In this tutorial, LibreSwan will be installed on the Ubuntu Platform. LibreSwan is an open source implementation of the IPsec protocol, it is based on the FreeSwan project and is available as ready to use the package on RedHat based Linux distributions. However, detailed instructions are given in the source code of the project to compile it on other Linux platforms. After the installation process, a gateway to gateway based IPsec VPN will be configured to secure data from sender to receiver peers.
Details about the IPsec protocol are given in our previous article. However, a brief information about the two parts of the IPsec protocol with respect to LibreSwan is explained below.
An IPsec-based VPN consists of the Internet Keying Exchange protocol and the Encapsulating Security Payload (ESP) protocol.
--> IKE
As the name indicates, the purpose of the IKE protocol is to authenticate (using a preshared key, Public key cryptography, freeradius) peers of a VPN, to dynamically generate keys and to share the keys with the VPN peers. The encryption keys for the second phase of the IPsec do also dependend on IKE. Libreswan implements the IKE protocol using the pluto program of the project.
--> ESP
The ESP protocol is the actual specification of the peers agreed policy which is implemented in the Linux kernel (NETEY/XFRM) IPsec stack.
Libreswan features
- Support for Pre-shared key based authentication.
- Support for Public key based authentication.
- Supports both IKE v1/v2 version of key exchange.
- NSS crypto library supported.
- Xauth and DNSSec are also supported.
Required Packages for Ubuntu 16.04
It is required to install the following packages on Ubuntu for successful compilation of LibreSwan. A brief information is also given in the source code how to enable or disable plugins/features and commands when you install LibreSwan.
apt-get -y update
apt-get install libunbound-dev libevent-dev libsystemd-dev libnss3-dev libnspr4-dev pkg-config \ libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make libnss3-tools
The installation of required packages is shown below.
The latest source code of the IPsec tool is downloaded using wget command and extracted using the following tar command.
wget https://download.libreswan.org/libreswan-3.20.tar.gz
tar -xzf libreswan-3.20.tar.gz
cd libreswan-3.20
There is no need to run the configure command, simply run the make command which will show two ways to build LibreSwan as shown below.
Finally, run make all command to build LibreSwan on the platform.
make all
Now run make install command to install the IPsec program.
Starting the IPsec service
As shown in the above screenshot, it is required to enable the IPSec service on the Ubuntu platform using the following command.
systemctl enable ipsec.service
It is required to initialize the NSS crypto library before starting IPsec service. It is used by LibreSwan for cryptographic algorithm usage in IPsec VPN.
IPsec initnss
Finally, start IPSec service using the following command.
ipsec setup start
Run ipsec status command to view the settings of LibreSwan on the Ubuntu platform.
ipsec status
LibreSwan Configuration
In this tutorial, an IPsec VPN will be set up between peers using a preshared key and RSA keys (public/private keypair). The configuration of both peers (left/right) are given below.
Preshared key based VPN
ipsec.conf (configuration file of left VM) ipsec.secrets (configuration file of left VM)
version 2 192.168.15.145 192.168.15.245: PSK "vpn_psk123"
config setup
protostack=netkey
conn vpn_psk
ike=aes256-sha256;modp4096
phase2alg=aes256-sha256;modp4096
left=192.168.15.145
leftsubnet=172.16.10.0/24
right=192.168.15.245
rightsubnet=192.169.50.0/24
authby=secret
type=tunnel
auto=start
ipsec.conf (configuration file of right VM) ipsec.secrets (configuration file of right VM)
version 2 192.168.15.245 192.168.15.145: PSK "vpn_psk123"
config setup
protostack=netkey
conn vpn_psk
ike=aes256-sha256;modp4096
phase2alg=aes256-sha256;modp4096
left=192.168.15.245
leftsubnet=192.169.50.0/24
right=192.168.15.145
rightsubnet=172.16.10.0/24
authby=secret
type=tunnel
auto=start
After setting above configuration in the ipsec.conf and ipsec.secrets files, run the following command on both sides to start the IPSec negotiation process.
ipsec restart
Status of Preshared key VPN
The output of ipsec status and setkey -D commands are shown below.
ipsec status
setkey -D
RSA (public/private) key based VPN
It is required to generate RSA keys for both machines and include them in the configuration file. The reduced version of an RSA key is shown in this tutorial. Also ensure that the included public key should be in single line.
Generation of RSA keys
As shown below, following commands are used to generate keys for both peers.
ipsec newhostkey --output /etc/ipsec.secrets
The generated public key is added in the ipsec.secrets file as shown below.
Similarly, RSA keys are generated using the same command for the right side machine as shown in the following snapshot.
As shown above, key generation commands automatically includes the RSA public key in /etc/ipsec.secrets on both peer machines. The private key of RSA is stored in the database of NSS under /etc/ipsec.d/*.db files.
After generating RSA keys, next step changes configuration of both machines in ipsec.conf file.
ipsec.conf (configuration file of left VM)
version 2
config setup
protostack=netkey
conn vpn_rsa
ike=aes256-sha256;modp4096
phase2alg=aes256-sha256;modp4096
left=192.168.15.145
leftsubnet=172.16.10.0/24
right=192.168.15.245
rightsubnet=192.169.50.0/24
authby=rsasig
leftrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[........]ALQNXUf$
rightrsasigkey=0sAQOs7aPh6LppUGgC454+W[........]fSd2zQE
type=tunnel
auto=start
ipsec.conf (configuration file of right VM)
version 2
config setup
protostack=netkey
conn vpn_rsa
ike=aes256-sha256;modp4096
phase2alg=aes256-sha256;modp4096
left=192.168.15.245
leftsubnet=192.169.50.0/24
right=192.168.15.145
rightsubnet=172.16.10.0/24
authby=rsasig
rightrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[........]ALQNXUf$
leftrsasigkey=0sAQOs7aPh6LppUGgC454+W[........]fSd2zQE
type=tunnel
auto=start
After changing the LibreSwan configuration files, the next step is to restart the IPsec service on both machines using the following command.
ipsec restart
The status of the IPsec VPN on left device is shown in the following screenshot. It shows that RSASIG is used in the policy to authenticate the peers of IPsec tunnel.
The purpose of this tutorial is to explore "LibreSwan" which provides the IPsec protocol implementation. It is available in RedHat distributions, however it can be compiled for another platform such as Ubuntu/Debian easily. In this article, the first LibreSwan tool is built from source and then two VPN configured using preshared & RSA keys between the gateways devices.