{"id":12286,"date":"2022-04-14T21:46:00","date_gmt":"2022-04-14T18:46:00","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12286"},"modified":"2024-03-09T11:49:47","modified_gmt":"2024-03-09T08:49:47","slug":"setup-ipsec-vpn-server-with-libreswan-on-rocky-linux","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-ipsec-vpn-server-with-libreswan-on-rocky-linux\/","title":{"rendered":"Setup IPSec VPN server with Libreswan on Rocky Linux"},"content":{"rendered":"\n

Welcome to our today’s guide on how to setup IPSec VPN server with Libreswan on Rocky Linux. Libreswan<\/a> is a free implementation of IKE\/IPsec for Linux. IPsec is the Internet Protocol Security which uses strong cryptography to provide both authentication and encryption services and allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.<\/p>\n\n\n\n

IKE manages the authentication between two communicating end points. It also enables endpoints to negotiate on algorithms to use to setup an IPsec tunnel.<\/p>\n\n\n\n

In our previous guide, we covered how to install and configure IPSec VPN using StrongSwan on Ubuntu 18.04. See the link below;<\/p>\n\n\n\n

Configure IPSEC VPN using StrongSwan on Ubuntu 18.04<\/a><\/p>\n\n\n\n

Setup IPSec VPN Server with Libreswan on Rocky Linux<\/h2>\n\n\n\n

There are different VPN Server-client implementations of Libreswan<\/a>.<\/p>\n\n\n\n

In this guide, we are going to learn how setup IPSec VPN server for the mobile clients (clients with dynamically assigned IPs such as laptops) here in known as road warriors<\/code><\/strong>, so that they can be able to connect to local LAN from anywhere. Mobile clients are authenticated using certificates and hence uses the IKEv2 protocol.<\/p>\n\n\n\n

IKEv2<\/strong> (Internet Key Exchange version 2) is a VPN encryption protocol that handles request and response actions. IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH) and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.<\/p>\n\n\n\n

Run system Update<\/h3>\n\n\n\n

Update your system packages on the server to be used as Libreswan VPN server.<\/p>\n\n\n\n

dnf update<\/code><\/pre>\n\n\n\n
Install Libreswan on Rocky Linux<\/h3>\n\n\n\n
Once the update is done, install Libreswan. Libreswan is available on Rocky Linux AppStream repos and hence, you can simply install using the package manager as follows;<\/p>\n\n\n\n
dnf install libreswan<\/code><\/pre>\n\n\n\n
Running Libreswan<\/h3>\n\n\n\n
Once the installation is done, start and enable Libreswan ipsec<\/strong><\/code> service to run on system boot.<\/p>\n\n\n\n
systemctl enable --now ipsec<\/code><\/pre>\n\n\n\n
Initialize IPSec NSS Database<\/h3>\n\n\n\n
Next, you need to initialize the Network Security Services (NSS) database. NSS database is used to store authentication keys and identity certificates.<\/p>\n\n\n\n
ipsec initnss<\/code><\/pre>\n\n\n\n
If there is any previous database, you can remove it so that you can have a new database. The NSS database is stored under \/etc\/ipsec.d<\/code>.<\/p>\n\n\n\n
To remove any old databases, stop IPsec, if running and remove NSS databases by running the commands below;<\/p>\n\n\n\n
systemctl stop ipsec<\/code><\/pre>\n\n\n\n
rm -rf \/etc\/ipsec.d\/*db<\/code><\/pre>\n\n\n\n
You can then re-initialize the NSS database;<\/p>\n\n\n\n
ipsec initnss<\/code><\/pre>\n\n\n\n
Then start IPSec;<\/p>\n\n\n\n
systemctl start ipsec<\/code><\/pre>\n\n\n\n
Open Libreswan Ports and Protocols on Firewall<\/h3>\n\n\n\n
The IKE<\/code> protocol uses UDP port 500<\/code> and 4500<\/code> while IPsec protocols, Encapsulated Security Payload<\/code> (ESP) and Authenticated Header<\/code> (AH) uses protocol number 50 and 51<\/code> respectively.<\/p>\n\n\n\n
Hence, open these ports and protocols on your active firewall zone on your VPN (Left Endpoint) Server<\/strong> in this guide.<\/p>\n\n\n\n
firewall-cmd --get-active-zone<\/code><\/pre>\n\n\n\n
To open the ports and firewall on the default firewalld zone;<\/p>\n\n\n\n
firewall-cmd --add-port={4500,500}\/udp --permanent<\/code><\/pre>\n\n\n\n
firewall-cmd --add-protocol={50,51} --permanent<\/code><\/pre>\n\n\n\n
Or you can simply use the IPSec service;<\/p>\n\n\n\n
firewall-cmd --add-service=ipsec --permanent<\/code><\/pre>\n\n\n\n
Reload FirewallD<\/p>\n\n\n\n
firewall-cmd --reload<\/code><\/pre>\n\n\n\n
Configure IPSec VPN Server with Libreswan<\/h3>\n\n\n\n
Libreswan doesn’t use the client-server model. It however uses the terms left<\/code> and right<\/code> to refer to endpoints involved in any given connection. The left\/right terms can be used arbitrarily to refer to each system as long as you maintain consistency in using the terms while configuring your connections.<\/p>\n\n\n\n
Enable IP Forwarding<\/h3>\n\n\n\n
On both the VPN server<\/code><\/strong>, you need to enable IP forwarding.<\/p>\n\n\n\n
Run the command below to check if IP forwarding is enabled;<\/p>\n\n\n\n
sysctl net.ipv4.ip_forward<\/code><\/pre>\n\n\n\n
If the output is net.ipv4.ip_forward = 0<\/strong><\/code>, then IP forwarding is disabled and you need to enable.<\/p>\n\n\n\n
IP forwarding can be enabled by just enabling IP masquerading on firewalld.<\/p>\n\n\n\n
firewall-cmd --add-masquerade --permanent\nfirewall-cmd --reload<\/code><\/pre>\n\n\n\n
You can the verify IP forwarding;<\/p>\n\n\n\n
cat \/proc\/sys\/net\/ipv4\/ip_forward<\/code><\/pre>\n\n\n\n
A value of 1 means, IP forwarding is enabled.<\/p>\n\n\n\n
Similarly. you can enable IP forwarding by running the commands below;<\/p>\n\n\n\n
echo \"net.ipv4.ip_forward = 1\" >> \/etc\/sysctl.conf<\/code><\/pre>\n\n\n\n
Refresh with the sysctl.conf with new configuration.<\/p>\n\n\n\n
sysctl -p<\/code><\/pre>\n\n\n\n
Also, ensure that redirects are disabled.<\/p>\n\n\n\n
less \/etc\/sysctl.d\/50-libreswan.conf<\/code><\/pre>\n\n\n\n
# We disable redirects for XFRM\/IPsec\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\n<\/code><\/pre>\n\n\n\n
Generate VPN Server and Client Certificates<\/h3>\n\n\n\n
Next, you need to generate the VPN server and clients certificates for use in authentication.<\/p>\n\n\n\n
Create Certificates Generation Database<\/h4>\n\n\n\n
Run the command below to create a database that can be used to generate store a private key and CA certificate for use in generating hosts certificates. We will be using certutil<\/strong><\/code> command to generate the certificates.<\/p>\n\n\n\n
mkdir \/etc\/ipsec.d\/certsdb<\/code><\/pre>\n\n\n\n
certutil -N -d sql:\/etc\/ipsec.d\/certsdb<\/code><\/pre>\n\n\n\n
The command prompts you to enter the password for encrypting your keys.<\/p>\n\n\n\n
Enter a password which will be used to encrypt your keys.\nThe password should be at least 8 characters long,\nand should contain at least one non-alphabetic character.\nEnter new password: StRONgPassw0Rd<\/strong>\nRe-enter password: StRONgPassw0Rd<\/strong>\n<\/code><\/pre>\n\n\n\n
Generate CA Certificate<\/h4>\n\n\n\n
We use self signed certificates in this tutorial and hence, this is how we can generate our local CA certificate.<\/p>\n\n\n\n
certutil -S -x -n \"Kifarunix-demo CA\" -s \"O=Kifarunix-demo,CN=Kifarunix-demo CA\" -k rsa -g 4096 -v 12 -d sql:\/etc\/ipsec.d\/certsdb -t \"CT,,\" -2<\/code><\/pre>\n\n\n\n
Refer to man certutil<\/code> to learn about the options used.<\/strong><\/p>\n\n\n\n
When the command runs, you will be first prompted to enter the password for encrypting keys you set above. Enter the password to proceed.<\/p>\n\n\n\n
Next, you are required to generate random seed for use in creating of your keys by typing any keys on the keyboard until the progress meter is full. Once it is full, press enter to continue.<\/p>\n\n\n\n
...\nContinue typing until the progress meter is full:\n\n|************************************************************|\n\nFinished.  Press enter to continue: ENTER\n<\/code><\/pre>\n\n\n\n
    \n
  • Next, type y<\/strong> to specify that this is a CA certificate being generated.<\/li>\n\n\n\n
  • Press ENTER for the path length<\/li>\n\n\n\n
  • Enter n<\/strong> to specify that this is not a critical extension.<\/li>\n<\/ul>\n\n\n\n
    Generating key.  This may take a few moments...\n\nIs this a CA certificate [y\/N]?\ny<\/strong>\nEnter the path length constraint, enter to skip [<0 for unlimited path]: > ENTER<\/strong>\nIs this a critical extension [y\/N]?\nn<\/strong>\n<\/code><\/pre>\n\n\n\n
    Generate the VPN Server Certificate<\/h4>\n\n\n\n
     Next, generate the server certificate signed using the CA created above and assign extensions to it.<\/p>\n\n\n\n
    certutil -S -c \"Kifarunix-demo CA\" -n \"vpn.kifarunix-demo.com\" \\\n-s \"O=Kifarunix-demo,CN=vpn.kifarunix-demo.com\" -k rsa -g 4096 \\\n-v 12 -d sql:\/etc\/ipsec.d\/certsdb -t \",,\" -1 -6 -8 \"vpn.kifarunix-demo.com\"<\/code><\/pre>\n\n\n\n
    Similarly, enter the keys encryption password, generate the seed from the keyboard and press ENTER to continue.<\/p>\n\n\n\n
    Define the key and the key extension usage.<\/p>\n\n\n\n
    Generating key.  This may take a few moments...\n\n\t\t0 - Digital Signature\n\t\t1 - Non-repudiation\n\t\t2 - Key encipherment\n\t\t3 - Data encipherment\n\t\t4 - Key agreement\n\t\t5 - Cert signing key\n\t\t6 - CRL signing key\n\t\tOther to finish\n > 0\n\t\t0 - Digital Signature\n\t\t1 - Non-repudiation\n\t\t2 - Key encipherment\n\t\t3 - Data encipherment\n\t\t4 - Key agreement\n\t\t5 - Cert signing key\n\t\t6 - CRL signing key\n\t\tOther to finish\n > 2\n\t\t0 - Digital Signature\n\t\t1 - Non-repudiation\n\t\t2 - Key encipherment\n\t\t3 - Data encipherment\n\t\t4 - Key agreement\n\t\t5 - Cert signing key\n\t\t6 - CRL signing key\n\t\tOther to finish\n > 8\n<\/code><\/pre>\n\n\n\n
    Is this a critical extension [y\/N]?\nn\n\t\t0 - Server Auth\n\t\t1 - Client Auth\n\t\t2 - Code Signing\n\t\t3 - Email Protection\n\t\t4 - Timestamp\n\t\t5 - OCSP Responder\n\t\t6 - Step-up\n\t\t7 - Microsoft Trust List Signing\n\t\tOther to finish\n > 0\n\t\t0 - Server Auth\n\t\t1 - Client Auth\n\t\t2 - Code Signing\n\t\t3 - Email Protection\n\t\t4 - Timestamp\n\t\t5 - OCSP Responder\n\t\t6 - Step-up\n\t\t7 - Microsoft Trust List Signing\n\t\tOther to finish\n > 8\nIs this a critical extension [y\/N]?\nN\n<\/code><\/pre>\n\n\n\n
    Generate the VPN Client Certificate (for the road warrior)<\/h4>\n\n\n\n
    Run the command below to generate a VPN client certificate. Replace the name of the certificate (hostname used here) with the name of the host whose client certificate you are generating for;<\/p>\n\n\n\n
    certutil -S -c \"Kifarunix-demo CA\" -n \"janedoe.kifarunix-demo.com\" \\\n-s \"O=Kifarunix-demo,CN=janedoe.kifarunix-demo.com\" -k rsa -g 4096 \\\n-v 12 -d sql:\/etc\/ipsec.d\/certsdb -t \",,\" -1 -6 -8 \"janedoe.kifarunix-demo.com\"<\/code><\/pre>\n\n\n\n
    Similarly, enter the same options as above.<\/p>\n\n\n\n
    Listing the Available Certificates in the database<\/p>\n\n\n\n
    certutil -L -d sql:\/etc\/ipsec.d\/certsdb<\/code><\/pre>\n\n\n\n
    Certificate Nickname                                         Trust Attributes\n                                                             SSL,S\/MIME,JAR\/XPI\n\nKifarunix-demo CA                                            CTu,u,u\nvpn.kifarunix-demo.com                                       u,u,u\njanedoe.kifarunix-demo.com                                   u,u,u\njohndoe.kifarunix-demo.com                                   u,u,u\n<\/code><\/pre>\n\n\n\n
    Export and import the gateway certificate into the pluto DB.<\/p>\n\n\n\n
    pk12util -o vpn.kifarunix-demo.com.p12 -n \"vpn.kifarunix-demo.com\" -d sql:\/etc\/ipsec.d\/certsdb<\/code><\/pre>\n\n\n\n
    You can skip the PKCS12 password.<\/strong><\/p>\n\n\n\n
    ls<\/code><\/pre>\n\n\n\n
    vpn.kifarunix-demo.com.p12<\/code><\/pre>\n\n\n\n
    Once exported, Import the VPN server certificate to DB.<\/p>\n\n\n\n
    ipsec import vpn.kifarunix-demo.com.p12<\/code><\/pre>\n\n\n\n
    Export the client host certificates, private key, and CA certificate. All these will be stored in a .p12 file as specified output file in the command below.<\/p>\n\n\n\n
    pk12util -o janedoe.kifarunix-demo.com.p12 -n \"janedoe.kifarunix-demo.com\" -d sql:\/etc\/ipsec.d\/certsdb<\/code><\/pre>\n\n\n\n
    Similarly, skip the PKCS12 password.<\/p>\n\n\n\n
    ls<\/code><\/pre>\n\n\n\n
    janedoe.kifarunix-demo.com.p12 vpn.kifarunix-demo.com.p12<\/strong><\/code><\/pre>\n\n\n\n
    If you have generated certificates for other client hosts, you can as well export them.<\/p>\n\n\n\n
    Create IPSec VPN Endpoint Configuration file<\/h3>\n\n\n\n
    On your IPSec VPN host, create a configuration file on \/etc\/ipsec.d<\/code><\/strong> directory for your mobile clients.<\/p>\n\n\n\n
    \/etc\/ipsec.conf<\/strong><\/code> is the default configuration file for Libreswan and it has a directive to include other configurations defined on \/etc\/ipsec.d<\/code><\/strong> directory.<\/p>\n\n\n\n
    vim \/etc\/ipsec.d\/mobile-clients.conf<\/code><\/pre>\n\n\n\n
    Put the following configurations on the file above.<\/p>\n\n\n\n
    \nconn roadwarriors\n    left=vpn.kifarunix-demo.com\n    leftsubnet=0.0.0.0\/0\n    leftcert=vpn.kifarunix-demo.com\n    leftid=%fromcert\n    leftrsasigkey=%cert\n    leftsendcert=always\n    right=%any\n    rightaddresspool=10.0.8.10-10.0.8.254\n    rightca=%same\n    rightrsasigkey=%cert\n    modecfgdns=\"8.8.8.8,10.0.8.1\"\n    authby=rsasig\n    auto=start\n    dpddelay=60\n    dpdtimeout=300\n    dpdaction=clear\n    mobike=yes\n    ikev2=insist\n    fragmentation=yes\n    type=tunnel\n<\/code><\/pre>\n\n\n\n
    Refer to man ipsec.conf<\/code> for a comprehensive description of the options used above.<\/strong><\/p>\n\n\n\n
    Verify the configuration file for any errors;<\/p>\n\n\n\n
    \/usr\/libexec\/ipsec\/addconn --config \/etc\/ipsec.conf --checkconfig<\/code><\/pre>\n\n\n\n
    If there is no error, command exit with 0 status.<\/p>\n\n\n\n
    echo $?<\/code><\/pre>\n\n\n\n
    Otherwise, any error is displayed on the standard output. Fix the errors before you can proceed.<\/p>\n\n\n\n
    Enable IPsec logging by uncommenting the line, #logfile=\/var\/log\/pluto.log<\/strong><\/code>, on the \/etc\/ipsec.conf<\/strong><\/code> configuration.<\/p>\n\n\n\n
    config setup\n        # Normally, pluto logs via syslog.\n        logfile=\/var\/log\/pluto.log<\/strong>\n...<\/code><\/pre>\n\n\n\n
    Verify IPsec Configuration<\/h3>\n\n\n\n
    To confirm that the IPsec configuration is fine, simply run the command below;<\/p>\n\n\n\n
    ipsec verify<\/code><\/pre>\n\n\n\n
    \nVerifying installed system and configuration files\n\nVersion check and ipsec on-path                   \t[OK]\nLibreswan 4.4 (netkey) on 4.18.0-348.20.1.el8_5.x86_64\nChecking for IPsec support in kernel              \t[OK]\n NETKEY: Testing XFRM related proc values\n         ICMP default\/send_redirects              \t[OK]\n         ICMP default\/accept_redirects            \t[OK]\n         XFRM larval drop                         \t[OK]\nPluto ipsec.conf syntax                           \t[OK]\nChecking rp_filter                                \t[OK]\nChecking that pluto is running                    \t[OK]\n Pluto listening for IKE on udp 500               \t[OK]\n Pluto listening for IKE\/NAT-T on udp 4500        \t[OK]\n Pluto ipsec.secret syntax                        \t[OK]\nChecking 'ip' command                             \t[OK]\nChecking 'iptables' command                       \t[OK]\nChecking 'prelink' command does not interfere with FIPS\t[OK]\nChecking for obsolete ipsec.conf options          \t[OK]\n<\/code><\/pre>\n\n\n\n
    Restart IPsec;<\/p>\n\n\n\n
    systemctl restart ipsec<\/code><\/pre>\n\n\n\n
    Check status;<\/p>\n\n\n\n
    systemctl status ipsec<\/code><\/pre>\n\n\n\n
    If ipsec fails to start, there must be a configuration syntax error. Run the command below to pinpoint the error.<\/p>\n\n\n\n
    journalctl -xe<\/code><\/pre>\n\n\n\n
    Disable rp_filter for Libreswan and reload all Kernel configurations.<\/p>\n\n\n\n
    echo \"net.ipv4.conf.all.rp_filter = 0\" >> \/etc\/sysctl.d\/50-libreswan.conf<\/code><\/pre>\n\n\n\n
    sysctl --system<\/code><\/pre>\n\n\n\n
    You can also check the status using the command;<\/p>\n\n\n\n
    ipsec status<\/code><\/pre>\n\n\n\n
    \n000 using kernel interface: xfrm\n000  \n000 interface lo UDP [::1]:500\n000 interface lo UDP 127.0.0.1:4500\n000 interface lo UDP 127.0.0.1:500\n000 interface enp0s3 UDP 10.0.2.15:4500\n000 interface enp0s3 UDP 10.0.2.15:500\n000 interface enp0s8 UDP 192.168.58.43:4500\n000 interface enp0s8 UDP 192.168.58.43:500\n000  \n000 fips mode=disabled;\n000 SElinux=enabled\n000 seccomp=disabled\n000  \n000 config setup options:\n000  \n000 configdir=\/etc, configfile=\/etc\/ipsec.conf, secrets=\/etc\/ipsec.secrets, ipsecdir=\/etc\/ipsec.d\n000 nssdir=\/etc\/ipsec.d, dumpdir=\/run\/pluto, statsbin=unset\n000 dnssec-rootkey-file=\/var\/lib\/unbound\/root.key, dnssec-trusted=\n000 sbindir=\/usr\/sbin, libexecdir=\/usr\/libexec\/ipsec\n000 pluto_version=4.4, pluto_vendorid=OE-Libreswan-4.4, audit-log=yes\n000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s\n000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept\n000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=, nflog-all=0\n000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=\n000 ocsp-trust-name=\n000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get\n000 global-redirect=no, global-redirect-to=\n000 secctx-attr-type=32001\n000 debug:\n000  \n000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500\n000 virtual-private (%priv):\n000 - allowed subnets: 192.168.0.0\/16, 172.16.0.0\/12, 25.0.0.0\/8, 100.64.0.0\/10, fd00::\/8, fe80::\/10, \n000  \n000 Kernel algorithms supported:\n000  \n000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192\n000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256\n000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0\n000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256\n000 algorithm AH\/ESP auth: name=AES_CMAC_96, key-length=128\n000 algorithm AH\/ESP auth: name=AES_XCBC_96, key-length=128\n000 algorithm AH\/ESP auth: name=HMAC_MD5_96, key-length=128\n000 algorithm AH\/ESP auth: name=HMAC_SHA1_96, key-length=160\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_256_128, key-length=256\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_384_192, key-length=384\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_512_256, key-length=512\n000 algorithm AH\/ESP auth: name=NONE, key-length=0\n000  \n000 IKE algorithms supported:\n000  \n000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192\n000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256\n000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16\n000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20\n000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32\n000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48\n000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64\n000 algorithm IKE PRF: name=AES_XCBC, hashlen=16\n000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024\n000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536\n000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048\n000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072\n000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096\n000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144\n000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192\n000 algorithm IKE DH Key Exchange: name=DH19, bits=512\n000 algorithm IKE DH Key Exchange: name=DH20, bits=768\n000 algorithm IKE DH Key Exchange: name=DH21, bits=1056\n000 algorithm IKE DH Key Exchange: name=DH31, bits=256\n000  \n000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} \n000  \n000 Connection list:\n000  \n000 \"roadwarriors\": 0.0.0.0\/0===192.168.58.43[CN=vpn.kifarunix-demo.com, O=Kifarunix-demo,MS+S=C]...%any[+MC+S=C]; unrouted; eroute owner: #0\n000 \"roadwarriors\":     oriented; my_ip=unset; their_ip=unset; mycert=vpn.kifarunix-demo.com; my_updown=ipsec _updown;\n000 \"roadwarriors\":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]\n000 \"roadwarriors\":   our auth:rsasig, their auth:rsasig\n000 \"roadwarriors\":   modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8,10.0.8.1, domains:unset, cat:unset;\n000 \"roadwarriors\":   sec_label:unset;\n000 \"roadwarriors\":   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'CN=Kifarunix-demo CA, O=Kifarunix-demo'\n000 \"roadwarriors\":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;\n000 \"roadwarriors\":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;\n000 \"roadwarriors\":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;\n000 \"roadwarriors\":   policy: IKEv2+RSASIG+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+RSASIG_v1_5;\n000 \"roadwarriors\":   v2-auth-hash-policy: none;\n000 \"roadwarriors\":   conn_prio: 0,0; interface: enp0s8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;\n000 \"roadwarriors\":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;\n000 \"roadwarriors\":   our idtype: ID_DER_ASN1_DN; our id=CN=vpn.kifarunix-demo.com, O=Kifarunix-demo; their idtype: %none; their id=(none)\n000 \"roadwarriors\":   dpd: action:clear; delay:60; timeout:300; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both\n000 \"roadwarriors\":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;\n000 \"roadwarriors\":   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_128-HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192\n000 \"roadwarriors\":   ESP algorithms: AES_GCM_16_256-NONE, CHACHA20_POLY1305-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128, AES_GCM_16_128-NONE, AES_CBC_128-HMAC_SHA1_96+HMAC_SHA2_256_128\n000 \"roadwarriors\"[12]: 0.0.0.0\/0===192.168.58.43[CN=vpn.kifarunix-demo.com, O=Kifarunix-demo,MS+S=C]...192.168.58.1[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]===10.0.8.10\/32; erouted; eroute owner: #12\n000 \"roadwarriors\"[12]:     oriented; my_ip=unset; their_ip=unset; mycert=vpn.kifarunix-demo.com; my_updown=ipsec _updown;\n000 \"roadwarriors\"[12]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]\n000 \"roadwarriors\"[12]:   our auth:rsasig, their auth:rsasig\n000 \"roadwarriors\"[12]:   modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, domains:unset, cat:unset;\n000 \"roadwarriors\"[12]:   sec_label:unset;\n000 \"roadwarriors\"[12]:   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'CN=Kifarunix-demo CA, O=Kifarunix-demo'\n000 \"roadwarriors\"[12]:   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;\n000 \"roadwarriors\"[12]:   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;\n000 \"roadwarriors\"[12]:   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;\n000 \"roadwarriors\"[12]:   policy: IKEv2+RSASIG+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+MOBIKE+ESN_NO+RSASIG_v1_5;\n000 \"roadwarriors\"[12]:   v2-auth-hash-policy: none;\n000 \"roadwarriors\"[12]:   conn_prio: 0,32; interface: enp0s8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;\n000 \"roadwarriors\"[12]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;\n000 \"roadwarriors\"[12]:   our idtype: ID_DER_ASN1_DN; our id=CN=vpn.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_DER_ASN1_DN; their id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo\n000 \"roadwarriors\"[12]:   dpd: action:clear; delay:60; timeout:300; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both\n000 \"roadwarriors\"[12]:   newest ISAKMP SA: #11; newest IPsec SA: #12; conn serial: $13, instantiated from: $1;\n000 \"roadwarriors\"[12]:   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, CHACHA20_POLY1305-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192, AES_CBC_128-HMAC_SHA2_256-DH19+DH20+DH21+MODP2048+MODP3072+MODP4096+MODP8192\n000 \"roadwarriors\"[12]:   IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-DH19\n000 \"roadwarriors\"[12]:   ESP algorithms: AES_GCM_16_256-NONE, CHACHA20_POLY1305-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128, AES_GCM_16_128-NONE, AES_CBC_128-HMAC_SHA1_96+HMAC_SHA2_256_128\n000 \"roadwarriors\"[12]:   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=\n000  \n000 Total IPsec connections: loaded 2, active 1\n000  \n000 State Information: DDoS cookies not required, Accepting new IKE connections\n000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)\n000 IPsec SAs: total(1), authenticated(1), anonymous(0)\n000  \n000 #11: \"roadwarriors\"[12] 192.168.58.1:35535 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 27977s; newest ISAKMP; idle;\n000 #12: \"roadwarriors\"[12] 192.168.58.1:35535 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 27978s; newest IPSEC; eroute owner; isakmp#11; idle;\n000 #12: \"roadwarriors\"[12] 192.168.58.1 esp.f418dbb8@192.168.58.1 esp.882f7889@192.168.58.43 tun.0@192.168.58.1 tun.0@192.168.58.43 Traffic: ESPin=410B ESPout=0B! ESPmax=0B \n000  \n000 Bare Shunt list:\n000\n<\/code><\/pre>\n\n\n\n
    Copy VPN Client Certificates to your Mobile Clients<\/h3>\n\n\n\n
    You can now copy the client certificates to your remote clients <\/strong>and connect to the VPN server.<\/p>\n\n\n\n
    See how to configure Libreswan IPSec VPN clients by following the link below;<\/p>\n\n\n\n
    Install and Configure Libreswan VPN Client on Ubuntu\/Debian<\/a><\/p>\n\n\n\n
    That brings us to the end of our tutorial.<\/p>\n\n\n\n
    Further Reading\/Reference<\/h3>\n\n\n\n
    Libreswan Configuration Examples<\/a><\/p>\n\n\n\n
    Related Tutorials<\/h3>\n\n\n\n
    Setup IPSec Site-to-Site VPN Tunnel on pfSense<\/a><\/p>\n\n\n\n
    Configure OpenVPN Clients to use specific DNS Server<\/a><\/p>\n\n\n\n
    Install WireGuard VPN Client on Rocky Linux\/Ubuntu\/Debian<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Welcome to our today’s guide on how to setup IPSec VPN server with Libreswan on Rocky Linux. Libreswan is a free implementation of IKE\/IPsec for<\/p>\n","protected":false},"author":1,"featured_media":12280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,321],"tags":[4902,4906,1287,1716,4905,4907,4904,4903],"class_list":["post-12286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-vpn","tag-install-libreswan-on-rocky-linux","tag-ipsec-roadwarrior","tag-ipsec-vpn","tag-libreswan","tag-libreswan-ipsec-vpn","tag-libreswan-roadwarrior","tag-rocky-linux-libreswan","tag-setup-ipsec-vpn-with-libreswan-on-rocky-linux","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12286"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12286"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12286\/revisions"}],"predecessor-version":[{"id":20464,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12286\/revisions\/20464"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12280"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}