3 Configuring a VPN by Using Libreswan

Libreswan is the software that implements VPN by using the IPsec protocol and the Internet Key Exchange (IKE) standards.

Installing Libreswan

To configure an IPsec VPN with Libreswan, download the package as follows:

  1. Ensure that the AppStream repository is enabled.
  2. Install Libreswan. 
    sudo dnf install -y libreswan
  3. Start ipsec as a persistent service. 
    sudo systemctl enable ipsec --now
  4. Add the ipsec service to the firewall service. 
    sudo firewall-cmd --add-service="ipsec"
sudo firewall-cmd --runtime-to-permanent

Configuring IPsec VPN

VPN configurations range from basic setups such as one between hosts to complex ones that involve entire sites.

Creating a Host to Host Connection

Regardless of the types of VPN connections that you want to configure, a common but important step involves obtaining RSA keys that would enable connections between endpoints.

On a host-to-host connection, for example, do the following:

  1. Generate an RSA key pair by running the following command. 
    sudo ipsec newhostkey
    Generated RSA key pair with CKAID 6e6e724aa180b071128632dc09c7d2b25a852d7e was stored in the NSS database

    The command generates an RSA key pair with a specific ckaid value.

    You must run the command on both hosts.

  2. On the first host, display the leftrsasigkey key.

    Note:

    Typically in libreswan, the left designation refers to the local host, while the right designation refers to the remote host. However, because both hosts are peers, the designations can be used interchangeably. 

    sudo ipsec showhostkey --list

    From the output, identify the ckaid, for example, 6e6e724aa180b071128632dc09c7d2b25a852d7e and use it to display the leftrsasigkey key, as follows: 

    sudo ipsec showhostkey --left --ckaid 6e6e724aa180b071128632dc09c7d2b25a852d7e
      # rsakey AwEAAaxdf
  leftrsasigkey=0sAwEAAaxdfaCPrZ72pAm1kjvhAQHHLn3Wg3gAu1Z0U+3FWeh7FN+bHtfy
...
9f8=
  3. On the second host, display the rightrsasigkey key. 
    sudo ipsec showhostkey --list

    From the output, identify the ckaid, for example, 5dddc2334515702c3a605bc00daed1e44e18767d and use it to display the rightrsasigkey key, as follows: 

    ipsec showhostkey --right --ckaid 5dddc2334515702c3a605bc00daed1e44e18767d
      # rsakey AwEAAb1nC
  rightrsasigkey=0sAwEAAdSSYrNO2QOY8RXgLlJZilBokPb9cFzCbU+VYY7eFcoZMmVWPVI
...
zu+/7BE5kjXHAAI1fvYha+CFbuh6KYAlpoHvX81ALusfQs+6wwTsde5jlfcrXNlqX
  4. On each host, create a configuration file in /etc/ipsec.d, for example, host2host.conf, with the following entries: 
    conn tunnel-name
    leftid=@host1-tunnel-id
    left=host1-IPaddress
    leftrsasigkey=host1-leftrsasigkey
    rightid=@host2-tunnel-id
    right=host2-IPaddress
    rightrsasigkey=host2-rightrsasigkey
    authby=rsasig

    For more information about the configuration file and other parameters you can set, see the ipsec.conf(5) manual page.

  5. Restart the IPsec service.
    sudo systemctl restart ipsec
  6. Start libreswan. 
    sudo ipsec setup start
  7. Load the VPN tunnel connection.
    sudo ipsec auto --add tunnel-name
  8. Establish the tunnel connection. 
    sudo ipsec auto --up tunnel-name
  9. Start the tunnel automatically when the ipsec service is started by adding the following line to the configuration file: 
    auto=start

Creating a Site to Site Connection

A VPN connection between sites means that a connection is established between two networks. When you configure a pair of hosts for this type of connection, the hosts effectively become gateways through which traffic can enter or exit to access other hosts in the network.

To configure a site to site VPN, a configured host to host VPN must already be existing and operational as described in Creating a Host to Host Connection.

Note:

You can configure a Site-to-Site VPN between your on-premises network and an Oracle Cloud Infrastructure virtual cloud network (VCN) using Libreswan. Steps for setting up a Site-to-Site VPN to OCI are described in the Libreswan Oracle Cloud Infrastructure documentation.

To proceed with configuring a connection between sites, follow these steps:

  1. Create a copy of the host to host configuration file to serve as the configuration file for the site to site connection, for example: 
    sudo cp /etc/ipsec.d/host2host.conf /etc/ipsec.d/site2site.conf

    Copies must exist on both hosts.

  2. Edit the new configuration file by adding subnet information, for example: 
    conn subnet-name
  also=tunnel-name
  leftsubnet=subnet1-IP
  rightsubnet=subnet2-IP
  auto=start

host connection information...

    Note:

    The subnets can be in CIDR notation.

Verifying the Status of VPN Services

To check if the ipsec service is running, type this command: 

sudo systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor prese>
   Active: active (running) since Mon 2021-04-26 02:27:39 PDT; 7h ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
...

To test the tunnel connections, install the tcpdump utility to monitor network traffic.

Run the following command on one of the peers to monitor traffic explicitly on the interface. The utility tracks Encapsulated Security Payload (ESP) packets and traffic traversing the UDP ports 500 and 4500 that are used by the ipsec service: 

tcpdump -n -i interface esp or udp port 500 or udp port 4500
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on interface, link-type EN10MB (Ethernet), capture size 262144 bytes
10:05:53.578884 IP 10.147.25.195 > 10.147.25.196: ESP(spi=0xcba1dd78,seq=0x2325), length 96
10:05:53.579353 IP 10.147.25.196 > 10.147.25.195: ESP(spi=0x979dcdbe,seq=0x2325), length 124
10:05:56.585128 IP 10.147.25.195 > 10.147.25.196: ESP(spi=0xcba1dd78,seq=0x2326), length 96
10:05:56.585527 IP 10.147.25.196 > 10.147.25.195: ESP(spi=0x979dcdbe,seq=0x2326), length 124
...

The utility first reports traffic that's generated by the peers exchanging keys.

While the tcpdump is running, go to the other peer and perform a network operation, such as a network ping, to the first host. The host that's monitoring the traffic would report network activity over the VPN from the second peer.

Press Ctrl+C to end the operations on both peers.

To check the IPSec security policies and rules that are present in the kernel, run the following commands:

  • sudo ip xfrm policy

    The ip xfrm policy command displays information on security policies present in the kernel. Security policies determine which network traffic is to be transformed and protected by IPSec. See the ip-xfrm(8) manual page for more information.

  • sudo ip xfrm state

    The ip xfrm state command displays information on security associations present in the kernel. Security associations consist of parameters that determine, for example, the way the traffic is to be encrypted and authenticated. See the ip-xfrm(8) manual page for more information.