Monday, 4 May 2015

IPSec VPN (public key authentication) using Libreswan in RHEL7

In public key authentication, each host is manually configured with the other host's public key. Authentication relies on each host possessing the private key that corresponds to its published public key, so both hosts must hold their own private key to authenticate each other.
Public key authentication is recommended over PSK authentication. In a PSK system a major issue is the secure distribution of the PSK to remote hosts. This problem does not occur with public key authentication, since the public key is not secret and can be distributed without fear of disclosure.

Consider two hosts, referred to below as "Left" and "Right".
An IPSec VPN tunnel will be established between these two hosts.
On both machines, run the following commands:
1) Install the package
       yum -y install libreswan

2) Open the firewall ports: 500/udp and the ESP protocol
     firewall-cmd --zone=public --add-port=500/udp --permanent
     firewall-cmd --add-rich-rule='rule protocol value="esp" accept' --permanent
     firewall-cmd --reload

3) Generate the RSA key pair
    ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/oserver.secrets

4) Edit the file '/etc/ipsec.conf' and uncomment the below line
     include /etc/ipsec.d/*.conf

On the host "Left", run the following command
    ipsec showhostkey --left >

On the host "Right"
1) Run the following command
     ipsec showhostkey --right >

2) copy the file '' to the Left host.(

On the host "Left"
1) Create the file '/etc/ipsec.d/oserver.conf' and add the following entries.
      conn myconn
           leftrsasigkey=0sAQO86qaScc1wsNN6G7 [...]
           rightrsasigkey=0sAQPFZNZ1/OPvK8Gcl1iktCK [...]

     Note: 1) Copy the leftrsasigkey from the file '' with the vi editor's read-file command (:r ). Similarly, copy the rightrsasigkey from the file '' with :r . Copying and pasting from the terminal can introduce extra newlines or carriage returns that corrupt the key.
     2) Remember to maintain the indentation shown above, and do not leave any blank lines between the entries.

2) copy the file '/etc/ipsec.d/oserver.conf' to the Right host.(

On both hosts, start the service
       systemctl start ipsec

On any one machine, run the following commands:
1) Establish the connection
      ipsec auto --up myconn
2) View the status
      ipsec auto --status
