Libreswan IPSec Host-To-Host with RSA Keys
Posted in: Red Hat, Blog, IP Sec, Protocols

Libreswan IPSec Host-To-Host with RSA Keys

Avatar of Mr. SynMan Written by Mr. SynMan Leave a Comment on Libreswan IPSec Host-To-Host with RSA Keys

Learn how to configure Libreswan IPSec tunnels on Red Hat 8 System using RSA Keys to secure the communications between…

Libreswan IPSec on Red Hat

Today in this tutorial I will show how to configure Libreswan IPSec Host-to-Host connection between two Red Hat Hosts using RSA Keys with 4096 bits of encryption.

The benefits of IP Sec are Confidentiality, Integrity, and Authentication and we can get these over IPv4 or IPv6.

We are using ESP for encapsulating the Payloads and IKEv2 for tunnel Key management.

Before applying this configuration check our other manual on How to Setup generates IPSec RSA Keys on Linux.

Install Libreswan package

To install libreswan package on Red hat 8 run:

yum install libreswan

Init Libreswan NSS Database

Start the NSS Database, this database will store the RSA private Keys :

ipsec initnss --nssdir /etc/ipsec.d

Generate IPSec RSA Keys on both Hosts

To encrypt the connection between the two Hosts they need to know each other RSA Public Keys generate them and add them to the configuration file.

Run on IPSec Left Host

Generate the RSA Private and Public Keys on the Left Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will be stored on *.db files from NSS Database.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname left.poplab.pt

Extract the RSA Public Key from Left Host and add them to the configuration file.

ipsec showhostkey --left --ckaid 1a7b98222db9598f4f238e7308465cd2cc5c5c60 | grep 'leftrsasigkey'

Run on Right IPSec Host

Generate the RSA Private and Public Keys on the Right Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will stored on *.db files.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets  --hostname right.poplab.pt

Extract the RSA Public Key from Right Host and add them to the configuration file.

ipsec showhostkey --right --ckaid 48da57a02c21ac0ac8a2fada14d82c203ee0a034 | grep 'rightrsasigkey'

Create IPSec VPN configuration file

Now let’s create the libreswan configuration IPsec connection file, create a new file located at /etc/ipsec.d/

vi /etc/ipsec.d/ipsec_certnotes.conf
conn cert_notes_vms
     #Left Host Config Settings
     leftid=@left.poplab.pt
     left=192.168.1.213
     leftrsasigkey=0sAwE6PHOmHg[...]tEE1KvoK6fSIgzUuFnGw==
     #Right Host Config Settings
     rightid=@right.certificationsnotes.com
     right=192.168.1.216
     rightrsasigkey=0sAwvo1KvoKK6fSEAA[..]B6P1KvoKHfdgabNQ==
     #General Configs
     auto=start
     authby=rsasig
     compress=yes
     #Phase 1 ISAKMP IKE (Internet Key Exchange)
     type=tunnel
     pfs=yes
     ikev2=insist
     ikepad=yes
     #Phase 2 Encryption Negotiation 
     phase2=esp
     ppk=no
     esn=no

Manage Libreswan IPSec Service

Start the IP Sec service

systemctl start ipsec

Enable the IP Sec service on boot

systemctl enable ipsec

Reload IP Sec service after a configuration

systemctl reload ipsec

Configure Red Hat 8 Firewall to Allow IPSec

As we know the IP Sec tunnels use two protocols to establish and authenticate the secure tunnels, we need to allow them on our firewall.

Before that check your interfaces and associated zones to allow on tunnel at the correct zone.

firewall-cmd --get-active-zone

Allow ISAKMP & IKE SA ports on the Firewall – Phase 1

firewall-cmd --zone=public --add-port=500/udp --permanent
firewall-cmd --zone=public --add-port=4500/udp --permanent

Allow IPSec SA & Child SA protocols on the Firewall – Phase 2

firewall-cmd --zone=public --add-protocol=50 --permanent
firewall-cmd --zone=public --add-protocol=51 --permanent

Activate Red Hat IPSec Tunnel

ipsec auto --add cert_notes_vms
ipsec auto --up cert_notes_vms
systemctl reload ipsec

Testing the IPSec Encrypted Communication

Let’s ping the Right Host and check if it is encrypted.

ping 192.168.1.216
sudo tcpdump -n -i enp0s3 esp or udp port 500 or udp port 4500

Now we will verify the IPSec connection status and parameters.

ipsec whack --status

Verify Public Keys on Host

If we need to validate all IPSec RSA Keys run the command:

ipsec auto --listpubkeys
ipsec showhostkey --list

RFCs Related to IPSec

  • The IP Security Architecture – RFC 4301
  • Defines Authentication Headers (AH) – RFC 4302
  • Defines Encapsulating Security Payloads (ESP) – RFC 4303
  • ISAKMP – RFC 2408
  • IKEv2 – RFC 5996
  • Cryptographic algorithm Implementation for ESP and AH – RFC 4835

LibresWan Website

Red Hat

nmcli command

Back to Top