Libreswan based Ipsec VPN using preshared and RSA keys on Ubuntu

In this tutorial, LibreSwan will be installed on the Ubuntu Platform. LibreSwan is an open source implementation of the IPsec protocol, it is based on the FreeSwan project and is available as ready to use the package on RedHat based Linux distributions. However, detailed instructions are given in the source code of the project to compile it on other Linux platforms. After the installation process, a gateway to gateway based IPsec VPN will be configured to secure data from sender to receiver peers.

Details about the IPsec protocol are given in our previous article. However, a brief information about the two parts of the IPsec protocol with respect to LibreSwan is explained below.

An IPsec-based VPN consists of the Internet Keying Exchange protocol and the Encapsulating Security Payload (ESP) protocol.

-->   IKE

As the name indicates, the purpose of the IKE protocol is to authenticate (using a preshared key, Public key cryptography, freeradius) peers of a VPN, to dynamically generate keys and to share the keys with the VPN peers. The encryption keys for the second phase of the IPsec do also dependend on IKE. Libreswan implements the IKE protocol using the pluto program of the project.

-->   ESP

The ESP protocol is the actual specification of the peers agreed policy which is implemented in the Linux kernel (NETEY/XFRM) IPsec stack.

Libreswan features

  • Support for Pre-shared key based authentication.
  • Support for Public key based authentication.
  • Supports both IKE v1/v2 version of key exchange.
  • NSS crypto library supported.
  • Xauth and DNSSec are also supported.

Required Packages for Ubuntu 16.04

It is required to install the following packages on Ubuntu for successful compilation of LibreSwan.  A brief information is also given in the source code how to enable or disable plugins/features and commands when you install LibreSwan.

Compile LibreSwan

apt-get -y update
apt-get install  libunbound-dev libevent-dev  libsystemd-dev libnss3-dev libnspr4-dev pkg-config \ libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make libnss3-tools

Install LibreSwan dependencies on Ubuntu

The installation of required packages is shown below.

Install dependencies

The latest source code of the IPsec tool is downloaded using wget command and extracted using the following tar command.

wget https://download.libreswan.org/libreswan-3.20.tar.gz

tar -xzf libreswan-3.20.tar.gz

cd libreswan-3.20

Download and unpack LibreSwan

There is no need to run the configure command, simply run the make command which will show two ways to build LibreSwan as shown below.

Run make command on LibreSwan

Finally, run make all command to build LibreSwan on the platform.

make all

Run make all

Now run make install command to install the IPsec program.

Run make install

Starting the IPsec service

As shown in the above screenshot, it is required to enable the IPSec service on the Ubuntu platform using the following command.

systemctl enable ipsec.service

Enable IPSec service

It is required to initialize the NSS crypto library before starting IPsec service. It is used by LibreSwan for cryptographic algorithm usage in IPsec VPN.

IPsec initnss

Initialize NSS crypto

Finally, start IPSec service using the following command.

ipsec setup start

Start IPSec setup

Run ipsec status command to view the settings of LibreSwan on the Ubuntu platform.

ipsec status

ipsec status

LibreSwan Configuration

In this tutorial, an IPsec VPN will be set up between peers using a preshared key and RSA keys (public/private keypair). The configuration of both peers (left/right) are given below.

Preshared key based VPN

ipsec.conf (configuration file of left VM)              ipsec.secrets  (configuration file of left VM)

version 2                                                                              192.168.15.145 192.168.15.245: PSK "vpn_psk123"

config setup                                                         
                 protostack=netkey
conn vpn_psk

                  ike=aes256-sha256;modp4096
                  phase2alg=aes256-sha256;modp4096
                  left=192.168.15.145
                  leftsubnet=172.16.10.0/24
                  right=192.168.15.245
                  rightsubnet=192.169.50.0/24
                  authby=secret
                  type=tunnel
                  auto=start

ipsec.conf (configuration file of right VM)              ipsec.secrets  (configuration file of right VM)

version 2                                                                              192.168.15.245 192.168.15.145: PSK "vpn_psk123"

config setup                                                         
                 protostack=netkey
conn vpn_psk

         ike=aes256-sha256;modp4096
         phase2alg=aes256-sha256;modp4096
         left=192.168.15.245
         leftsubnet=192.169.50.0/24
         right=192.168.15.145
         rightsubnet=172.16.10.0/24
         authby=secret
         type=tunnel
         auto=start

After setting above configuration in the ipsec.conf and ipsec.secrets files, run the following command on both sides to start the IPSec negotiation process.

ipsec restart

Status of Preshared key VPN

The output of ipsec status and setkey -D commands are shown below.

ipsec status

ipsec status

setkey -D

setkey

RSA (public/private) key based VPN

It is required to generate  RSA keys for both machines and include them in the configuration file. The reduced version of an RSA key is shown in this tutorial. Also ensure that the included public key should be in single line.

Generation of RSA keys

As shown below, following commands are used to generate keys for both peers.

 ipsec newhostkey --output /etc/ipsec.secrets

 Generate RSA key

The generated public key is added in the ipsec.secrets file as shown below.

Add pubkey to ipsec secrets

Similarly, RSA keys are generated using the same command for the right side machine as shown in the following snapshot.

Generate rsa keys

As shown above, key generation commands automatically includes the RSA public key in /etc/ipsec.secrets on both peer machines.  The private key of RSA is stored in the database of NSS under  /etc/ipsec.d/*.db files.

After generating RSA keys, next step changes configuration of both machines in ipsec.conf file.

ipsec.conf (configuration file of left VM)            

version 2                                                                             

config setup                                                         
                 protostack=netkey
conn vpn_rsa

                  ike=aes256-sha256;modp4096
                  phase2alg=aes256-sha256;modp4096
                  left=192.168.15.145
                  leftsubnet=172.16.10.0/24
                  right=192.168.15.245
                  rightsubnet=192.169.50.0/24
                  authby=rsasig
                  leftrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[........]ALQNXUf$
                  rightrsasigkey=0sAQOs7aPh6LppUGgC454+W[........]fSd2zQE

                  type=tunnel
                  auto=start

ipsec.conf (configuration file of right VM)             

version 2                                                                             

config setup                                                         
                 protostack=netkey
conn vpn_rsa

         ike=aes256-sha256;modp4096
         phase2alg=aes256-sha256;modp4096
         left=192.168.15.245
         leftsubnet=192.169.50.0/24
         right=192.168.15.145
         rightsubnet=172.16.10.0/24
         authby=rsasig
         rightrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[........]ALQNXUf$
         leftrsasigkey=0sAQOs7aPh6LppUGgC454+W[........]fSd2zQE

         type=tunnel
         auto=start

After changing the LibreSwan configuration files, the next step is to restart the IPsec service on both machines using the following command.

ipsec restart

The status of the IPsec VPN on left device is shown in the following screenshot. It shows that RSASIG is used in the policy to authenticate the peers of IPsec tunnel.

The purpose of this tutorial is to explore "LibreSwan" which provides the IPsec protocol implementation. It is available in RedHat distributions, however it can be compiled for another platform such as Ubuntu/Debian easily. In this article, the first LibreSwan tool is built from source and then two VPN configured using preshared & RSA keys between the gateways devices.

Share this page:

Suggested articles

1 Comment(s)

Add comment

Comments

From: Whit at: 2017-08-25 20:15:54

libreswan also requires libldns-dev