Learn how to configure Libreswan IPSec tunnels on Red Hat 8 System using RSA Keys to secure the communications between…
Table of Contents
Libreswan IPSec on Red Hat
Today on this tutorial I will show how to configure Libreswan IPSec Host to Host connection between two Red Hat Hosts using RSA Keys with 4096 bits of encryption.
The benefits of IP Sec are Confidentiality, Integrity and Authentication and we can get these over IPv4 or IPv6.
We are using ESP for encapsulating the Payloads and IKEv2 for tunnel Key management.
Before apply this configuration check our other manual on How to Setup generate IPSec RSA Keys on Linux.
Install Libreswan package
To install libreswan package on Red hat 8 run:
yum install libreswan
Init Libreswan NSS Database
Start the NSS Database, this database will store the RSA private Keys :
ipsec initnss --nssdir /etc/ipsec.dGenerate IPSec RSA Keys on both Hosts
To encrypt the connection between the two Hosts they need to know each other RSA Public Keys generate them and add them to the configuration file.
Run on IPSec Left Host
Generate the RSA Private and Public Keys on the Left Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will be stored on *.db files from NSS Database.
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname left.poplab.pt
Extract the RSA Public Key from Left Host and add them to the configuration file.
ipsec showhostkey --left --ckaid 1a7b98222db9598f4f238e7308465cd2cc5c5c60 | grep 'leftrsasigkey'
Run on Right IPSec Host
Generate the RSA Private and Public Keys on the Right Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will stored on *.db files.
ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname right.poplab.ptExtract the RSA Public Key from Right Host and add them to the configuration file.
ipsec showhostkey --right --ckaid 48da57a02c21ac0ac8a2fada14d82c203ee0a034 | grep 'rightrsasigkey'
Create Libreswan IPSec configuration file
Now let’s create the libreswan configuration IPsec connection file, create a new file located at /etc/ipsec.d/
vi /etc/ipsec.d/ipsec_certnotes.conf
conn cert_notes_vms
#Left Host Config Settings
leftid=@left.poplab.pt
left=192.168.1.213
leftrsasigkey=0sAwE6PHOmHg[...]tEE1KvoK6fSIgzUuFnGw==
#Right Host Config Settings
rightid=@right.certificationsnotes.com
right=192.168.1.216
rightrsasigkey=0sAwvo1KvoKK6fSEAA[..]B6P1KvoKHfdgabNQ==
#General Configs
auto=start
authby=rsasig
compress=yes
#Phase 1 ISAKMP IKE (Internet Key Exchange)
type=tunnel
pfs=yes
ikev2=insist
ikepad=yes
#Phase 2 Encryption Negotiation
phase2=esp
ppk=no
esn=noManage Libreswan IPSec Service
Start the IP Sec service
systemctl start ipsecEnable the IP Sec service on boot
systemctl enable ipsecReload IP Sec service after a configuration
systemctl reload ipsecConfigure Red Hat 8 Firewall to Allow IPSec
As we know the IP Sec tunnels use two protocols to establish and authenticate the secure tunnels, we need to allow them on our firewall.
Before that check your interfaces and associated zones to allow on tunnel at the correct zone.
firewall-cmd --get-active-zone 
Allow ISAKMP & IKE SA ports on the Firewall – Phase 1
firewall-cmd --zone=public --add-port=500/udp --permanent
firewall-cmd --zone=public --add-port=4500/udp --permanentAllow IPSec SA & Child SA protocols on the Firewall – Phase 2
firewall-cmd --zone=public --add-protocol=50 --permanent
firewall-cmd --zone=public --add-protocol=51 --permanent
Activate Red Hat IPSec Tunnel
ipsec auto --add cert_notes_vmsipsec auto --up cert_notes_vmssystemctl reload ipsecTesting the IPSec Encrypted Communication
Let’s ping the Right Host and check if it is encrypted.
ping 192.168.1.216
sudo tcpdump -n -i enp0s3 esp or udp port 500 or udp port 4500
Now we will verify the IPSec connection status and parameters.
ipsec whack --status
Verify Public Keys on Host
If we need to validate all IPSec RSA Keys run the command:
ipsec auto --listpubkeysipsec showhostkey --listRFCs Related to IPSec
- The IP Security Architecture – RFC 4301
- Defines Authentication Headers (AH) – RFC 4302
- Defines Encapsulating Security Payloads (ESP) – RFC 4303
- ISAKMP – RFC 2408
- IKEv2 – RFC 5996
- Cryptographic algorithm Implementation for ESP and AH – RFC 4835
Red Hat
1 Comment
Easily Understand Linux Boot Process in 2020 - PopLab · November 25, 2020 at 1:53 am
[…] Free Tutorial Libreswan IPSec Host-To-Host with RSA Keys 2020 […]