Red Hat

Free Tutorial Libreswan IPSec Host-To-Host with RSA Keys 2020

Learn how to configure Libreswan IPSec tunnels on Red Hat 8 System using RSA Keys to secure the communications between…

Libreswan IPSec on Red Hat

Today on this tutorial I will show how to configure Libreswan IPSec Host to Host connection between two Red Hat Hosts using RSA Keys with 4096 bits of encryption.

The benefits of IP Sec are Confidentiality, Integrity and Authentication and we can get these over IPv4 or IPv6.

We are using ESP for encapsulating the Payloads and IKEv2 for tunnel Key management.

Before apply this configuration check our other manual on How to Setup generate IPSec RSA Keys on Linux.

Install Libreswan package

To install libreswan package on Red hat 8 run:

yum install libreswan

Init Libreswan NSS Database

Start the NSS Database, this database will store the RSA private Keys :

ipsec initnss
ipsec initnss --nssdir /etc/ipsec.d

Generate IPSec RSA Keys on both Hosts

To encrypt the connection between the two Hosts they need to know each other RSA Public Keys generate them and add them to the configuration file.

Run on IPSec Left Host

Generate the RSA Private and Public Keys on the Left Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will be stored on *.db files from NSS Database.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname left.poplab.pt
ipsec service

Extract the RSA Public Key from Left Host and add them to the configuration file.

ipsec showhostkey --left --ckaid 1a7b98222db9598f4f238e7308465cd2cc5c5c60 | grep 'leftrsasigkey'
Free Tutorial Libreswan IPSec Host-To-Host with RSA Keys 2020 13

Run on Right IPSec Host

Generate the RSA Private and Public Keys on the Right Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will stored on *.db files.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets  --hostname right.poplab.pt

Extract the RSA Public Key from Right Host and add them to the configuration file.

ipsec showhostkey --right --ckaid 48da57a02c21ac0ac8a2fada14d82c203ee0a034 | grep 'rightrsasigkey'

Create Libreswan IPSec configuration file

Now let’s create the libreswan configuration IPsec connection file, create a new file located at /etc/ipsec.d/

vi /etc/ipsec.d/ipsec_certnotes.conf
Free Tutorial Libreswan IPSec Host-To-Host with RSA Keys 2020 14
conn cert_notes_vms
     #Left Host Config Settings
     leftid=@left.poplab.pt
     left=192.168.1.213
     leftrsasigkey=0sAwE6PHOmHg[...]tEE1KvoK6fSIgzUuFnGw==
     #Right Host Config Settings
     rightid=@right.certificationsnotes.com
     right=192.168.1.216
     rightrsasigkey=0sAwvo1KvoKK6fSEAA[..]B6P1KvoKHfdgabNQ==
     #General Configs
     auto=start
     authby=rsasig
     compress=yes
     #Phase 1 ISAKMP IKE (Internet Key Exchange)
     type=tunnel
     pfs=yes
     ikev2=insist
     ikepad=yes
     #Phase 2 Encryption Negotiation 
     phase2=esp
     ppk=no
     esn=no

Manage Libreswan IPSec Service

Start the IP Sec service

systemctl start ipsec

Enable the IP Sec service on boot

systemctl enable ipsec

Reload IP Sec service after a configuration

systemctl reload ipsec

Configure Red Hat 8 Firewall to Allow IPSec

As we know the IP Sec tunnels use two protocols to establish and authenticate the secure tunnels, we need to allow them on our firewall.

Before that check your interfaces and associated zones to allow on tunnel at the correct zone.

firewall-cmd --get-active-zone 

Allow ISAKMP & IKE SA ports on the Firewall – Phase 1

firewall-cmd --zone=public --add-port=500/udp --permanent
firewall-cmd --zone=public --add-port=4500/udp --permanent

Allow IPSec SA & Child SA protocols on the Firewall – Phase 2

firewall-cmd --zone=public --add-protocol=50 --permanent
firewall-cmd --zone=public --add-protocol=51 --permanent

Activate Red Hat IPSec Tunnel

ipsec auto --add cert_notes_vms
ipsec auto --up cert_notes_vms
systemctl reload ipsec

Testing the IPSec Encrypted Communication

Let’s ping the Right Host and check if it is encrypted.

ping 192.168.1.216
sudo tcpdump -n -i enp0s3 esp or udp port 500 or udp port 4500

Now we will verify the IPSec connection status and parameters.

ipsec whack --status

Verify Public Keys on Host

If we need to validate all IPSec RSA Keys run the command:

ipsec auto --listpubkeys
ipsec showhostkey --list

RFCs Related to IPSec

  • The IP Security Architecture – RFC 4301
  • Defines Authentication Headers (AH) – RFC 4302
  • Defines Encapsulating Security Payloads (ESP) – RFC 4303
  • ISAKMP – RFC 2408
  • IKEv2 – RFC 5996
  • Cryptographic algorithm Implementation for ESP and AH – RFC 4835

LibresWan Website

Red Hat

nmcli command

Mr. SynMan

Recent Posts

Linux Device Management: Free Guide

Understand UDEV Folder /dev Understand D-BUS Device Commands List devices on PCI BUS lspci List devices on USB BUS lsusb…

6 months ago

Linux Pseudo File Systems: Free Guide

A pseudo file system does not exist on a physical hard disk,is created by the Kernel and only runs all…

6 months ago

Working with Kernel Modules

LPIC1 Category - 101.1 Determine and configure hardware settings uname command display information about the running Kernel. uname Display a…

6 months ago

Understand Linux ACLs

Linux ACLs can control the filesystem features and flags for each file or folder. Introducing ACLs in Linux ACLs Kernel…

10 months ago

How to Install Power DNS Red Hat Free

Learn how to Install Power DNS on Red Hat 7 using a command line. Configure your DNS Authoritive server and…

1 year ago

BIOS Interrupt Vector Table

BIOS Processor Instructions INTAddressTypeFunction Description00h0000:0000hProcessorDivide Error01h0000:0004hProcessorSingle Step02h0000:0008hProcessorNon-maskable interrupt03h0000:000ChProcessorBreakpoint instruction04h0000:0010hProcessorOverflow instruction05h0000:0014hBIOS ProcessorPrint screen Bound range exceeded06h0000:0018hProcessorInvalid opcode07h0000:001ChProcessorCoprocessor not available08h0000:0020hHardware ProcessorIRQ 0…

1 year ago