Setup IPSec VPN Server with Libreswan on CentOS 8

0
1132

Welcome to our today’s guide on how to setup IPSec VPN server with Libreswan on CentOS 8. Libreswan is a free implementation of IKE/IPsec for Linux. IPsec is the Internet Protocol Security which uses strong cryptography to provide both authentication and encryption services and allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.

IKE manages the authentication between two communicating end points. It also enables endpoints to negotiate on algorithms to use to setup an IPsec tunnel.

In our previous guide, we covered how to install and configure IPSec VPN using StrongSwan on Ubuntu 18.04. See the link below;

Configure IPSEC VPN using StrongSwan on Ubuntu 18.04

Setup IPSec VPN Server with Libreswan on CentOS 8

There are different VPN Server-client implementations of Libreswan. In this guide, we are going to learn how setup IPSec VPN server for the mobile clients (clients with dynamically assigned IPs such as laptops) here in known as road warriors, so that they can be able to connect to local LAN from anywhere. Mobile clients are authenticated using certificates and hence uses the IKEv2 protocol.

IKEv2 (Internet Key Exchange version 2) is a VPN encryption protocol that handles request and response actions. IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.

Run system Update

Update your system packages on the server to be used as Libreswan VPN server.

dnf update

Install Libreswan on CentOS 8

Once the update is done, install Libreswan. Libreswan is available on CentOS 8 AppStream repos and hence, you can simply install using the package manager as follows;

dnf install libreswan

Running Libreswan

Once the installation is done, start and enable Libreswan ipsec service to run on system boot.

systemctl enable --now ipsec

Initialize IPSec NSS Database

Next, you need to initialize the Network Security Services (NSS) database. NSS database is used to store authentication keys and identity certificates.

ipsec initnss

If there is any previous database, you can remove it so that you can have a new database. The NSS database is stored under /etc/ipsec.d.

To remove any old databases, stop IPsec, if running and remove NSS databases by running the commands below;

systemctl stop ipsec
rm -rf /etc/ipsec.d/*db

You can then re-initialize the NSS database;

ipsec initnss

Then start IPSec;

systemctl start ipsec

Open Libreswan Ports and Protocols on Firewall

The IKE protocol uses UDP port 500 and 4500 while IPsec protocols, Encapsulated Security Payload (ESP) and Authenticated Header (AH) uses protocol number 50 and 51 respectively.

Hence, open these ports and protocols on your active firewall zone on your VPN (Left Endpoint) Server in this guide.

firewall-cmd --get-active-zone

To open the ports and firewall on the default firewalld zone;

firewall-cmd --add-port={4500,500}/udp --permanent
firewall-cmd --add-protocol={50,51} --permanent

Or you can simply use the IPSec service;

firewall-cmd --add-service=ipsec --permanent

Reload FirewallD

firewall-cmd --reload

Configure IPSec VPN Server with Libreswan

Libreswan doesn’t use the client-server model. It however uses the terms left and right to refer to endpoints involved in any given connection. The left/right terms can be used arbitrarily to refer to each system as long as you maintain consistency in using the terms while configuring your connections.

Enable IP Forwarding

On both the VPN server, you need to enable IP forwarding.

Run the command below to check if IP forwarding is enabled;

sysctl net.ipv4.ip_forward

If the output is net.ipv4.ip_forward = 0, then IP forwarding is disabled and you need to enable by executing either of the command below;

IP forwarding can be enabled by just enabling IP masquerading on firewalld.

firewall-cmd --add-masquerade --permanent
firewall-cmd --reload

You can the verify IP forwarding;

cat /proc/sys/net/ipv4/ip_forward
1

A value of 1 means, IP forwarding is enabled.

Similarly. you can enable IP forwarding by running the commands below;

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Refresh with the sysctl.conf with new configuration.

sysctl -p

Also, ensure that redirects are disabled.

less /etc/sysctl.d/50-libreswan.conf
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0

Generate VPN Server and Client Certificates

Next, you need to generate the VPN server and clients certificates for use in authentication.

Create Certificates Generation Database

Run the command below to create a database that can be used to generate store a private key and CA certificate for use in generating hosts certificates. We will be using certutil command to generate the certificates.

mkdir /etc/ipsec.d/certsdb
certutil -N -d sql:/etc/ipsec.d/certsdb

The command prompts you to enter the password for encrypting your keys.

Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: StRONgPassw0Rd
Re-enter password: StRONgPassw0Rd

Generate CA Certificate

We use self signed certificates in this tutorial and hence, this is how we can generate our local CA certificate.

certutil -S -x -n "Kifarunix-demo CA" -s "O=Kifarunix-demo,CN=Kifarunix-demo CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t "CT,," -2

Refer to man certutil to learn about the options used.

When the command runs, you will be first prompted to enter the password for encrypting keys you set above. Enter the password to proceed.

Next, you are required to generate random seed for use in creating of your keys by typing any keys on the keyboard until the progress meter is full. Once it is full, press enter to continue.

...
Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: ENTER
  • Next, type y to specify that this is a CA certificate being generated.
  • Press ENTER for the path length
  • Enter n to specify that this is not a critical extension.
Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > ENTER
Is this a critical extension [y/N]?
n

Generate the VPN Server Certificate

Next, generate the server certificate signed using the CA created above and assign extensions to it.

certutil -S -c "Kifarunix-demo CA" -n "vpn.kifarunix-demo.com" -s "O=Kifarunix-demo,CN=vpn.kifarunix-demo.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "vpn.kifarunix-demo.com"

Similarly, enter the keys encryption password, generate the seed from the keyboard and press ENTER to continue.

Define the key and the key extension usage.

Generating key.  This may take a few moments...

		0 - Digital Signature
		1 - Non-repudiation
		2 - Key encipherment
		3 - Data encipherment
		4 - Key agreement
		5 - Cert signing key
		6 - CRL signing key
		Other to finish
 > 0
		0 - Digital Signature
		1 - Non-repudiation
		2 - Key encipherment
		3 - Data encipherment
		4 - Key agreement
		5 - Cert signing key
		6 - CRL signing key
		Other to finish
 > 2
		0 - Digital Signature
		1 - Non-repudiation
		2 - Key encipherment
		3 - Data encipherment
		4 - Key agreement
		5 - Cert signing key
		6 - CRL signing key
		Other to finish
 > 8
Is this a critical extension [y/N]?
n
		0 - Server Auth
		1 - Client Auth
		2 - Code Signing
		3 - Email Protection
		4 - Timestamp
		5 - OCSP Responder
		6 - Step-up
		7 - Microsoft Trust List Signing
		Other to finish
 > 0
		0 - Server Auth
		1 - Client Auth
		2 - Code Signing
		3 - Email Protection
		4 - Timestamp
		5 - OCSP Responder
		6 - Step-up
		7 - Microsoft Trust List Signing
		Other to finish
 > 8
Is this a critical extension [y/N]?
N

Generate the VPN Client Certificate

Run the command below to generate a VPN client certificate. Replace the name of the certificate (hostname used here) with the name of the host whose client certificate you are generating for;

certutil -S -c "Kifarunix-demo CA" -n "janedoe.kifarunix-demo.com" -s "O=Kifarunix-demo,CN=janedoe.kifarunix-demo.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "janedoe.kifarunix-demo.com"

Similarly, enter the same options as above.

Listing the Available Certificates in the database

certutil -L -d sql:/etc/ipsec.d/certsdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Kifarunix-demo CA                                            CTu,u,u
vpn.kifarunix-demo.com                                       u,u,u
janedoe.kifarunix-demo.com                                   u,u,u
johndoe.kifarunix-demo.com                                   u,u,u

Export and import the gateway certificate into the pluto DB.

pk12util -o vpn.kifarunix-demo.com.p12 -n "vpn.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdb

You can skip the PKCS12 password.

ls
vpn.kifarunix-demo.com.p12

Once exported, Import the VPN server certificate to DB.

ipsec import vpn.kifarunix-demo.com.p12

Export the client host certificates, private key, and CA certificate. All these will be stored in a .p12 file as specified output file in the command below.

pk12util -o janedoe.kifarunix-demo.com.p12 -n "janedoe.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdb

Similarly, skip the PKCS12 password.

ls
janedoe.kifarunix-demo.com.p12 vpn.kifarunix-demo.com.p12

If you have generated certificates for other client hosts, you can as well export them.

Create IPSec VPN Endpoint Configuration file

On your IPSec VPN host, create a configuration file on /etc/ipsec.d directory for your mobile clients. /etc/ipsec.conf is the default configuration file for Libreswan and it has a directive to include other configurations defined on /etc/ipsec.d directory.

vim /etc/ipsec.d/mobile-clients.conf

Put the following configurations on the file above.

conn roadwarriors
    left=vpn.kifarunix-demo.com
    leftsubnet=0.0.0.0/0
    leftcert=vpn.kifarunix-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightaddresspool=10.0.8.10-10.0.8.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="8.8.8.8,10.0.8.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    mobike=yes
    ikev2=insist
    fragmentation=yes
    type=tunnel

Refer to man ipsec.conf for a comprehensive description of the options used above.

Verify the configuration file for any errors;

/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig

If there is no error, command exit with 0 status.

echo $?

Otherwise, any error is displayed on the standard output. Fix the errors before you can proceed.

Enable IPsec logging by uncommenting the line, #logfile=/var/log/pluto.log, on the /etc/ipsec.conf configuration.

config setup
        # Normally, pluto logs via syslog.
        logfile=/var/log/pluto.log
...

Restart IPsec;

systemctl restart ipsec

Check status;

systemctl status ipsec

If ipsec fails to start, there must be a configuration syntax error. Run the command below to pinpoint the error.

journalctl -xe

Disable rp_filter for Libreswan and reload all Kernel configurations.

echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
sysctl --system

Verify IPsec Configuration

To confirm that the IPsec configuration is fine, simply run the command below;

ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.29 (netkey) on 4.18.0-193.6.3.el8_2.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OK]

Copy VPN Client Certificates to your Mobile Clients

You can now copy the client certificates to your remote clients and connect to the VPN server.

In this tutorial, we are using Ubuntu 20.04 and Ubuntu 18.04 systems as our remote clients.

We have generated certificates for two hosts, janedoe.kifarunix-demo.com and johndoe.kifarunix-demo.com for Ubuntu 20.04 and Ubuntu 18.04 client hosts respectively.

Configuring Libreswan Client

On your Ubuntu system, install libreswan package.

apt update
apt install libreswan

Create Libreswan Client VPN connection configuration file

vim /etc/ipsec.d/johndoe.conf

Enter the content below;

conn vpn.kifarunix-demo.com
	left=%defaultroute
	leftcert=johndoe.kifarunix-demo.com
	leftid=%fromcert
	leftrsasigkey=%cert
	leftsubnet=0.0.0.0/0 
	leftmodecfgclient=yes
	right=vpn.kifarunix-demo.com
	rightsubnet=0.0.0.0/0 
	[email protected]
	rightrsasigkey=%cert
	narrowing=yes
	ikev2=insist
	rekey=yes
	fragmentation=yes
	mobike=no
	auto=start

If you are using hostnames, ensure that they are resolvable.

Similarly, on your second host;

vim /etc/ipsec.d/janedoe.conf
conn vpn.kifarunix-demo.com
	left=%defaultroute
	leftcert=janedoe.kifarunix-demo.com
	leftid=%fromcert
	leftrsasigkey=%cert
	leftsubnet=0.0.0.0/0 
	leftmodecfgclient=yes
	right=vpn.kifarunix-demo.com
	rightsubnet=0.0.0.0/0 
	[email protected]
	rightrsasigkey=%cert
	narrowing=yes
	ikev2=insist
	rekey=yes
	fragmentation=yes
	mobike=no
	auto=start

Check the configuration syntax;

/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig

Initialize NSS database;

sudo ipsec checknss

 Import PKCS#12 X.509 certificate files into the NSS database;

sudo ipsec import janedoe.kifarunix-demo.com.p12

Do the same on the other client host. Press ENTER to skip the PCKS12 password.

Enter password for PKCS12 file: ENTER
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Kifarunix-demo CA

You can list available certificates on the client host;

certutil -L -d sql:/var/lib/ipsec/nss

Start IPsec and enable it to run on system boot.

sudo ipsec setup start

Check the status;

systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2020-06-21 12:28:02 EAT; 7min ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 11251 ExecStartPre=/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Process: 11266 ExecStartPre=/usr/lib/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
    Process: 11742 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
    Process: 11743 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
   Main PID: 11757 (pluto)
     Status: "Startup completed."
      Tasks: 2 (limit: 2319)
     Memory: 10.3M
     CGroup: /system.slice/ipsec.service
             └─11757 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.co>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: Authenticated using RSA
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_ADDRESS 10.0.8.10
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_DNS 8.8.8.8
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_DNS 10.0.8.1
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: up-client output: updating resolvconf
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=

Check the status on the other remote host.

From the status output, you can check assigned IP address, INTERNAL_IP4_ADDRESS 10.0.8.10. On my other client host, INTERNAL_IP4_ADDRESS 10.0.8.11.

Load the connection on each client host;

sudo ipsec auto --add vpn.kifarunix-demo.com

Establish the tunnel by bringing up the connection on each host;

sudo ipsec auto --up vpn.kifarunix-demo.com

From each host, ping the VPN assigned IP address of the other.

ping 10.0.8.11 -c 4
PING 10.0.8.11 (10.0.8.11) 56(84) bytes of data.
64 bytes from 10.0.8.11: icmp_seq=1 ttl=63 time=2.82 ms
64 bytes from 10.0.8.11: icmp_seq=2 ttl=63 time=2.84 ms
64 bytes from 10.0.8.11: icmp_seq=3 ttl=63 time=3.06 ms
64 bytes from 10.0.8.11: icmp_seq=4 ttl=63 time=2.83 ms

--- 10.0.8.11 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3010ms
rtt min/avg/max/mdev = 2.820/2.888/3.060/0.099 ms

On the other host;

ping 10.0.8.10 -c 4
PING 10.0.8.10 (10.0.8.10) 56(84) bytes of data.
64 bytes from 10.0.8.10: icmp_seq=1 ttl=63 time=1.63 ms
64 bytes from 10.0.8.10: icmp_seq=2 ttl=63 time=2.38 ms
64 bytes from 10.0.8.10: icmp_seq=3 ttl=63 time=3.18 ms
64 bytes from 10.0.8.10: icmp_seq=4 ttl=63 time=2.86 ms

--- 10.0.8.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.631/2.516/3.187/0.588 ms

The two remote hosts can now communicate via IPsec VPN server. That brings us to the end of our tutorial on how to setup IPSec VPN server with Libreswan on CentOS 8.

Further Reading/Reference

Libreswan Configuration Examples

Related Tutorials

Install and Setup OpenVPN Server on Ubuntu 20.04

Configure OpenVPN LDAP Based Authentication

Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8

Setup IPSEC VPN using StrongSwan on Debian 10

Connect to Cisco VPN Using PCF file on Ubuntu

LEAVE A REPLY

Please enter your comment!
Please enter your name here