Tutorial Libreswan IPSec Host-To-Host with RSA Keys
Learn how to configure Libreswan IPSec tunnels on Red Hat 8 System using RSA Keys to secure the communications between…
In this tutorial I will show how to configure a Libreswan IPsec host-to-host connection between two Red Hat hosts using 4096-bit RSA keys.
IPsec provides confidentiality, integrity and authentication, and we get these over IPv4 or IPv6.
We are using ESP to encapsulate the payloads and IKEv2 for tunnel key management.
Before applying this configuration, check our other guide on how to generate IPsec RSA keys on Linux.
To install the libreswan package on Red Hat 8, run:
yum install libreswan
Initialise the NSS database; this database will store the RSA private keys:
ipsec initnss --nssdir /etc/ipsec.d
To secure the connection between the two hosts, each host needs the other's RSA public key, so generate a key pair on each host and add the public keys to the configuration file.
Generate the RSA private and public keys on the left host. The certnotes.secrets file will store the RSA public key, and the RSA private key will be stored in the *.db files of the NSS database.
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname left.poplab.pt
Extract the RSA public key on the left host (using the CKAID printed by ipsec newhostkey) and add it to the configuration file:
ipsec showhostkey --left --ckaid 1a7b98222db9598f4f238e7308465cd2cc5c5c60 | grep 'leftrsasigkey'
Generate the RSA private and public keys on the right host. Again, the certnotes.secrets file will store the RSA public key, and the RSA private key will be stored in the *.db files.
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname right.poplab.pt
Extract the RSA public key on the right host and add it to the configuration file:
ipsec showhostkey --right --ckaid 48da57a02c21ac0ac8a2fada14d82c203ee0a034 | grep 'rightrsasigkey'
Now let's create the Libreswan IPsec connection configuration as a new file under /etc/ipsec.d/:
vi /etc/ipsec.d/ipsec_certnotes.conf
conn cert_notes_vms
    # Left Host Config Settings
    leftid=@left.poplab.pt
    left=192.168.1.213
    leftrsasigkey=0sAwE6PHOmHg[...]tEE1KvoK6fSIgzUuFnGw==
    # Right Host Config Settings
    rightid=@right.certificationsnotes.com
    right=192.168.1.216
    rightrsasigkey=0sAwvo1KvoKK6fSEAA[..]B6P1KvoKHfdgabNQ==
    # General Configs
    auto=start
    authby=rsasig
    compress=yes
    # Phase 1 ISAKMP IKE (Internet Key Exchange)
    type=tunnel
    pfs=yes
    ikev2=insist
    ikepad=yes
    # Phase 2 Encryption Negotiation
    phase2=esp
    ppk=no
    esn=no
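As an added example (not part of the tutorial), the following Python helper decodes the 0s-prefixed base64 rsasigkey values that ipsec showhostkey prints (RFC 3110 RSA KEY RDATA), reports the modulus size so you can confirm the keys really are 4096 bits, and renders a correctly indented conn section. The sample key is constructed only to exercise the parser and is not a real key; the function names are my own.

```python
"""Parse libreswan 0s<base64> rsasigkey values and render an indented conn."""
import base64

# Constructed sample (not a real key): RFC 3110 RSA KEY RDATA, exponent 65537
# and a 512-byte (4096-bit) pseudo-modulus, with the "0s" base64 marker that
# ipsec showhostkey prints in front of leftrsasigkey= / rightrsasigkey=.
_E = (65537).to_bytes(3, "big")
_N = ((1 << 4095) | 0x10001).to_bytes(512, "big")
SAMPLE_KEY = "0s" + base64.b64encode(bytes([len(_E)]) + _E + _N).decode()

def parse_rsasigkey(value):
    """Return (exponent, modulus) as ints; raise ValueError if malformed.
    RFC 3110 layout: a one-byte exponent length (or a zero byte followed by
    a two-byte length), the exponent, then the rest of the blob is the modulus.
    """
    if not value.startswith("0s"):
        raise ValueError("rsasigkey must start with the 0s base64 marker")
    raw = base64.b64decode(value[2:], validate=True)  # binascii.Error is a ValueError
    if not raw:
        raise ValueError("empty key blob")
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exp, mod = raw[off:off + elen], raw[off + elen:]
    if len(exp) != elen or not mod:
        raise ValueError("truncated key blob")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def modulus_bits(value):
    """RSA modulus size in bits (the tutorial uses 4096-bit keys)."""
    return parse_rsasigkey(value)[1].bit_length()

def render_conn(name, left, right, min_bits=2048):
    """Build the conn section; left/right are dicts with id, addr and key.
    Every parameter and comment line is indented: libreswan reads a line that
    starts in column 0 as the beginning of a new section.
    """
    lines = [f"conn {name}"]
    for tag, side in (("left", left), ("right", right)):
        if modulus_bits(side["key"]) < min_bits:  # also rejects malformed keys
            raise ValueError(f"{side['id']}: RSA modulus below {min_bits} bits")
        lines += [f"    # {tag} host", f"    {tag}id={side['id']}",
                  f"    {tag}={side['addr']}", f"    {tag}rsasigkey={side['key']}"]
    lines += ["    authby=rsasig", "    ikev2=insist", "    type=tunnel",
              "    pfs=yes", "    auto=start"]
    return "\n".join(lines) + "\n"
```

Feed it the real leftrsasigkey/rightrsasigkey values from both hosts and write the returned text to /etc/ipsec.d/ipsec_certnotes.conf; a modulus shorter than min_bits or a truncated blob is rejected before anything is written.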
Manage Libreswan IPSec Service
Start the IPsec service:
systemctl start ipsec
Enable the IPsec service at boot:
systemctl enable ipsec
Reload the IPsec service after a configuration change:
systemctl reload ipsec
Configure Red Hat 8 Firewall to Allow IPSec
As we know, IPsec tunnels use two protocols, one to establish and authenticate the tunnel and one to carry the protected traffic, and we need to allow both on our firewall.
Before that, check your interfaces and their associated zones so that the rules are added to the correct zone:
firewall-cmd --get-active-zones
Allow ISAKMP & IKE SA ports on the Firewall – Phase 1
firewall-cmd --zone=public --add-port=500/udp --permanent
firewall-cmd --zone=public --add-port=4500/udp --permanent
Allow IPSec SA & Child SA protocols on the Firewall – Phase 2
firewall-cmd --zone=public --add-protocol=50 --permanent
firewall-cmd --zone=public --add-protocol=51 --permanent
Load the connection, bring the tunnel up and reload the service:
ipsec auto --add cert_notes_vms
ipsec auto --up cert_notes_vms
systemctl reload ipsec
Testing the IPSec Encrypted Communication
Let's ping the right host and, in a second terminal, capture the traffic to check that it is carried inside ESP:
ping 192.168.1.216
sudo tcpdump -n -i enp0s3 esp or udp port 500 or udp port 4500
Now we verify the IPsec connection status and parameters:
ipsec whack --status
To list all IPsec RSA keys known to Libreswan, run:
ipsec auto --listpubkeys
ipsec showhostkey --list