Libreswan based Ipsec VPN using preshared and RSA keys on Ubuntu

In this tutorial, LibreSwan will be installed on Ubuntu. LibreSwan is an open source implementation of the IPsec protocol suite. It descends from the FreeS/WAN project (by way of Openswan) and is shipped as a ready-to-use package on Red Hat based Linux distributions; for other Linux platforms the source tree contains detailed instructions for compiling it. After the installation, a gateway-to-gateway IPsec VPN will be configured to protect the traffic exchanged between the two peers.

Details about the IPsec protocol are given in our previous article. However, brief information about the two parts of the IPsec protocol, with respect to LibreSwan, is given below.

An IPsec-based VPN consists of the Internet Key Exchange (IKE) protocol and the Encapsulating Security Payload (ESP) protocol.

–> IKE

As the name indicates, the purpose of the IKE protocol is to authenticate the peers of a VPN (using a preshared key, public key cryptography, or XAUTH user credentials checked against a RADIUS server such as FreeRADIUS), to dynamically generate session keys and to agree on them with the peer. The keys used by ESP in the second phase are derived from the IKE exchange as well, so the strength of the tunnel depends on the IKE proposal (ike=) as much as on the ESP proposal (phase2alg=). Libreswan implements IKE in its pluto daemon.

–> ESP

ESP is the protocol that actually carries the protected packets according to the policy the peers agreed on in IKE. Libreswan does not implement ESP itself: pluto installs the negotiated security associations (SAs) and policies into the Linux kernel IPsec stack (NETKEY/XFRM), which performs the encryption and integrity protection of the packets.

Libreswan features

  • Support for pre-shared key based authentication.
  • Support for public key (RSA) based authentication.
  • Supports both IKEv1 and IKEv2 key exchange.
  • Uses the NSS crypto library for its cryptographic operations and for private key storage.
  • XAUTH and DNSSEC are also supported.

Required Packages for Ubuntu 16.04

The following packages must be installed on Ubuntu for a successful compilation of LibreSwan. The source tree also briefly documents how to enable or disable plugins/features and which make targets to use when building LibreSwan.

apt-get -y update
apt-get install libunbound-dev libevent-dev libsystemd-dev libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make libnss3-tools

The installation of required packages is shown below.

[screenshot: installation of the required packages]

The latest LibreSwan source code at the time of writing (3.20) is downloaded with wget and extracted with tar, as shown below. Libreswan publishes a detached GPG signature next to each release tarball; fetch it as well and check the tarball with gpg --verify before building anything from it.

wget https://download.libreswan.org/libreswan-3.20.tar.gz

tar -xzf libreswan-3.20.tar.gz

cd libreswan-3.20

There is no configure script to run; simply running make without a target prints the two ways of building LibreSwan, as shown below.

[screenshot: output of make without a target]

Finally, run make all to build LibreSwan on the platform.

make all

Now run make install to install the IPsec programs together with their man pages and the systemd unit file.

make install

[screenshot: make install output]

Starting the IPsec service

As shown in the above screenshot, the IPsec service must be enabled on Ubuntu with the following command so that it starts at boot.

systemctl enable ipsec.service

Before the IPsec service is started, the NSS database must be initialized. LibreSwan uses NSS for its cryptographic operations and stores the host's private keys and certificates in it, so the database files under /etc/ipsec.d must exist before pluto can start.

ipsec initnss

Finally, start the IPsec service using the following command (on a systemd-based Ubuntu, systemctl start ipsec.service does the same).

ipsec setup start

Run ipsec status to view the running configuration and the state of LibreSwan on the Ubuntu platform.

ipsec status

LibreSwan Configuration

In this tutorial, an IPsec VPN is set up between two peers, first using a preshared key and then using RSA keys (public/private keypair). The configuration of both peers (left/right) is given below. Note that in Libreswan left and right are simply the two ends of the connection, not local and remote: pluto determines which end it is by checking whether the left= or the right= address belongs to a local interface, so the same conn section could be installed unchanged on both gateways. The tutorial nevertheless writes each peer's file with itself as left. In ipsec.conf, parameter lines must be indented; a line starting in column 0 begins a new section.

Preshared key based VPN

ipsec.conf (configuration file of left VM)

version 2

config setup
    protostack=netkey

conn vpn_psk
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.145
    leftsubnet=172.16.10.0/24
    right=192.168.15.245
    rightsubnet=192.169.50.0/24
    authby=secret
    type=tunnel
    auto=start

ipsec.secrets (configuration file of left VM)

192.168.15.145 192.168.15.245 : PSK "vpn_psk123"

ipsec.conf (configuration file of right VM)

version 2

config setup
    protostack=netkey

conn vpn_psk
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.245
    leftsubnet=192.169.50.0/24
    right=192.168.15.145
    rightsubnet=172.16.10.0/24
    authby=secret
    type=tunnel
    auto=start

ipsec.secrets (configuration file of right VM)

192.168.15.245 192.168.15.145 : PSK "vpn_psk123"

After writing the above configuration into ipsec.conf and ipsec.secrets on both peers, run the following command on both sides to restart the service and start the IKE negotiation. Two caveats: ipsec.secrets must be owned by root and not readable by anyone else (mode 0600), because pluto reads the plaintext PSK from it at start-up and on ipsec rereadsecrets; and the PSK used here is only a lab placeholder. The preshared key is the only thing authenticating the peers, so in practice use a long random secret rather than a dictionary-like string.

ipsec restart
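The preshared-key setup above, as an added example that is not part of the tutorial or of Libreswan: a small Python script that renders a single conn section (Libreswan determines locally which side it is, so the same section works on both gateways), generates a random PSK instead of a guessable one, and cross-checks two peers' ipsec.conf files for the mismatches that creep in when left/right are swapped by hand. The addresses, subnets and proposals are the tutorial's lab values; the function names and the output layout are this example's own.

```python
"""Render and cross-check the Libreswan preshared-key configuration of two gateways.

Added example for this tutorial; not part of Libreswan. Addresses and proposals are
the lab values used above; the PSK is freshly generated instead of "vpn_psk123".
"""
import secrets

# Lab values from the tutorial.
LEFT = {"addr": "192.168.15.145", "subnet": "172.16.10.0/24"}
RIGHT = {"addr": "192.168.15.245", "subnet": "192.169.50.0/24"}
PROPOSALS = {"ike": "aes256-sha256;modp4096", "phase2alg": "aes256-sha256;modp4096"}
SIDE_KEYS = ("left", "leftsubnet", "right", "rightsubnet")


def make_psk(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG as URL-safe base64 (43 chars): no quoting issues in ipsec.secrets."""
    return secrets.token_urlsafe(nbytes)


def render_ipsec_conf(conn: str, left: dict, right: dict, proposals: dict) -> str:
    """One conn section that can be installed unchanged on both peers.

    Parameter lines are indented: a line starting in column 0 opens a new section.
    """
    lines = ["version 2", "", "config setup", "    protostack=netkey", "", f"conn {conn}"]
    lines += [f"    {key}={value}" for key, value in proposals.items()]
    lines += [
        f"    left={left['addr']}",
        f"    leftsubnet={left['subnet']}",
        f"    right={right['addr']}",
        f"    rightsubnet={right['subnet']}",
        "    authby=secret",
        "    type=tunnel",
        "    auto=start",
    ]
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(left_addr: str, right_addr: str, psk: str) -> str:
    """The ipsec.secrets entry; install it with owner root and mode 0600 on both peers."""
    if '"' in psk or "\n" in psk:
        raise ValueError("PSK must not contain double quotes or newlines")
    return f'{left_addr} {right_addr} : PSK "{psk}"\n'


def parse_conn(text: str, conn: str) -> dict:
    """Collect the parameter=value lines of one conn section from an ipsec.conf text."""
    params, inside = {}, False
    for raw in text.splitlines():
        if raw and not raw[0].isspace():            # column 0: a section header
            inside = raw.split() == ["conn", conn]
            continue
        line = raw.strip()
        if inside and line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def peers_consistent(conf_a: str, conf_b: str, conn: str) -> bool:
    """True when both files describe the same tunnel, either identically or with left/right swapped."""
    a, b = parse_conn(conf_a, conn), parse_conn(conf_b, conn)
    if not a or not b:
        return False
    swap = {"left": "right", "leftsubnet": "rightsubnet", "right": "left", "rightsubnet": "leftsubnet"}
    identical = all(a.get(k) == b.get(k) for k in SIDE_KEYS)
    mirrored = all(a.get(k) == b.get(swap[k]) for k in SIDE_KEYS)
    other_keys = (set(a) | set(b)) - set(SIDE_KEYS)       # proposals, authby, type, auto, ...
    return (identical or mirrored) and all(a.get(k) == b.get(k) for k in other_keys)


if __name__ == "__main__":
    psk = make_psk()
    conf = render_ipsec_conf("vpn_psk", LEFT, RIGHT, PROPOSALS)
    print("# /etc/ipsec.conf (same file on both gateways)\n" + conf)
    print("# /etc/ipsec.secrets on the left gateway\n" + render_ipsec_secrets(LEFT["addr"], RIGHT["addr"], psk))
    print("# /etc/ipsec.secrets on the right gateway\n" + render_ipsec_secrets(RIGHT["addr"], LEFT["addr"], psk))
```

peers_consistent accepts both conventions (identical files, or each peer written with itself as left, as this tutorial does) but rejects any difference in subnets, proposals or authentication, which is exactly the kind of typo that otherwise only surfaces as a NO_PROPOSAL_CHOSEN or an idle tunnel after the restart.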

Status of Preshared key VPN

The output of ipsec status and setkey -D is shown below. setkey comes from the ipsec-tools package, which is not installed by default on Ubuntu; the SAs and policies that pluto installed in the kernel can equally be listed with ip xfrm state and ip xfrm policy, which need nothing beyond iproute2. In ipsec status, the connection is up when its state line reports IPsec SA established, and the policy line contains PSK for the preshared key authentication.

ipsec status

[screenshot: ipsec status on the left VM]

setkey -D

[screenshot: setkey -D output]
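A check of the kernel state, as an added example that is not part of the tutorial or of Libreswan: it parses ip xfrm state output and verifies that every ESP SA uses the negotiated AES-256-CBC with HMAC-SHA256 in tunnel mode, one SA per direction. The sample output is constructed in the layout ip xfrm state prints, with dummy keys; run the script as root to examine a live gateway.

```python
"""Check the kernel IPsec SAs that Libreswan installed, from `ip xfrm state` output.

Added example for this tutorial (not part of Libreswan or iproute2). The sample below is
constructed in the layout `ip xfrm state` prints, with dummy keys; a live system needs
root (CAP_NET_ADMIN) for the keys to be displayed.
"""
import re
import subprocess

DUMMY_KEY_256 = "0x" + "11" * 32      # 64 hex digits = 256 bits (constructed, not a real key)

# Constructed sample: the two ESP SAs (one per direction) of the tunnel configured above.
SAMPLE_XFRM_STATE = f"""\
src 192.168.15.145 dst 192.168.15.245
        proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) {DUMMY_KEY_256} 128
        enc cbc(aes) {DUMMY_KEY_256}
        anti-replay context: seq 0x0, oseq 0x2a, bitmap 0x00000000
src 192.168.15.245 dst 192.168.15.145
        proto esp spi 0x4e5f6a7b reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) {DUMMY_KEY_256} 128
        enc cbc(aes) {DUMMY_KEY_256}
        anti-replay context: seq 0x2b, oseq 0x0, bitmap 0xffffffff
"""


def parse_xfrm_state(output: str) -> list:
    """Split `ip xfrm state` output into one dict per SA with the fields worth checking."""
    sas, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("proto "):
            m = re.match(r"proto (\S+) spi (\S+) reqid (\d+) mode (\S+)", line)
            cur.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)), mode=m.group(4))
        elif line.startswith(("enc ", "aead ")):
            kind, alg, key = line.split()[:3]
            bits = (len(key) - 2) * 4                 # hex digits after "0x" -> key bits
            if kind == "aead":
                bits -= 32                            # rfc4106/gcm keys carry a 4-byte salt
            cur["enc"], cur["enc_bits"] = alg, bits
        elif line.startswith(("auth-trunc ", "auth ")):
            parts = line.split()
            cur["auth"] = parts[1]
            cur["auth_trunc_bits"] = int(parts[3]) if parts[0] == "auth-trunc" else None
    return sas


def check_sas(sas: list, enc: str = "cbc(aes)", enc_bits: int = 256,
              auth: str = "hmac(sha256)", mode: str = "tunnel") -> list:
    """Return a list of problems; an empty list means every SA matches the expected policy."""
    problems = []
    if len(sas) < 2:
        problems.append(f"expected at least two SAs (one per direction), found {len(sas)}")
    for sa in sas:
        where = f"{sa['src']}->{sa['dst']}"
        if sa.get("proto") != "esp":
            problems.append(f"{where}: protocol {sa.get('proto')} is not esp")
        if sa.get("mode") != mode:
            problems.append(f"{where}: mode {sa.get('mode')} is not {mode}")
        if sa.get("enc") != enc or sa.get("enc_bits") != enc_bits:
            problems.append(f"{where}: cipher {sa.get('enc')}/{sa.get('enc_bits')} is not {enc}/{enc_bits}")
        if sa.get("auth") != auth:
            problems.append(f"{where}: integrity {sa.get('auth')} is not {auth}")
    return problems


def live_xfrm_state() -> str:
    """Run `ip xfrm state` on this host (root needed to see the keys)."""
    return subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    problems = check_sas(parse_xfrm_state(live_xfrm_state()))
    print("\n".join(problems) if problems else "all ESP SAs use AES-256-CBC + HMAC-SHA256 in tunnel mode")
```

Key size is read from the length of the key the kernel holds rather than from the algorithm name, so a peer that quietly negotiated aes128 (or a cbc(des3_ede) SA) shows up as a problem even though ipsec status would still say the tunnel is established.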

RSA (public/private) key based VPN

RSA keys must be generated on both machines and their public halves included in the configuration file. Only a truncated version of each RSA public key is shown in this tutorial. Make sure that the included public key is on a single line.

Generation of RSA keys

As shown below, the following command is used to generate the host key; it is run on both peers.

ipsec newhostkey --output /etc/ipsec.secrets

[screenshot: key generation on the left VM]

The generated public key is added to the ipsec.secrets file, as shown below.

[screenshot: ipsec.secrets on the left VM]

Similarly, RSA keys are generated with the same command on the right machine, as shown in the following snapshot.

[screenshot: ipsec.secrets on the right VM]

As shown above, the key generation command automatically adds the RSA public key to /etc/ipsec.secrets on each peer. The RSA private key is stored in the NSS database under /etc/ipsec.d/*.db, which is why ipsec initnss had to be run first. The public key in the form needed for leftrsasigkey=/rightrsasigkey= in ipsec.conf can be printed with ipsec showhostkey --left (or --right). Exchange each peer's public key over an authenticated channel and compare it before pasting it: whoever can substitute the key in the other side's ipsec.conf can impersonate that peer.

After generating the RSA keys, the next step is to change the configuration of both machines in ipsec.conf.

ipsec.conf (configuration file of left VM)

version 2

config setup
    protostack=netkey

conn vpn_rsa
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.145
    leftsubnet=172.16.10.0/24
    right=192.168.15.245
    rightsubnet=192.169.50.0/24
    authby=rsasig
    leftrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[……..]ALQNXUf$
    rightrsasigkey=0sAQOs7aPh6LppUGgC454+W[……..]fSd2zQE
    type=tunnel
    auto=start

ipsec.conf (configuration file of right VM)

version 2

config setup
    protostack=netkey

conn vpn_rsa
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.245
    leftsubnet=192.169.50.0/24
    right=192.168.15.145
    rightsubnet=172.16.10.0/24
    authby=rsasig
    rightrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[……..]ALQNXUf$
    leftrsasigkey=0sAQOs7aPh6LppUGgC454+W[……..]fSd2zQE
    type=tunnel
    auto=start

After changing the LibreSwan configuration files, the next step is to restart the IPsec service on both machines using the following command.

ipsec restart

The status of the IPsec VPN on the left device is shown in the following screenshot. The policy line contains RSASIG, i.e. RSA signatures are used to authenticate the peers of the IPsec tunnel.

[screenshot: ipsec status on the left VM with RSASIG policy]
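The pasted rsasigkey values, as an added example that is not from the tutorial or from Libreswan: a decoder/encoder for the 0s... format, which is the RFC 3110 RSA public key encoding (exponent length, exponent, modulus) in base64 behind Libreswan's 0s marker. It decodes the exponent from the visible beginnings of the two keys on this page (both start with 0sAQ, a one-byte exponent, which decodes to 3), reports the modulus size of a complete key and computes a fingerprint, so that a key pasted into ipsec.conf can be compared with what ipsec showhostkey printed on the peer. The demo modulus is constructed filler, not a real RSA key, and the function names are this example's own.

```python
"""Decode and encode Libreswan's leftrsasigkey=/rightrsasigkey= values.

Added example for this tutorial; not part of Libreswan. A value is "0s" (Libreswan's
marker for base64) followed by the RFC 3110 encoding of an RSA public key:
exponent length (1 byte, or 0x00 plus 2 bytes), exponent, modulus.
"""
import base64
import hashlib

# Visible beginnings of the two keys pasted into ipsec.conf above (the page elides the rest).
LEFT_KEY_PREFIX = "0sAQPgMUjAb8QOQaJ1FTkIQf3f"
RIGHT_KEY_PREFIX = "0sAQOs7aPh6LppUGgC454+W"

# Constructed 2048-bit "modulus" for the round-trip demo: random-looking filler, not an RSA key.
DEMO_MODULUS = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big")


def _split_exponent(raw: bytes):
    """Return (exponent, offset at which the modulus starts) from RFC 3110 bytes."""
    if not raw:
        raise ValueError("empty key")
    if raw[0] != 0:
        elen, off = raw[0], 1                      # short form: one length byte
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3   # long form: 0x00 + 2-byte length
    if len(raw) < off + elen:
        raise ValueError("key too short to contain the exponent")
    return int.from_bytes(raw[off:off + elen], "big"), off + elen


def _raw_bytes(key: str, allow_truncated: bool = False) -> bytes:
    if not key.startswith("0s"):
        raise ValueError("not a Libreswan base64 ('0s') key")
    b64 = key[2:]
    if allow_truncated:
        b64 = b64[: len(b64) // 4 * 4]            # whole 4-char groups decode without padding
    return base64.b64decode(b64, validate=True)


def decode_rsasigkey(key: str):
    """Complete key -> (e, n)."""
    raw = _raw_bytes(key)
    e, off = _split_exponent(raw)
    return e, int.from_bytes(raw[off:], "big")


def encode_rsasigkey(e: int, n: int) -> str:
    """(e, n) -> the 0s... string Libreswan expects in ipsec.conf."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    elen = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(elen + exp + mod).decode("ascii")


def exponent_from_prefix(key: str) -> int:
    """Public exponent from a truncated key: only the first few bytes are needed."""
    e, _ = _split_exponent(_raw_bytes(key, allow_truncated=True))
    return e


def modulus_bits(key: str) -> int:
    return decode_rsasigkey(key)[1].bit_length()


def key_fingerprint(key: str) -> str:
    """SHA-256 over the decoded key bytes, to compare a pasted key with the peer's out of band."""
    return hashlib.sha256(_raw_bytes(key)).hexdigest()


if __name__ == "__main__":
    for name, prefix in (("left", LEFT_KEY_PREFIX), ("right", RIGHT_KEY_PREFIX)):
        print(f"{name} key from the tutorial: public exponent e = {exponent_from_prefix(prefix)}")
    demo = encode_rsasigkey(65537, DEMO_MODULUS)
    print(f"demo e=65537 key starts with {demo[:8]}, {modulus_bits(demo)}-bit modulus, "
          f"fingerprint {key_fingerprint(demo)[:16]}...")
```

Keys with e=65537 start with 0sAwEAA, keys with e=3 with 0sAQO or 0sAQP, so the first characters already tell what was pasted; e=3 is a legitimate RSA exponent, and the value of decoding lies in checking exponent, modulus size and fingerprint against the peer's ipsec showhostkey output rather than trusting a long opaque string.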

The purpose of this tutorial was to explore LibreSwan, an implementation of the IPsec protocol suite. It is packaged for Red Hat distributions, but can easily be compiled for other platforms such as Ubuntu/Debian. In this article LibreSwan was first built from source, and then two VPNs were configured between the gateway devices, one using a preshared key and one using RSA keys.
