Free Tutorial Libreswan IPSec Host-To-Host with RSA Keys 2020

Learn how to configure Libreswan IPSec tunnels on a Red Hat 8 system using RSA keys to secure the communications between…

Libreswan IPSec on Red Hat

In this tutorial I will show how to configure a Libreswan IPSec host-to-host connection between two Red Hat hosts using 4096-bit RSA keys.

IPSec provides confidentiality, integrity and authentication, and we get these over both IPv4 and IPv6.

We use ESP to encapsulate the payloads and IKEv2 for tunnel key management.

Before applying this configuration, check our other guide on how to generate IPSec RSA keys on Linux.

Install Libreswan package

To install the libreswan package on Red Hat 8, run:

yum install libreswan

Init Libreswan NSS Database

Initialise the NSS database; this database will store the RSA private keys:

ipsec initnss
ipsec initnss --nssdir /etc/ipsec.d

Generate IPSec RSA Keys on both Hosts

To secure the connection between the two hosts, each host must know the other's RSA public key: generate the key pairs and add the public keys to the configuration file.

Run on IPSec Left Host

Generate the RSA private and public keys on the left host. The certnotes.secrets file will store the RSA public key, and the RSA private key will be stored in the *.db files of the NSS database.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname left.poplab.pt

Extract the RSA public key on the left host and add it to the configuration file.

ipsec showhostkey --left --ckaid 1a7b98222db9598f4f238e7308465cd2cc5c5c60 | grep 'leftrsasigkey'

Run on Right IPSec Host

Generate the RSA private and public keys on the right host. The certnotes.secrets file will store the RSA public key, and the RSA private key will be stored in the *.db files of the NSS database.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets  --hostname right.poplab.pt

Extract the RSA public key on the right host and add it to the configuration file.

ipsec showhostkey --right --ckaid 48da57a02c21ac0ac8a2fada14d82c203ee0a034 | grep 'rightrsasigkey'

Create Libreswan IPSec configuration file

Now let's create the Libreswan IPSec connection configuration file. Create a new file in /etc/ipsec.d/:

vi /etc/ipsec.d/ipsec_certnotes.conf
conn cert_notes_vms
     #Left Host Config Settings
     #leftid value was mangled on the published page; @left.poplab.pt is assumed from the hostname given to newhostkey above
     leftid=@left.poplab.pt
     left=192.168.1.213
     leftrsasigkey=0sAwE6PHOmHg[...]tEE1KvoK6fSIgzUuFnGw==
     #Right Host Config Settings
     #rightid value was mangled on the published page; @right.poplab.pt is assumed from the hostname given to newhostkey above
     rightid=@right.poplab.pt
     right=192.168.1.216
     rightrsasigkey=0sAwvo1KvoKK6fSEAA[..]B6P1KvoKHfdgabNQ==
     #General Configs
     auto=start
     authby=rsasig
     compress=yes
     #Phase 1 ISAKMP IKE (Internet Key Exchange)
     type=tunnel
     pfs=yes
     ikev2=insist
     ikepad=yes
     #Phase 2 Encryption Negotiation 
     phase2=esp
     ppk=no
     esn=no

Manage Libreswan IPSec Service

Start the IPSec service

systemctl start ipsec

Enable the IPSec service on boot

systemctl enable ipsec

Reload the IPSec service after a configuration change

systemctl reload ipsec

Configure Red Hat 8 Firewall to Allow IPSec

IPSec uses two protocols to establish and authenticate the secure tunnels, so we need to allow them on our firewall.

Before that, check your interfaces and their associated zones so that the tunnel is allowed in the correct zone.

firewall-cmd --get-active-zones

Allow ISAKMP & IKE SA ports on the Firewall – Phase 1

firewall-cmd --zone=public --add-port=500/udp --permanent
firewall-cmd --zone=public --add-port=4500/udp --permanent

Allow IPSec SA & Child SA protocols on the Firewall – Phase 2

firewall-cmd --zone=public --add-protocol=50 --permanent
firewall-cmd --zone=public --add-protocol=51 --permanent
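The zone check and the four firewall rules above, put together as an added helper script (not part of the original tutorial). It parses the output of firewall-cmd --get-active-zones to find the zone of the tunnel interface (enp0s3, the interface the tutorial later uses with tcpdump), opens IKE and ESP/AH in that zone, and reloads firewalld, since --permanent rules are not live until a reload; the sample zone listing is constructed.

```shell
#!/bin/sh
# Added helper, not from the tutorial: open IPSec in the firewalld zone that
# actually holds the tunnel interface. Interface name enp0s3 is assumed from
# the tcpdump command used later in the tutorial.

# zone_for_iface <iface>: reads "firewall-cmd --get-active-zones" output on
# stdin and prints the zone whose "interfaces:" line lists <iface>.
# Returns 1 (prints nothing) if the interface is in no active zone.
zone_for_iface() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1; next }                 # unindented line: zone name
        /^[ \t]+interfaces:/ {                        # indented: its interfaces
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }'
}

# allow_ipsec <zone>: add the permanent rules from the tutorial to <zone>
# and reload so they take effect on the running firewall.
allow_ipsec() {
    zone="$1"
    firewall-cmd --zone="$zone" --add-port=500/udp  --permanent   # IKE
    firewall-cmd --zone="$zone" --add-port=4500/udp --permanent   # IKE NAT-T
    firewall-cmd --zone="$zone" --add-protocol=50   --permanent   # ESP
    firewall-cmd --zone="$zone" --add-protocol=51   --permanent   # AH
    firewall-cmd --reload   # --permanent rules are not live until reloaded
}

# Constructed sample of "firewall-cmd --get-active-zones" output (not
# captured from a real host), used to exercise the parser offline.
SAMPLE_ZONES='internal
  interfaces: enp0s8
public
  interfaces: enp0s3 enp0s9'

# Offline self-check of the parser; prints: public
printf '%s\n' "$SAMPLE_ZONES" | zone_for_iface enp0s3

# On a live host the whole step is:
#   allow_ipsec "$(firewall-cmd --get-active-zones | zone_for_iface enp0s3)"
```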

Activate Red Hat IPSec Tunnel

ipsec auto --add cert_notes_vms
ipsec auto --up cert_notes_vms
systemctl reload ipsec

Testing the IPSec Encrypted Communication

Let's ping the right host and check that the traffic is encrypted.

ping 192.168.1.216
sudo tcpdump -n -i enp0s3 esp or udp port 500 or udp port 4500

Now we will verify the IPSec connection status and parameters.

ipsec whack --status
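Beyond eyeballing tcpdump and whack --status, a practitioner wants a check that can fail: this added helper (not from the tutorial) reads the kernel security association database with ip xfrm state and confirms that an ESP tunnel-mode SA exists between the two hosts and that it does not use the null cipher. The addresses are the tutorial's; the two ip xfrm state listings in the block are constructed samples, not captures.

```shell
#!/bin/sh
# Added verification helper, not from the tutorial: confirm that the kernel
# holds an ESP tunnel-mode SA between the two hosts with a real cipher, i.e.
# that the ping traffic really leaves encrypted.
# Addresses are the tutorial's: left 192.168.1.213, right 192.168.1.216.
LEFT=192.168.1.213
RIGHT=192.168.1.216

# check_esp_sa <src> <dst>: reads "ip xfrm state" output on stdin and
# returns 0 if an ESP SA in tunnel mode from <src> to <dst> exists whose
# algorithm is present and is not the null cipher, 1 otherwise.
check_esp_sa() {
    awk -v src="$1" -v dst="$2" '
        /^src / { insa = ($2 == src && $4 == dst); esp = 0; cipher = "" }
        insa && /proto esp/ && /mode tunnel/ { esp = 1 }
        insa && /^[ \t]*(aead|enc) /         { cipher = $2 }
        insa && esp && cipher != "" && cipher !~ /cipher_null/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# check_tunnel: run the live check in both directions on this host.
check_tunnel() {
    ip xfrm state | check_esp_sa "$LEFT" "$RIGHT" || return 1
    ip xfrm state | check_esp_sa "$RIGHT" "$LEFT" || return 1
    echo "ESP SAs present in both directions with a real cipher"
}

# Constructed sample of "ip xfrm state" output (not captured from a real
# host) with one AES-GCM SA in each direction, used to exercise the parser.
SAMPLE_GOOD='src 192.168.1.213 dst 192.168.1.216
    proto esp spi 0x0f1e2d3c reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 192.168.1.216 dst 192.168.1.213
    proto esp spi 0x4c5b6a79 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0xffeeddccbbaa99887766554433221100ffeeddcc 128'

# Constructed sample where ESP ended up with the null cipher: must be rejected.
SAMPLE_NULL='src 192.168.1.213 dst 192.168.1.216
    proto esp spi 0x0f1e2d3c reqid 16389 mode tunnel
    enc ecb(cipher_null) 0x
    auth-trunc hmac(sha256) 0x0123456789abcdef0123456789abcdef 128'

# Offline self-check of the parser; on a real host run: check_tunnel
printf '%s\n' "$SAMPLE_GOOD" | check_esp_sa "$LEFT" "$RIGHT" && echo "good sample accepted"
printf '%s\n' "$SAMPLE_NULL" | check_esp_sa "$LEFT" "$RIGHT" || echo "null-cipher sample rejected"
```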

Verify Public Keys on Host

To list and check all the IPSec RSA public keys known to the host, run:

ipsec auto --listpubkeys
ipsec showhostkey --list

RFCs Related to IPSec

  • The IP Security Architecture – RFC 4301
  • Defines Authentication Headers (AH) – RFC 4302
  • Defines Encapsulating Security Payloads (ESP) – RFC 4303
  • ISAKMP – RFC 2408
  • IKEv2 – RFC 5996
  • Cryptographic algorithm Implementation for ESP and AH – RFC 4835
