Libreswan based Ipsec VPN using preshared and RSA keys on Ubuntu

In this tutorial, LibreSwan will be installed on the Ubuntu platform. LibreSwan is an open source implementation of the IPsec protocol. It is based on the FreeS/WAN project and is available as a ready-to-use package on RedHat-based Linux distributions; for other Linux platforms, the project source code contains detailed instructions for compiling it. After the installation, a gateway-to-gateway IPsec VPN will be configured to protect data between the sender and receiver peers.

Details about the IPsec protocol are given in our previous article. However, brief information about the two parts of the IPsec protocol, with respect to LibreSwan, is given below.

An IPsec-based VPN consists of the Internet Key Exchange (IKE) protocol and the Encapsulating Security Payload (ESP) protocol.

–> IKE

As the name indicates, the purpose of the IKE protocol is to authenticate the peers of a VPN (using a preshared key, public key cryptography or FreeRADIUS), to dynamically generate keys and to share those keys with the VPN peers. The encryption keys for the second phase of IPsec also depend on IKE. LibreSwan implements the IKE protocol in the project's pluto program.

–> ESP

The ESP protocol carries the actual traffic protection that the peers agreed on during IKE; it is implemented in the Linux kernel IPsec stack (NETKEY/XFRM).

Libreswan features

  • Support for Pre-shared key based authentication.
  • Support for Public key based authentication.
  • Supports both IKEv1 and IKEv2 key exchange.
  • Uses the NSS crypto library.
  • XAUTH and DNSSEC are also supported.

Required Packages for Ubuntu 16.04

The following packages must be installed on Ubuntu for LibreSwan to compile successfully. The source code also contains brief information on how to enable or disable plugins/features and which commands to use when installing LibreSwan.

Compile LibreSwan

apt-get -y update
apt-get install libunbound-dev libevent-dev libsystemd-dev libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make libnss3-tools

Install LibreSwan dependencies on Ubuntu

The installation of required packages is shown below.

Install dependencies

The latest source code of the IPsec tool is downloaded with the wget command and extracted with the tar command, as shown below.

wget https://download.libreswan.org/libreswan-3.20.tar.gz

tar -xzf libreswan-3.20.tar.gz

cd libreswan-3.20

Download and unpack LibreSwan

There is no need to run a configure command; simply running the make command without a target shows the two ways to build LibreSwan, as shown below.

Run make command on LibreSwan

Finally, run the make all command to build LibreSwan on the platform.

make all

Run make all

Now run the make install command to install the IPsec program.

make install

Run make install

Starting the IPsec service

As shown in the above screenshot, the IPsec service must be enabled on the Ubuntu platform using the following command.

systemctl enable ipsec.service

Enable IPSec service

The NSS crypto database must be initialized before the IPsec service is started; LibreSwan uses NSS for all cryptographic operations of the IPsec VPN.

ipsec initnss

Initialize NSS crypto

Finally, start the IPsec service using the following command.

ipsec setup start

Start IPSec setup

Run the ipsec status command to view the settings of LibreSwan on the Ubuntu platform.

ipsec status

ipsec status

LibreSwan Configuration

In this tutorial, an IPsec VPN will be set up between peers first using a preshared key and then using RSA keys (a public/private keypair). The configuration of both peers (left/right) is given below.

Preshared key based VPN

ipsec.conf (configuration file of left VM)

version 2

config setup
    protostack=netkey

conn vpn_psk
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.145
    leftsubnet=172.16.10.0/24
    right=192.168.15.245
    rightsubnet=192.169.50.0/24
    authby=secret
    type=tunnel
    auto=start

ipsec.secrets (configuration file of left VM)

192.168.15.145 192.168.15.245: PSK "vpn_psk123"

ipsec.conf (configuration file of right VM)

version 2

config setup
    protostack=netkey

conn vpn_psk
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.245
    leftsubnet=192.169.50.0/24
    right=192.168.15.145
    rightsubnet=172.16.10.0/24
    authby=secret
    type=tunnel
    auto=start

ipsec.secrets (configuration file of right VM)

192.168.15.245 192.168.15.145: PSK "vpn_psk123"

After writing the above configuration into the ipsec.conf and ipsec.secrets files, run the following command on both sides to start the IPsec negotiation.

ipsec restart

Status of Preshared key VPN

The output of the ipsec status and setkey -D commands is shown below.

ipsec status

ipsec status

setkey -D

setkey

RSA (public/private) key based VPN

RSA keys must be generated on both machines and included in the configuration file. Only a shortened version of each RSA key is shown in this tutorial; in the real file the included public key must be on a single line.

Generation of RSA keys

As shown below, the following command is used to generate the key on each peer.

ipsec newhostkey --output /etc/ipsec.secrets

Generate RSA key

The generated public key is added to the ipsec.secrets file as shown below.

Add pubkey to ipsec secrets

Similarly, the RSA key for the right-side machine is generated with the same command, as shown in the following screenshot.

Generate rsa keys

As shown above, the key generation command automatically includes the RSA public key in /etc/ipsec.secrets on both peer machines. The RSA private key is stored in the NSS database under /etc/ipsec.d/*.db.

After generating the RSA keys, the next step is to change the ipsec.conf configuration on both machines.

ipsec.conf (configuration file of left VM)

version 2

config setup
    protostack=netkey

conn vpn_rsa
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.145
    leftsubnet=172.16.10.0/24
    right=192.168.15.245
    rightsubnet=192.169.50.0/24
    authby=rsasig
    leftrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[……..]ALQNXUf$
    rightrsasigkey=0sAQOs7aPh6LppUGgC454+W[……..]fSd2zQE
    type=tunnel
    auto=start

ipsec.conf (configuration file of right VM)

version 2

config setup
    protostack=netkey

conn vpn_rsa
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
    left=192.168.15.245
    leftsubnet=192.169.50.0/24
    right=192.168.15.145
    rightsubnet=172.16.10.0/24
    authby=rsasig
    rightrsasigkey=0sAQPgMUjAb8QOQaJ1FTkIQf3f[……..]ALQNXUf$
    leftrsasigkey=0sAQOs7aPh6LppUGgC454+W[……..]fSd2zQE
    type=tunnel
    auto=start
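For both the preshared key and the RSA setups above, the two peers' ipsec.conf files must be exact mirror images of each other: left and right swapped, every other parameter identical, and each rsasigkey a single-line base64 value. The following script is an added example (not part of the tutorial or of LibreSwan) that parses a left/right pair of ipsec.conf files and reports any parameter that does not mirror; the sample pair and the key strings are constructed placeholders modelled on the RSA configuration.

```python
import re
# Constructed sample pair modelled on the tutorial's RSA tunnel; the key values are placeholders.
TEMPLATE = """version 2
config setup
    protostack=netkey
conn vpn_rsa
    ike=aes256-sha256;modp4096
    authby=rsasig
    left={l}
    leftsubnet={ls}
    right={r}
    rightsubnet={rs}
    leftrsasigkey={lk}
    rightrsasigkey={rk}
    auto=start
"""
L, R, LS, RS = "192.168.15.145", "192.168.15.245", "172.16.10.0/24", "192.169.50.0/24"
LK, RK = "0sAQPgLEFTKEYPLACEHOLDER", "0sAQOsRIGHTKEYPLACEHOLDER"
LEFT_CONF = TEMPLATE.format(l=L, ls=LS, r=R, rs=RS, lk=LK, rk=RK)
RIGHT_CONF = TEMPLATE.format(l=R, ls=RS, r=L, rs=LS, lk=RK, rk=LK)

def parse_conns(text):
    """Map conn name -> {param: value}; only indented lines under a conn section count."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():          # section header: "conn X" or "config setup"
            m = re.match(r"conn\s+(\S+)", line)
            cur = conns.setdefault(m.group(1), {}) if m else None
        elif line.strip() and cur is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k] = v.strip()
    return conns

def mirror_key(k):
    """leftsubnet <-> rightsubnet and so on; parameters without a side map to themselves."""
    return re.sub(r"^(left|right)", lambda m: "right" if m.group(1) == "left" else "left", k)

def mirror_errors(left_text, right_text, name):
    """Mismatches between conn `name` on the left peer and its mirror image on the right peer."""
    a, b = parse_conns(left_text).get(name, {}), parse_conns(right_text).get(name, {})
    errs = []
    for k in sorted(set(a) | {mirror_key(k) for k in b}):
        v, w = a.get(k), b.get(mirror_key(k))
        if v != w:
            errs.append(f"{k}: left peer has {v!r}, right peer has {w!r} for {mirror_key(k)}")
        # A public key pasted over several lines or with an ellipsis will never authenticate.
        if k.endswith("rsasigkey") and v and not re.fullmatch(r"0s[A-Za-z0-9+/=]+", v):
            errs.append(f"{k}: not a single-line base64 RSA key")
    return errs
```

Run mirror_errors() on the real files from both gateways before restarting ipsec; an empty list means the pair is consistent.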

After changing the LibreSwan configuration files, the next step is to restart the IPsec service on both machines using the following command.

ipsec restart

The status of the IPsec VPN on the left device is shown in the following screenshot. It shows that RSASIG is used in the policy to authenticate the peers of the IPsec tunnel.

The purpose of this tutorial was to explore LibreSwan, which provides an implementation of the IPsec protocol. It is packaged for RedHat distributions, but it can easily be compiled for other platforms such as Ubuntu/Debian. In this article, LibreSwan was first built from source and then two VPNs were configured between the gateway devices, one using a preshared key and one using RSA keys.
