificate
We use self signed certificates in this tutorial and hence, this is how we can generate our local CA certificate.
certutil -S -x -n "Kifarunix-demo CA" -s "O=Kifarunix-demo,CN=Kifarunix-demo CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t "CT,," -2Refer to man certutil to learn about the options used.
When the command runs, you will be first prompted to enter the password for encrypting keys you set above. Enter the password to proceed.
Next, you are required to generate random seed for use in creating of your keys by typing any keys on the keyboard until the progress meter is full. Once it is full, press enter to continue.
...
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue: ENTER
- Next, type y to specify that this is a CA certificate being generated.
- Press ENTER for the path length
- Enter n to specify that this is not a critical extension.
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > ENTER
Is this a critical extension [y/N]?
n
Generate the VPN Server Certificate
Next, generate the server certificate signed using the CA created above and assign extensions to it.
certutil -S -c "Kifarunix-demo CA" -n "vpn.kifarunix-demo.com" -s "O=Kifarunix-demo,CN=vpn.kifarunix-demo.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "vpn.kifarunix-demo.com"Similarly, enter the keys encryption password, generate the seed from the keyboard and press ENTER to continue.
Define the key and the key extension usage.
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 2
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 8
Is this a critical extension [y/N]?
n
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 0
0 - Server Auth
1 - Client Auth
2 - Code Signing
3 - Email Protection
4 - Timestamp
5 - OCSP Responder
6 - Step-up
7 - Microsoft Trust List Signing
Other to finish
> 8
Is this a critical extension [y/N]?
N
Generate the VPN Client Certificate
Run the command below to generate a VPN client certificate. Replace the name of the certificate (hostname used here) with the name of the host whose client certificate you are generating for;
certutil -S -c "Kifarunix-demo CA" -n "janedoe.kifarunix-demo.com" -s "O=Kifarunix-demo,CN=janedoe.kifarunix-demo.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "janedoe.kifarunix-demo.com"Similarly, enter the same options as above.
Listing the Available Certificates in the database
certutil -L -d sql:/etc/ipsec.d/certsdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Kifarunix-demo CA CTu,u,u
vpn.kifarunix-demo.com u,u,u
janedoe.kifarunix-demo.com u,u,u
johndoe.kifarunix-demo.com u,u,u
Export and import the gateway certificate into the pluto DB.
pk12util -o vpn.kifarunix-demo.com.p12 -n "vpn.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdbYou can skip the PKCS12 password.
lsvpn.kifarunix-demo.com.p12Once exported, Import the VPN server certificate to DB.
ipsec import vpn.kifarunix-demo.com.p12Export the client host certificates, private key, and CA certificate. All these will be stored in a .p12 file as specified output file in the command below.
pk12util -o janedoe.kifarunix-demo.com.p12 -n "janedoe.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdbSimilarly, skip the PKCS12 password.
lsjanedoe.kifarunix-demo.com.p12 vpn.kifarunix-demo.com.p12If you have generated certificates for other client hosts, you can as well export them.
Create IPSec VPN Endpoint Configuration file
On your IPSec VPN host, create a configuration file on /etc/ipsec.d directory for your mobile clients. /etc/ipsec.conf is the default configuration file for Libreswan and it has a directive to include other configurations defined on /etc/ipsec.d directory.
vim /etc/ipsec.d/mobile-clients.confPut the following configurations on the file above.
conn roadwarriors
left=vpn.kifarunix-demo.com
leftsubnet=0.0.0.0/0
leftcert=vpn.kifarunix-demo.com
leftid=%fromcert
leftrsasigkey=%cert
leftsendcert=always
right=%any
rightaddresspool=10.0.8.10-10.0.8.254
rightca=%same
rightrsasigkey=%cert
modecfgdns="8.8.8.8,10.0.8.1"
authby=rsasig
auto=start
dpddelay=60
dpdtimeout=300
dpdaction=clear
mobike=yes
ikev2=insist
fragmentation=yes
type=tunnel
Refer to man ipsec.conf for a comprehensive description of the options used above.
Verify the configuration file for any errors;
/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfigIf there is no error, command exit with 0 status.
echo $?Otherwise, any error is displayed on the standard output. Fix the errors before you can proceed.
Enable IPsec logging by uncommenting the line, #logfile=/var/log/pluto.log, on the /etc/ipsec.conf configuration.
config setup
# Normally, pluto logs via syslog.
logfile=/var/log/pluto.log
...Restart IPsec;
systemctl restart ipsecCheck status;
systemctl status ipsecIf ipsec fails to start, there must be a configuration syntax error. Run the command below to pinpoint the error.
journalctl -xeDisable rp_filter for Libreswan and reload all Kernel configurations.
echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.confsysctl --systemVerify IPsec Configuration
To confirm that the IPsec configuration is fine, simply run the command below;
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.29 (netkey) on 4.18.0-193.6.3.el8_2.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
Copy VPN Client Certificates to your Mobile Clients
You can now copy the client certificates to your remote clients and connect to the VPN server.
In this tutorial, we are using Ubuntu 20.04 and Ubuntu 18.04 systems as our remote clients.
We have generated certificates for two hosts, janedoe.kifarunix-demo.com and johndoe.kifarunix-demo.com for Ubuntu 20.04 and Ubuntu 18.04 client hosts respectively.
Configuring Libreswan Client
On your Ubuntu system, install libreswan package.
apt updateapt install libreswanCreate Libreswan Client VPN connection configuration file
vim /etc/ipsec.d/johndoe.confEnter the content below;
conn vpn.kifarunix-demo.com
left=%defaultroute
leftcert=johndoe.kifarunix-demo.com
leftid=%fromcert
leftrsasigkey=%cert
leftsubnet=0.0.0.0/0
leftmodecfgclient=yes
right=vpn.kifarunix-demo.com
rightsubnet=0.0.0.0/0
[email protected]
rightrsasigkey=%cert
narrowing=yes
ikev2=insist
rekey=yes
fragmentation=yes
mobike=no
auto=start
If you are using hostnames, ensure that they are resolvable.
Similarly, on your second host;
vim /etc/ipsec.d/janedoe.conf
conn vpn.kifarunix-demo.com
left=%defaultroute
leftcert=janedoe.kifarunix-demo.com
leftid=%fromcert
leftrsasigkey=%cert
leftsubnet=0.0.0.0/0
leftmodecfgclient=yes
right=vpn.kifarunix-demo.com
rightsubnet=0.0.0.0/0
[email protected]
rightrsasigkey=%cert
narrowing=yes
ikev2=insist
rekey=yes
fragmentation=yes
mobike=no
auto=start
Check the configuration syntax;
/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfigInitialize NSS database;
sudo ipsec checknssImport PKCS#12 X.509 certificate files into the NSS database;
sudo ipsec import janedoe.kifarunix-demo.com.p12Do the same on the other client host. Press ENTER to skip the PCKS12 password.
Enter password for PKCS12 file: ENTER
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Kifarunix-demo CAYou can list available certificates on the client host;
certutil -L -d sql:/var/lib/ipsec/nssStart IPsec and enable it to run on system boot.
sudo ipsec setup startCheck the status;
systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-06-21 12:28:02 EAT; 7min ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 11251 ExecStartPre=/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Process: 11266 ExecStartPre=/usr/lib/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 11742 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 11743 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Main PID: 11757 (pluto)
Status: "Startup completed."
Tasks: 2 (limit: 2319)
Memory: 10.3M
CGroup: /system.slice/ipsec.service
└─11757 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.co>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: Authenticated using RSA
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_ADDRESS 10.0.8.10
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_DNS 8.8.8.8
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_DNS 10.0.8.1
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: up-client output: updating resolvconf
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=
Check the status on the other remote host.
From the status output, you can check assigned IP address, INTERNAL_IP4_ADDRESS 10.0.8.10. On my other client host, INTERNAL_IP4_ADDRESS 10.0.8.11.
Load the connection on each client host;
sudo ipsec auto --add vpn.kifarunix-demo.comEstablish the tunnel by bringing up the connection on each host;
sudo ipsec auto --up vpn.kifarunix-demo.comFrom each host, ping the VPN assigned IP address of the other.
ping 10.0.8.11 -c 4
PING 10.0.8.11 (10.0.8.11) 56(84) bytes of data.
64 bytes from 10.0.8.11: icmp_seq=1 ttl=63 time=2.82 ms
64 bytes from 10.0.8.11: icmp_seq=2 ttl=63 time=2.84 ms
64 bytes from 10.0.8.11: icmp_seq=3 ttl=63 time=3.06 ms
64 bytes from 10.0.8.11: icmp_seq=4 ttl=63 time=2.83 ms
--- 10.0.8.11 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3010ms
rtt min/avg/max/mdev = 2.820/2.888/3.060/0.099 ms
On the other host;
ping 10.0.8.10 -c 4
PING 10.0.8.10 (10.0.8.10) 56(84) bytes of data.
64 bytes from 10.0.8.10: icmp_seq=1 ttl=63 time=1.63 ms
64 bytes from 10.0.8.10: icmp_seq=2 ttl=63 time=2.38 ms
64 bytes from 10.0.8.10: icmp_seq=3 ttl=63 time=3.18 ms
64 bytes from 10.0.8.10: icmp_seq=4 ttl=63 time=2.86 ms
--- 10.0.8.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.631/2.516/3.187/0.588 ms
The two remote hosts can now communicate via IPsec VPN server.
Further Reading/Reference
Libreswan Configuration Examples
Related Tutorials
Install and Setup OpenVPN Server on Ubuntu 20.04
Configure OpenVPN LDAP Based Authentication
Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8
