Setup IPSec VPN server with Libreswan on Rocky Linux

Welcome to our today’s guide on how to setup IPSec VPN server with Libreswan on Rocky Linux. Libreswan is a free implementation of IKE/IPsec for Linux. IPsec is the Internet Protocol Security which uses strong cryptography to provide both authentication and encryption services and allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.

IKE manages the authentication between two communicating end points. It also enables endpoints to negotiate on algorithms to use to setup an IPsec tunnel.

In our previous guide, we covered how to install and configure IPSec VPN using StrongSwan on Ubuntu 18.04. See the link below;

Configure IPSEC VPN using StrongSwan on Ubuntu 18.04

Setup IPSec VPN Server with Libreswan on Rocky Linux

There are different VPN Server-client implementations of Libreswan.

In this guide, we are going to learn how setup IPSec VPN server for the mobile clients (clients with dynamically assigned IPs such as laptops) here in known as road warriors, so that they can be able to connect to local LAN from anywhere. Mobile clients are authenticated using certificates and hence uses the IKEv2 protocol.

IKEv2 (Internet Key Exchange version 2) is a VPN encryption protocol that handles request and response actions. IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.

Run system Update

Update your system packages on the server to be used as Libreswan VPN server.

dnf update

Install Libreswan on Rocky Linux

Once the update is done, install Libreswan. Libreswan is available on Rocky Linux AppStream repos and hence, you can simply install using the package manager as follows;

dnf install libreswan

Running Libreswan

Once the installation is done, start and enable Libreswan ipsec service to run on system boot.

systemctl enable --now ipsec

Initialize IPSec NSS Database

Next, you need to initialize the Network Security Services (NSS) database. NSS database is used to store authentication keys and identity certificates.

ipsec initnss

If there is any previous database, you can remove it so that you can have a new database. The NSS database is stored under /etc/ipsec.d.

To remove any old databases, stop IPsec, if running and remove NSS databases by running the commands below;

systemctl stop ipsec

rm -rf /etc/ipsec.d/*db

You can then re-initialize the NSS database;

ipsec initnss

Then start IPSec;

systemctl start ipsec

Open Libreswan Ports and Protocols on Firewall

The IKE protocol uses UDP port 500 and 4500 while IPsec protocols, Encapsulated Security Payload (ESP) and Authenticated Header (AH) uses protocol number 50 and 51 respectively.

Hence, open these ports and protocols on your active firewall zone on your VPN (Left Endpoint) Server in this guide.

firewall-cmd --get-active-zone

To open the ports and firewall on the default firewalld zone;

firewall-cmd --add-port={4500,500}/udp --permanent

firewall-cmd --add-protocol={50,51} --permanent

Or you can simply use the IPSec service;

firewall-cmd --add-service=ipsec --permanent

Reload FirewallD

firewall-cmd --reload

Configure IPSec VPN Server with Libreswan

Libreswan doesn’t use the client-server model. It however uses the terms left and right to refer to endpoints involved in any given connection. The left/right terms can be used arbitrarily to refer to each system as long as you maintain consistency in using the terms while configuring your connections.

Enable IP Forwarding

On both the VPN server, you need to enable IP forwarding.

Run the command below to check if IP forwarding is enabled;

sysctl net.ipv4.ip_forward

If the output is net.ipv4.ip_forward = 0, then IP forwarding is disabled and you need to enable.

IP forwarding can be enabled by just enabling IP masquerading on firewalld.

firewall-cmd --add-masquerade --permanent
firewall-cmd --reload

You can the verify IP forwarding;

cat /proc/sys/net/ipv4/ip_forward

A value of 1 means, IP forwarding is enabled.

Similarly. you can enable IP forwarding by running the commands below;

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Refresh with the sysctl.conf with new configuration.

sysctl -p

Also, ensure that redirects are disabled.

less /etc/sysctl.d/50-libreswan.conf

# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0

Generate VPN Server and Client Certificates

Next, you need to generate the VPN server and clients certificates for use in authentication.

Create Certificates Generation Database

Run the command below to create a database that can be used to generate store a private key and CA certificate for use in generating hosts certificates. We will be using certutil command to generate the certificates.

mkdir /etc/ipsec.d/certsdb

certutil -N -d sql:/etc/ipsec.d/certsdb

The command prompts you to enter the password for encrypting your keys.

Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: StRONgPassw0Rd
Re-enter password: StRONgPassw0Rd

Generate CA Certificate

We use self signed certificates in this tutorial and hence, this is how we can generate our local CA certificate.

certutil -S -x -n "Kifarunix-demo CA" -s "O=Kifarunix-demo,CN=Kifarunix-demo CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t "CT,," -2

Refer to man certutil to learn about the options used.

When the command runs, you will be first prompted to enter the password for encrypting keys you set above. Enter the password to proceed.

Next, you are required to generate random seed for use in creating of your keys by typing any keys on the keyboard until the progress meter is full. Once it is full, press enter to continue.

...
Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: ENTER

• Next, type y to specify that this is a CA certificate being generated.
• Press ENTER for the path length
• Enter n to specify that this is not a critical extension.

Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > ENTER
Is this a critical extension [y/N]?
n

Generate the VPN Server Certificate

Next, generate the server certificate signed using the CA created above and assign extensions to it.

certutil -S -c "Kifarunix-demo CA" -n "vpn.kifarunix-demo.com" \
-s "O=Kifarunix-demo,CN=vpn.kifarunix-demo.com" -k rsa -g 4096 \
-v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "vpn.kifarunix-demo.com"

Similarly, enter the keys encryption password, generate the seed from the keyboard and press ENTER to continue.

Define the key and the key extension usage.

Generating key.  This may take a few moments...

		0 - Digital Signature
		1 - Non-repudiation
		2 - Key encipherment
		3 - Data encipherment
		4 - Key agreement
		5 - Cert signing key
		6 - CRL signing key
		Other to finish
 > 0
		0 - Digital Signature
		1 - Non-repudiation
		2 - Key encipherment
		3 - Data encipherment
		4 - Key agreement
		5 - Cert signing key
		6 - CRL signing key
		Other to finish
 > 2
		0 - Digital Signature
		1 - Non-repudiation
		2 - Key encipherment
		3 - Data encipherment
		4 - Key agreement
		5 - Cert signing key
		6 - CRL signing key
		Other to finish
 > 8

Is this a critical extension [y/N]?
n
		0 - Server Auth
		1 - Client Auth
		2 - Code Signing
		3 - Email Protection
		4 - Timestamp
		5 - OCSP Responder
		6 - Step-up
		7 - Microsoft Trust List Signing
		Other to finish
 > 0
		0 - Server Auth
		1 - Client Auth
		2 - Code Signing
		3 - Email Protection
		4 - Timestamp
		5 - OCSP Responder
		6 - Step-up
		7 - Microsoft Trust List Signing
		Other to finish
 > 8
Is this a critical extension [y/N]?
N

Generate the VPN Client Certificate (for the road warrior)

Run the command below to generate a VPN client certificate. Replace the name of the certificate (hostname used here) with the name of the host whose client certificate you are generating for;

certutil -S -c "Kifarunix-demo CA" -n "janedoe.kifarunix-demo.com" \
-s "O=Kifarunix-demo,CN=janedoe.kifarunix-demo.com" -k rsa -g 4096 \
-v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "janedoe.kifarunix-demo.com"

Similarly, enter the same options as above.

Listing the Available Certificates in the database

certutil -L -d sql:/etc/ipsec.d/certsdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Kifarunix-demo CA                                            CTu,u,u
vpn.kifarunix-demo.com                                       u,u,u
janedoe.kifarunix-demo.com                                   u,u,u
johndoe.kifarunix-demo.com                                   u,u,u

Export and import the gateway certificate into the pluto DB.

pk12util -o vpn.kifarunix-demo.com.p12 -n "vpn.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdb

You can skip the PKCS12 password.

ls

vpn.kifarunix-demo.com.p12

Once exported, Import the VPN server certificate to DB.

ipsec import vpn.kifarunix-demo.com.p12

Export the client host certificates, private key, and CA certificate. All these will be stored in a .p12 file as specified output file in the command below.

pk12util -o janedoe.kifarunix-demo.com.p12 -n "janedoe.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdb

Similarly, skip the PKCS12 password.

ls

janedoe.kifarunix-demo.com.p12 vpn.kifarunix-demo.com.p12

If you have generated certificates for other client hosts, you can as well export them.

Create IPSec VPN Endpoint Configuration file

On your IPSec VPN host, create a configuration file on /etc/ipsec.d directory for your mobile clients.

/etc/ipsec.conf is the default configuration file for Libreswan and it has a directive to include other configurations defined on /etc/ipsec.d directory.

vim /etc/ipsec.d/mobile-clients.conf

Put the following configurations on the file above.

conn roadwarriors
    left=vpn.kifarunix-demo.com
    leftsubnet=0.0.0.0/0
    leftcert=vpn.kifarunix-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightaddresspool=10.0.8.10-10.0.8.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="8.8.8.8,10.0.8.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    mobike=yes
    ikev2=insist
    fragmentation=yes
    type=tunnel

Refer to man ipsec.conf for a comprehensive description of the options used above.

Verify the configuration file for any errors;

/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig

If there is no error, command exit with 0 status.

echo $?

Otherwise, any error is displayed on the standard output. Fix the errors before you can proceed.

Enable IPsec logging by uncommenting the line, #logfile=/var/log/pluto.log, on the /etc/ipsec.conf configuration.

config setup
        # Normally, pluto logs via syslog.
        logfile=/var/log/pluto.log
...

Verify IPsec Configuration

To confirm that the IPsec configuration is fine, simply run the command below;

ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 4.4 (netkey) on 4.18.0-348.20.1.el8_5.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OK]

Restart IPsec;

systemctl restart ipsec

Check status;

systemctl status ipsec

If ipsec fails to start, there must be a configuration syntax error. Run the command below to pinpoint the error.

journalctl -xe

Disable rp_filter for Libreswan and reload all Kernel configurations.

echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf

sysctl --system

You can also check the status using the command;

ipsec status

000 using kernel interface: xfrm
000  
000 interface lo UDP [::1]:500
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface enp0s3 UDP 10.0.2.15:4500
000 interface enp0s3 UDP 10.0.2.15:500
000 interface enp0s8 UDP 192.168.58.43:4500
000 interface enp0s8 UDP 192.168.58.43:500
000  
000 fips mode=disabled;
000 SElinux=enabled
000 seccomp=disabled
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=4.4, pluto_vendorid=OE-Libreswan-4.4, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
000 ocsp-trust-name=
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=
000 secctx-attr-type=32001
000 debug:
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10, 
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "roadwarriors": 0.0.0.0/0===192.168.58.43[CN=vpn.kifarunix-demo.com, O=Kifarunix-demo,MS+S=C]...%any[+MC+S=C]; unrouted; eroute owner: #0
000 "roadwarriors":     oriented; my_ip=unset; their_ip=unset; mycert=vpn.kifarunix-demo.com; my_updown=ipsec _updown;
000 "roadwarriors":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "roadwarriors":   our auth:rsasig, their auth:rsasig
000 "roadwarriors":   modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8,10.0.8.1, domains:unset, cat:unset;
000 "roadwarriors":   sec_label:unset;
000 "roadwarriors":   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'CN=Kifarunix-demo CA, O=Kifarunix-demo'
000 "roadwarriors":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "roadwarriors":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "roadwarriors":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "roadwarriors":   policy: IKEv2+RSASIG+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+RSASIG_v1_5;
000 "roadwarriors":   v2-auth-hash-policy: none;
000 "roadwarriors":   conn_prio: 0,0; interface: enp0s8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "roadwarriors":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "roadwarriors":   our idtype: ID_DER_ASN1_DN; our id=CN=vpn.kifarunix-demo.com, O=Kifarunix-demo; their idtype: %none; their id=(none)
000 "roadwarriors":   dpd: action:clear; delay:60; timeout:300; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "roadwarriors":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "roadwarriors":   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_128-HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192
000 "roadwarriors":   ESP algorithms: AES_GCM_16_256-NONE, CHACHA20_POLY1305-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128, AES_GCM_16_128-NONE, AES_CBC_128-HMAC_SHA1_96+HMAC_SHA2_256_128
000 "roadwarriors"[12]: 0.0.0.0/0===192.168.58.43[CN=vpn.kifarunix-demo.com, O=Kifarunix-demo,MS+S=C]...192.168.58.1[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]===10.0.8.10/32; erouted; eroute owner: #12
000 "roadwarriors"[12]:     oriented; my_ip=unset; their_ip=unset; mycert=vpn.kifarunix-demo.com; my_updown=ipsec _updown;
000 "roadwarriors"[12]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "roadwarriors"[12]:   our auth:rsasig, their auth:rsasig
000 "roadwarriors"[12]:   modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, domains:unset, cat:unset;
000 "roadwarriors"[12]:   sec_label:unset;
000 "roadwarriors"[12]:   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'CN=Kifarunix-demo CA, O=Kifarunix-demo'
000 "roadwarriors"[12]:   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "roadwarriors"[12]:   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "roadwarriors"[12]:   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "roadwarriors"[12]:   policy: IKEv2+RSASIG+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+RSASIG_v1_5;
000 "roadwarriors"[12]:   v2-auth-hash-policy: none;
000 "roadwarriors"[12]:   conn_prio: 0,32; interface: enp0s8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "roadwarriors"[12]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "roadwarriors"[12]:   our idtype: ID_DER_ASN1_DN; our id=CN=vpn.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_DER_ASN1_DN; their id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo
000 "roadwarriors"[12]:   dpd: action:clear; delay:60; timeout:300; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "roadwarriors"[12]:   newest ISAKMP SA: #11; newest IPsec SA: #12; conn serial: $13, instantiated from: $1;
000 "roadwarriors"[12]:   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_128-HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192
000 "roadwarriors"[12]:   IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-DH19
000 "roadwarriors"[12]:   ESP algorithms: AES_GCM_16_256-NONE, CHACHA20_POLY1305-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128, AES_GCM_16_128-NONE, AES_CBC_128-HMAC_SHA1_96+HMAC_SHA2_256_128
000 "roadwarriors"[12]:   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=
000  
000 Total IPsec connections: loaded 2, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #11: "roadwarriors"[12] 192.168.58.1:35535 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 27977s; newest ISAKMP; idle;
000 #12: "roadwarriors"[12] 192.168.58.1:35535 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 27978s; newest IPSEC; eroute owner; isakmp#11; idle;
000 #12: "roadwarriors"[12] 192.168.58.1 [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=410B ESPout=0B! ESPmax=0B 
000  
000 Bare Shunt list:
000

Copy VPN Client Certificates to your Mobile Clients

You can now copy the client certificates to your remote clients and connect to the VPN server.

See how to configure Libreswan IPSec VPN clients by following the link below;

Install and Configure Libreswan VPN Client on Ubuntu/Debian

That brings us to the end of our tutorial.

Further Reading/Reference

Libreswan Configuration Examples

Related Tutorials

Setup IPSec Site-to-Site VPN Tunnel on pfSense

Configure OpenVPN Clients to use specific DNS Server

Install WireGuard VPN Client on Rocky Linux/Ubuntu/Debian