IPsec Configuration in RHEL 7 - Securing VPNs using Libreswan

This post describes the procedure to install and configure IPsec on RHEL 7.x. IPsec is available for both IPv4 and IPv6.

In RHEL 7, a Virtual Private Network (VPN) can be set up using the IPsec protocol, which is provided by the Libreswan implementation.

Prerequisite:

Ensure that a Yum repository is configured on the system. The libreswan package can be found on the RHEL / CentOS ISO DVD.

Below are the steps to configure IPsec using Libreswan on RHEL 7.

1.    Log in to both nodes as the root user over SSH, if not already logged in.

2.    Install the libreswan package, with all its dependencies, from the YUM repository:

yum install libreswan -y

3.    IPsec configuration is stored in the /etc/ipsec.d/ directory and the /etc/ipsec.conf file.
Generate a public/private key pair for RSA-based authentication on both nodes that are being configured for IPsec.
Run the following commands one by one on both target nodes, node1 and node2:

a.    Create the NSS certificate database that IPsec uses to store its keys:
certutil -N -d /etc/ipsec.d/
At the password prompt, keep pressing Enter until the command exits.
The following is sample output:

Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Password changed successfully.

b.    Generate the IPsec host key pair in the NSS database under /etc/ipsec.d/ and add the key entry to the /etc/ipsec.secrets file:
rm -f /etc/ipsec.secrets
ipsec newhostkey --output /etc/ipsec.secrets --bits 2192 --random /dev/urandom --configdir /etc/ipsec.d/

Note:  Ignore the warning message about the RSA key size, if one appears.

Make a note of the public key in /etc/ipsec.secrets using the following command:
grep "#pubkey=" /etc/ipsec.secrets
This public key is used in the IPsec connection configuration below.

4.    Ensure that the public key has been generated on both nodes and is available to the installation personnel.

5.    Check that the following entry is present in /etc/ipsec.conf on both target nodes, and uncomment it if necessary:
include /etc/ipsec.d/*.conf

6.    Create a new file (if it does not already exist) on either target node, /etc/ipsec.d/nodes_details_ipsec.conf, and append the following lines after replacing the placeholder values with the correct entries:

Note:  Ensure that the entries in /etc/ipsec.d/nodes_details_ipsec.conf are properly indented; otherwise the IPsec service will fail to start.

vi /etc/ipsec.d/nodes_details_ipsec.conf
conn nodes_ipv4
     left=<node1_ip>
     leftrsasigkey=<public_key_of_node1>
     leftnexthop=%defaultroute
     right=<node2_ip>
     rightrsasigkey=<public_key_of_node2>
     rightnexthop=%defaultroute
     auto=start

If IPsec is also to be configured for IPv6 alongside IPv4, append the following lines to /etc/ipsec.d/nodes_details_ipsec.conf after replacing the placeholder values with the correct entries:

conn nodes_v6
     connaddrfamily=ipv6
     left=<node1_ipv6>
     leftrsasigkey=<public_key_of_node1>
     leftnexthop=%defaultroute
     right=<node2_ipv6>
     rightrsasigkey=<public_key_of_node2>
     rightnexthop=%defaultroute
     auto=start
Save the file after making the required configuration changes.

7.    After updating it, copy /etc/ipsec.d/nodes_details_ipsec.conf to the other node at the same path.

8.    Enable and start (or restart) the IPsec service using the following commands:

systemctl enable ipsec
systemctl restart ipsec
To verify that the IPsec service is running, execute the following command:
systemctl status ipsec

To test whether IPsec is configured properly, run the "ipsec whack --trafficstatus" command. It lists the tunnels that are currently established, together with the byte counters in each direction.

Sample Output

[root@techbuzz ~]# ipsec whack --trafficstatus
006 #4: "mm18_nodes", type=ESP, add_time=1535366781, inBytes=84, outBytes=84, id='10.62.241.51'

006 #3: "mm18_nodes_v6", type=ESP, add_time=1535366781, inBytes=104, outBytes=104, id='2001:1a60:81b7:1258:10:62:241:56'
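A small check that turns the step above into something scriptable, added here as an example and not part of the original post or of Libreswan: it parses the "ipsec whack --trafficstatus" output format shown above and reports, for each connection name from nodes_details_ipsec.conf, whether an ESP tunnel is established and carrying traffic in both directions. The sample status text and its addresses are constructed; the connection names assume the nodes_ipv4 / nodes_v6 names used in the configuration file above.

```python
import re
import subprocess

# Constructed sample modelled on the post's trafficstatus output (not real hosts).
# The second tunnel deliberately shows outBytes=0, i.e. established but one-way.
SAMPLE_STATUS = (
    "006 #4: \"nodes_ipv4\", type=ESP, add_time=1535366781, inBytes=84, "
    "outBytes=84, id='10.62.241.51'\n"
    "006 #3: \"nodes_v6\", type=ESP, add_time=1535366781, inBytes=104, "
    "outBytes=0, id='2001:db8:1258:10:62:241:56'\n"
)

# One SA line: status code, SA number, conn name, type, add_time, counters, peer id.
LINE_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<name>[^"]+)", type=(?P<type>\w+), '
    r"add_time=(?P<added>\d+), inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+), "
    r"id='(?P<peer>[^']+)'"
)


def parse_trafficstatus(text):
    """Return a list of dicts, one per established SA found in the output."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            sas.append({"sa": int(d["sa"]), "name": d["name"], "type": d["type"],
                        "in": int(d["inb"]), "out": int(d["outb"]), "peer": d["peer"]})
    return sas


def check_tunnels(text, expected_names):
    """Map each expected conn name to: ok, up-no-traffic, wrong-type or missing."""
    by_name = {sa["name"]: sa for sa in parse_trafficstatus(text)}
    verdict = {}
    for name in expected_names:
        sa = by_name.get(name)
        if sa is None:
            verdict[name] = "missing"          # no SA at all: IKE/auth never completed
        elif sa["type"] != "ESP":
            verdict[name] = "wrong-type"       # tunnel is not carrying ESP
        elif sa["in"] == 0 or sa["out"] == 0:
            verdict[name] = "up-no-traffic"    # SA exists but one direction is silent
        else:
            verdict[name] = "ok"
    return verdict


if __name__ == "__main__":
    # Live run on a node: feed the real command output into the same check.
    out = subprocess.run(["ipsec", "whack", "--trafficstatus"],
                         capture_output=True, text=True, check=False).stdout
    for name, state in check_tunnels(out, ["nodes_ipv4", "nodes_v6"]).items():
        print(f"{name}: {state}")
```

Run it on either node after step 8; a "missing" verdict usually means the leftrsasigkey/rightrsasigkey values or the include line in /etc/ipsec.conf are wrong, while "up-no-traffic" means the SA exists but nothing has yet crossed it in one direction.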
