RedHat 8 – Configure Libreswan IP Sec Host-To-Host with RSA Keys

Learn how to configure Libreswan IPSec tunnels on Red Hat 8 System using RSA Keys to secure the communications between two Red Hat Hosts. Red Hat Security.

Libreswan IPSec on Red Hat

Today on this tutorial I will show how to configure Libreswan IP Sec Host to Host connection between two Red Hat Hosts using RSA Keys with 4096 bits of encryption.

The benefits of IPSec are Confidentiality, Integrity and Authentication and we can get these over IPv4 or IPv6.

We are using ESP for encapsulating the Payloads and IKEv2 for tunnel Key management.

Before apply this configuration check our other manual on How to Setup

IPSec Libreswan Host-To-Host with RSA Keys

Install Libreswan package

To install libreswan package on Red hat 8 run:

yum install libreswan
Red Hat Libreswan Package
Red Hat Libreswan Package

Init Libreswan NSS Database

Start the NSS Database, this database will store the RSA private Keys :

ipsec initnss --nssdir /etc/ipsec.d
Init Libreswan NSS Database
Init NSS IPSec Database

Generate IP Sec RSA Keys on both Hosts

To encrypt the connection between the two Hosts they need to know each other RSA Public Keys generate them and add them to the configuration file.

Run on IP Sec Left Host

Generate the RSA Private and Public Keys on the Left Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will be stored on *.db files from NSS Database.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets --hostname left.certificationsnotes.com
IPSec RSA Left Key Generation
IPSec RSA Left Key Generation – CKAID Value

Extract the RSA Public Key from Left Host and add them to the configuration file.

ipsec showhostkey --left --ckaid 1a7b98222db9598f4f238e7308465cd2cc5c5c60 | grep 'leftrsasigkey'
IPSec RSA Key Generated using Left CKAID Value
IPSec RSA Public Key Generated using Left CKAID Value

Run on Right IP Sec Host

Generate the RSA Private and Public Keys on the Right Host, the certnotes.secrets file will store the RSA Public Key and RSA Private Key will stored on *.db files.

ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/certnotes.secrets  --hostname right.certificationsnotes.com
IPSec RSA Right Key Generation - CKAID Value
IPSec RSA Right Key Generation – CKAID Value

Extract the RSA Public Key from Right Host and add them to the configuration file.

ipsec showhostkey --right --ckaid 48da57a02c21ac0ac8a2fada14d82c203ee0a034 | grep 'rightrsasigkey'
IPSec RSA Key Generated using Right CKAID Value
IPSec RSA Public Key Generated using Right CKAID Value

Create Libreswan IP Sec configuration file

Now lets configure the Libreswan IP sec connection file, create a new file located at /etc/ipsec.d/

vi /etc/ipsec.d/ipsec_certnotes.conf
Install Libreswan Red Hat Tunnel Configuration File
Install Libreswan Red Hat Tunnel Configuration File
conn cert_notes_vms
     #Left Host Config Settings
     [email protected]left.certificationsnotes.com
     left=192.168.1.213
     leftrsasigkey=0sAwE6PHOmHg[...]tEE1KvoK6fSIgzUuFnGw==
     #Right Host Config Settings
     [email protected]right.certificationsnotes.com
     right=192.168.1.216
     rightrsasigkey=0sAwvo1KvoKK6fSEAA[..]B6P1KvoKHfdgabNQ==
     #General Configs
     auto=start
     authby=rsasig
     compress=yes
     #Phase 1 ISAKMP IKE (Internet Key Exchange)
     type=tunnel
     pfs=yes
     ikev2=insist
     ikepad=yes
     #Phase 2 Encryption Negotiation 
     phase2=esp
     ppk=no
     esn=no

Manage IPSec Service

Start the IP Sec service

systemctl start ipsec

Enable the IP Sec service on boot

systemctl enable ipsec

Reload IP Sec service after a configuration

systemctl reload ipsec

Configure Red Hat 8 Firewall to Allow IPSec

IPSec Get Firewall Active Zones
IPSec Get Firewall Active Zones

As we know the IP Sec tunnels use two protocols to establish and authenticat the secure tunnels, we need to allow them on our firewall.

Before that check your interfaces and associated zones to allow on tunnel at the correct zone.

firewall-cmd --get-active-zone 
IPSec Add Firewall Rullez
IPSec Add Firewall Rullez

Allow ISAKMP & IKE SA ports on the Firewall – Phase 1

firewall-cmd --zone=public --add-port=500/udp --permanent
firewall-cmd --zone=public --add-port=4500/udp --permanent

Allow IPSec SA & Child SA protocols on the Firewall – Phase 2

firewall-cmd --zone=public --add-protocol=50 --permanent
firewall-cmd --zone=public --add-protocol=51 --permanent

Activate Red Hat IP Sec Tunnel

ipsec auto --add cert_notes_vms
ipsec auto --up cert_notes_vms
systemctl reload ipsec

Testing the IP Sec Encrypted Communication

Let’s ping the Right Host and check if it is encrypted.

ping 192.168.1.216
Testing the IPSec Encrypted Communication
Testing the IPSec Encrypted Communication
sudo tcpdump -n -i enp0s3 esp or udp port 500 or udp port 4500
IPSec Tcpdump On Right Host
IPSec Tcpdump On Right Host
ipsec whack --status
IPSec Whack Status
IPSec Whack Status

Verify Public Keys on Host

ipsec auto --listpubkeys
Show IPSec Public keys on Host
Show IPSec Public keys on Host
ipsec showhostkey --list

RFCs Related to IPSec

  • The IP Security Architecture – RFC 4301
  • Defines Authentication Headers (AH) – RFC 4302
  • Defines Encapsulating Security Payloads (ESP) – RFC 4303
  • ISAKMP – RFC 2408
  • IKEv2 – RFC 5996
  • Cryptographic algorithm Implementation for ESP and AH – RFC 4835

LibresWan Website

Red Hat

Leave a Reply