{"id":12291,"date":"2022-04-15T11:04:56","date_gmt":"2022-04-15T08:04:56","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12291"},"modified":"2022-04-15T11:05:00","modified_gmt":"2022-04-15T08:05:00","slug":"install-and-configure-libreswan-vpn-client-on-ubuntu-debian","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-libreswan-vpn-client-on-ubuntu-debian\/","title":{"rendered":"Install and Configure Libreswan VPN Client on Ubuntu\/Debian"},"content":{"rendered":"\n

In this tutorial, you will learn how to install and configure the Libreswan IPsec VPN client on Ubuntu\/Debian systems. We are using Ubuntu 20.04 and Debian 11 as our Libreswan IPsec road-warrior VPN clients. Road warriors are travelling users with mobile clients, such as laptops, that connect from a dynamically assigned IP<\/code> address; in this setup they are authenticated with X.509 certificates rather than a shared secret.<\/em><\/p>\n\n\n\n

In order to setup Libreswan IPSec VPN to allow roadwarriors to connect to VPN, follow our guide on the link provided below;<\/p>\n\n\n\n

Setup IPSec VPN server with Libreswan on Rocky Linux<\/a><\/p>\n\n\n\n

Install and Configure Libreswan VPN Client on Ubuntu\/Debian Systems<\/h2>\n\n\n\n

In the guide above, we have generated certificates for two hosts, janedoe.kifarunix-demo.com<\/code> and johndoe.kifarunix-demo.com<\/code>.<\/p>\n\n\n\n

We will use one of these certificates on the Ubuntu 20.04 client and the other on the Debian 11 client.<\/p>\n\n\n\n

Install Libreswan on Ubuntu\/Debian systems<\/h3>\n\n\n\n

On your Ubuntu\/Debian systems, install the libreswan package.<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n
apt install libreswan<\/code><\/pre>\n\n\n\n

Configuring Libreswan Client on Ubuntu\/Debian<\/h3>\n\n\n\n

Create Libreswan Client VPN connection configuration file<\/p>\n\n\n\n

vim \/etc\/ipsec.d\/johndoe.conf<\/code><\/pre>\n\n\n\n

Enter the content below. The directives that matter: left=%defaultroute<\/code> takes the local address from the default route; leftcert<\/code> is the nickname of the client certificate in the NSS database and leftid=%fromcert<\/code> derives the IKE identity from that certificate; leftmodecfgclient=yes<\/code> asks the server for a VPN address and narrowing=yes<\/code> allows the server to narrow the 0.0.0.0\/0<\/code> selectors to the address it assigns; rightid<\/code> pins the identity the server must present and rightrsasigkey=%cert<\/code> takes the server's public key from the certificate it presents, which is validated against the imported CA; ikev2=insist<\/code> refuses any IKEv1 fallback; fragmentation=yes<\/code> lets IKE fragment the large certificate payloads; auto=start<\/code> brings the tunnel up when the service starts. The connection is named vpn.kifarunix-demo.com<\/code>, and the ipsec auto<\/code> commands later refer to it by that name.<\/p>\n\n\n\n

conn vpn.kifarunix-demo.com\n\tleft=%defaultroute\n\tleftcert=johndoe.kifarunix-demo.com\n\tleftid=%fromcert\n\tleftrsasigkey=%cert\n\tleftsubnet=0.0.0.0\/0 \n\tleftmodecfgclient=yes\n\tright=vpn.kifarunix-demo.com\n\trightsubnet=0.0.0.0\/0 \n\trightid=@vpn.kifarunix-demo.com\n\trightrsasigkey=%cert\n\tnarrowing=yes\n\tikev2=insist\n\trekey=yes\n\tfragmentation=yes\n\tmobike=no\n\tauto=start\n<\/code><\/pre>\n\n\n\n

If you are using hostnames, ensure that they are resolvable.<\/strong><\/p>\n\n\n\n

Similarly, on your second client host;<\/p>\n\n\n\n

vim \/etc\/ipsec.d\/janedoe.conf<\/code><\/pre>\n\n\n\n
conn vpn.kifarunix-demo.com\n\tleft=%defaultroute\n\tleftcert=janedoe.kifarunix-demo.com\n\tleftid=%fromcert\n\tleftrsasigkey=%cert\n\tleftsubnet=0.0.0.0\/0 \n\tleftmodecfgclient=yes\n\tright=vpn.kifarunix-demo.com\n\trightsubnet=0.0.0.0\/0 \n\trightid=@vpn.kifarunix-demo.com\n\trightrsasigkey=%cert\n\tnarrowing=yes\n\tikev2=insist\n\trekey=yes\n\tfragmentation=yes\n\tmobike=no\n\tauto=start\n<\/code><\/pre>\n\n\n\n
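As an added example (not part of this guide or of Libreswan), the Python below parses conn stanzas like the two above and lints a road-warrior client connection for the properties that matter: IKEv2 only, certificate authentication with the IKE ID taken from the certificate, a pinned server identity, and the modecfg and narrowing settings that the address assignment depends on. The good stanza is a copy of the johndoe configuration; the weak stanza, its conn name and its settings are constructed for contrast.

```python
"""Parse libreswan conn stanzas and lint a road-warrior client connection.

Added example for this guide; not part of Libreswan. The checks mirror the
directives used in the client configuration in this guide.
"""
import re
from typing import Dict, List

# Constructed copy of the johndoe stanza from this guide. Trailing whitespace
# after the subnets, as in the guide's file, is stripped by the parser.
GOOD_CONF = """\
conn vpn.kifarunix-demo.com
\tleft=%defaultroute
\tleftcert=johndoe.kifarunix-demo.com
\tleftid=%fromcert
\tleftrsasigkey=%cert
\tleftsubnet=0.0.0.0/0 
\tleftmodecfgclient=yes
\tright=vpn.kifarunix-demo.com
\trightsubnet=0.0.0.0/0 
\trightid=@vpn.kifarunix-demo.com
\trightrsasigkey=%cert
\tnarrowing=yes
\tikev2=insist
\trekey=yes
\tfragmentation=yes
\tmobike=no
\tauto=start
"""

# Constructed weakened stanza (hypothetical): IKEv1 permitted, PSK auth,
# no client certificate and no pinned server identity.
WEAK_CONF = """\
# a comment line
conn weak
    left=%defaultroute
    leftid=%fromcert
    right=vpn.kifarunix-demo.com
    ikev2=permit
    authby=secret
    auto=start
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn name: {key: value}} for every conn stanza in the text.

    Tabs or spaces may indent the keys, comment lines start with '#', and
    surrounding whitespace is dropped from keys and values.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # 'config setup' and other sections are ignored here
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def lint_client_conn(opts: Dict[str, str]) -> List[str]:
    """Return findings for a road-warrior client stanza; empty means it passes."""
    findings: List[str] = []
    if opts.get("ikev2") != "insist":
        findings.append("ikev2 is not 'insist': IKEv1 could still be negotiated")
    if "leftcert" not in opts:
        findings.append("leftcert missing: the client has no certificate to authenticate with")
    if opts.get("leftid") != "%fromcert":
        findings.append("leftid should be %fromcert so the IKE ID comes from the certificate")
    rightid = opts.get("rightid", "")
    if not rightid or rightid == "%any":
        findings.append("rightid missing or %any: the server identity is not pinned")
    authby = opts.get("authby", "")
    if "secret" in authby or "null" in authby:
        findings.append(f"authby={authby}: shared-secret or NULL authentication, not certificates")
    if opts.get("leftmodecfgclient") != "yes":
        findings.append("leftmodecfgclient=yes missing: the client will not request an address")
    if opts.get("narrowing") != "yes":
        findings.append("narrowing=yes missing: the server cannot narrow the 0.0.0.0/0 selectors")
    return findings


if __name__ == "__main__":
    for name, opts in {**parse_conns(GOOD_CONF), **parse_conns(WEAK_CONF)}.items():
        print(name, lint_client_conn(opts) or "OK")
```

Run it against a real file with `parse_conns(open("/etc/ipsec.d/johndoe.conf").read())`; the stanza from this guide produces no findings, the weakened one produces six.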

Check the configuration syntax. The packaged \/etc\/ipsec.conf<\/code> includes \/etc\/ipsec.d\/*.conf<\/code>, which is how the file above gets picked up; if you have replaced that file, make sure the include line is still present, otherwise the connection is never loaded;<\/p>\n\n\n\n

On Ubuntu<\/p>\n\n\n\n

\/usr\/lib\/ipsec\/addconn --config \/etc\/ipsec.conf --checkconfig<\/code><\/pre>\n\n\n\n

On Debian;<\/p>\n\n\n\n

\/usr\/libexec\/ipsec\/addconn --config \/etc\/ipsec.conf --checkconfig<\/code><\/pre>\n\n\n\n

Similarly, run the command below to verify the configuration;<\/p>\n\n\n\n

ipsec verify<\/code><\/pre>\n\n\n\n

Sample output;<\/p>\n\n\n\n

\nVerifying installed system and configuration files\n\nVersion check and ipsec on-path                   \t[OK]\nLibreswan 4.3 (netkey) on 5.10.0-8-amd64\nChecking for IPsec support in kernel              \t[OK]\n NETKEY: Testing XFRM related proc values\n         ICMP default\/send_redirects              \t[NOT DISABLED]\n\n  Disable \/proc\/sys\/net\/ipv4\/conf\/*\/send_redirects or XFRM\/NETKEY will act on or cause sending of bogus ICMP redirects!\n\n         ICMP default\/accept_redirects            \t[NOT DISABLED]\n\n  Disable \/proc\/sys\/net\/ipv4\/conf\/*\/accept_redirects or XFRM\/NETKEY will act on or cause sending of bogus ICMP redirects!\n\n         XFRM larval drop                         \t[OK]\nPluto ipsec.conf syntax                           \t[OK]\nChecking rp_filter                                \t[OK]\nChecking that pluto is running                    \t[FAILED]\nChecking 'ip' command                             \t[OK]\nChecking 'iptables' command                       \t[OK]\nChecking 'prelink' command does not interfere with FIPS\t[OK]\nChecking for obsolete ipsec.conf options          \t[OK]\n\nipsec verify: encountered 4 errors - see 'man ipsec_verify' for help\n<\/code><\/pre>\n\n\n\n

From the command output, we need to stop the host from both sending and accepting ICMP redirects, otherwise XFRM may act on bogus redirects or emit them for tunnelled traffic. ipsec verify<\/code> only inspects the default<\/code> keys, which apply to interfaces created later; set the all<\/code> keys as well so that existing interfaces are covered (for send_redirects<\/code> the kernel enables sending when either the all<\/code> or the per-interface value is 1, so check the per-interface keys under \/proc\/sys\/net\/ipv4\/conf\/<\/code> too);<\/p>\n\n\n\n

echo \"net.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\" >> \/etc\/sysctl.conf<\/code><\/pre>\n\n\n\n
sysctl -p<\/code><\/pre>\n\n\n\n

Rerun the verification command and check the output;<\/p>\n\n\n\n

ipsec verify<\/code><\/pre>\n\n\n\n
\nVerifying installed system and configuration files\n\nVersion check and ipsec on-path                   \t[OK]\nLibreswan 4.3 (netkey) on 5.10.0-8-amd64\nChecking for IPsec support in kernel              \t[OK]\n NETKEY: Testing XFRM related proc values\n         ICMP default\/send_redirects              \t[OK]\n         ICMP default\/accept_redirects            \t[OK]\n         XFRM larval drop                         \t[OK]\nPluto ipsec.conf syntax                           \t[OK]\nChecking rp_filter                                \t[OK]\nChecking that pluto is running                    \t[FAILED]\nChecking 'ip' command                             \t[OK]\nChecking 'iptables' command                       \t[OK]\nChecking 'prelink' command does not interfere with FIPS\t[OK]\nChecking for obsolete ipsec.conf options          \t[OK]\n\nipsec verify: encountered 2 errors - see 'man ipsec_verify' for help\n<\/code><\/pre>\n\n\n\n

Pluto is reported as not running because we have not started the ipsec service yet; that is expected at this stage.<\/p>\n\n\n\n

Initialize NSS database;<\/p>\n\n\n\n

sudo ipsec checknss<\/code><\/pre>\n\n\n\n

Copy each client's PKCS#12 bundle (it holds the client certificate, its private key and the CA certificate) to its host over a secure channel such as scp, then import it into the NSS database;<\/p>\n\n\n\n

sudo ipsec import janedoe.kifarunix-demo.com.p12<\/code><\/pre>\n\n\n\n

Do the same on the other client host with its own bundle, johndoe.kifarunix-demo.com.p12<\/code>. When prompted, press ENTER if the PKCS#12 file was exported without a password, otherwise enter the export password. Since the bundle contains the client's private key, delete it from the host (or restrict it to root) once the import succeeds; the key now lives in the NSS database.<\/p>\n\n\n\n

Enter password for PKCS12 file: ENTER<\/strong>\npk12util: PKCS12 IMPORT SUCCESSFUL\ncorrecting trust bits for Kifarunix-demo CA<\/code><\/pre>\n\n\n\n

You can list available certificates on the client host;<\/p>\n\n\n\n

sudo certutil -L -d sql:\/var\/lib\/ipsec\/nss<\/code><\/pre>\n\n\n\n

Sample command output;<\/p>\n\n\n\n

\n\nCertificate Nickname                                         Trust Attributes\n                                                             SSL,S\/MIME,JAR\/XPI\n\njohndoe.kifarunix-demo.com                                   u,u,u\nKifarunix-demo CA                                            CT,, \n<\/code><\/pre>\n\n\n\n

Start the ipsec service and enable it to run on system boot;<\/p>\n\n\n\n

sudo systemctl enable --now ipsec<\/code><\/pre>\n\n\n\n

Check the status;<\/p>\n\n\n\n

systemctl status ipsec<\/code><\/pre>\n\n\n\n
\n\u25cf ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n     Loaded: loaded (\/lib\/systemd\/system\/ipsec.service; disabled; vendor preset: disabled)\n     Active: active (running) since Fri 2022-04-15 06:07:16 UTC; 24s ago\n       Docs: man:ipsec(8)\n             man:pluto(8)\n             man:ipsec.conf(5)\n    Process: 2952 ExecStartPre=\/usr\/lib\/ipsec\/addconn --config \/etc\/ipsec.conf --checkconfig (code=exited, status=0\/SUCCESS)\n    Process: 2953 ExecStartPre=\/usr\/lib\/ipsec\/_stackmanager start (code=exited, status=0\/SUCCESS)\n    Process: 3441 ExecStartPre=\/usr\/sbin\/ipsec --checknss (code=exited, status=0\/SUCCESS)\n    Process: 3442 ExecStartPre=\/usr\/sbin\/ipsec --checknflog (code=exited, status=0\/SUCCESS)\n   Main PID: 3456 (pluto)\n     Status: \"Startup completed.\"\n      Tasks: 3 (limit: 2282)\n     Memory: 6.5M\n     CGroup: \/system.slice\/ipsec.service\n             \u2514\u25003456 \/usr\/lib\/ipsec\/pluto --leak-detective --config \/etc\/ipsec.conf --nofork\n\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: loading root certificate cache\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: Authenticated using RSA\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: received INTERNAL_IP4_ADDRESS 10.0.8.10\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 8.8.8.8\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 10.0.8.1\nApr 15 06:07:16 ubuntu20 pluto[3456]: 
\"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: up-client output: updating resolvconf\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-655>\nApr 15 06:07:16 ubuntu20 pluto[3456]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP\/NAT=>0x7458cc33 <0x84f3773d xfr>\n<\/code><\/pre>\n\n\n\n

From the status output, you can see that pluto loaded and initiated the connection at startup (auto=start<\/code>), verified the server certificate against the imported CA, and received the VPN-assigned address, INTERNAL_IP4_ADDRESS 10.0.8.10<\/strong>.<\/p>\n\n\n\n

Check the status on the other remote host as well;<\/p>\n\n\n\n

systemctl status ipsec<\/code><\/pre>\n\n\n\n
\n\u25cf ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\n     Loaded: loaded (\/lib\/systemd\/system\/ipsec.service; disabled; vendor preset: disabled)\n     Active: active (running) since Fri 2022-04-15 10:28:01 EAT; 46s ago\n       Docs: man:ipsec(8)\n             man:pluto(8)\n             man:ipsec.conf(5)\n    Process: 2767 ExecStartPre=\/usr\/libexec\/ipsec\/addconn --config \/etc\/ipsec.conf --checkconfig (code=exited, status=0\/SUCCESS)\n    Process: 2768 ExecStartPre=\/usr\/libexec\/ipsec\/_stackmanager start (code=exited, status=0\/SUCCESS)\n    Process: 3005 ExecStartPre=\/usr\/sbin\/ipsec --checknss (code=exited, status=0\/SUCCESS)\n    Process: 3006 ExecStartPre=\/usr\/sbin\/ipsec --checknflog (code=exited, status=0\/SUCCESS)\n   Main PID: 3017 (pluto)\n     Status: \"Startup completed.\"\n      Tasks: 3 (limit: 4679)\n     Memory: 3.6M\n        CPU: 436ms\n     CGroup: \/system.slice\/ipsec.service\n             \u2514\u25003017 \/usr\/libexec\/ipsec\/pluto --leak-detective --config \/etc\/ipsec.conf --nofork\n\nApr 15 10:28:01 debian11 pluto[3017]: loading root certificate cache\nApr 15 10:28:01 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #1: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com\nApr 15 10:28:01 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'\nApr 15 10:28:01 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #1: authenticated using RSA with SHA1\nApr 15 10:28:01 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: received INTERNAL_IP4_ADDRESS 10.0.8.11\nApr 15 10:28:01 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 8.8.8.8\nApr 15 10:28:01 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 10.0.8.1\nApr 15 10:28:02 debian11 pluto[3017]: 
\"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: up-client output: updating resolvconf\nApr 15 10:28:02 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: negotiated connection [10.0.8.11-10.0.8.11:0-65535 0] -> [0.0.0.0-255.255.255.255:0-655>\nApr 15 10:28:02 debian11 pluto[3017]: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #2: IPsec SA established tunnel mode {ESPinUDP=>0x6281339e <0xfe11f33f xfrm=AES_GCM_16_256->\n<\/code><\/pre>\n\n\n\n

You can also use the command below to check the status;<\/p>\n\n\n\n

ipsec status<\/code><\/pre>\n\n\n\n
\n000 using kernel interface: netkey\n000 interface lo\/lo ::1@500\n000 interface lo\/lo 127.0.0.1@4500\n000 interface lo\/lo 127.0.0.1@500\n000 interface enp0s3\/enp0s3 10.0.2.15@4500\n000 interface enp0s3\/enp0s3 10.0.2.15@500\n000 interface enp0s8\/enp0s8 192.168.56.104@4500\n000 interface enp0s8\/enp0s8 192.168.56.104@500\n000 interface enp0s8\/enp0s8 192.168.56.120@4500\n000 interface enp0s8\/enp0s8 192.168.56.120@500\n000 interface enp0s9\/enp0s9 192.168.57.6@4500\n000 interface enp0s9\/enp0s9 192.168.57.6@500\n000 interface enp0s9\/enp0s9 192.168.57.7@4500\n000 interface enp0s9\/enp0s9 192.168.57.7@500\n000  \n000  \n000 fips mode=disabled;\n000 SElinux=disabled\n000 seccomp=unsupported\n000  \n000 config setup options:\n000  \n000 configdir=\/etc, configfile=\/etc\/ipsec.conf, secrets=\/etc\/ipsec.secrets, ipsecdir=\/etc\/ipsec.d\n000 nssdir=\/var\/lib\/ipsec\/nss, dumpdir=\/run\/pluto, statsbin=unset\n000 dnssec-rootkey-file=\/usr\/share\/dns\/root.key, dnssec-trusted=\n000 sbindir=\/usr\/sbin, libexecdir=\/usr\/lib\/ipsec\n000 pluto_version=3.29, pluto_vendorid=OE-Libreswan-3.29\n000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s\n000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto\n000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=, nflog-all=0\n000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=\n000 ocsp-trust-name=\n000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get\n000 global-redirect=no, global-redirect-to=\n000 secctx-attr-type=32001\n000 debug:\n000  \n000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500\n000 virtual-private (%priv):\n000 - allowed subnets: 10.0.0.0\/8, 192.168.0.0\/16, 172.16.0.0\/12, 25.0.0.0\/8, 100.64.0.0\/10, fd00::\/8, fe80::\/10\n000  \n000 Kernel algorithms supported:\n000  \n000 algorithm ESP encrypt: name=3DES_CBC, 
keysizemin=192, keysizemax=192\n000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256\n000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0\n000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256\n000 algorithm AH\/ESP auth: name=AES_CMAC_96, key-length=128\n000 algorithm AH\/ESP auth: name=AES_XCBC_96, key-length=128\n000 algorithm AH\/ESP auth: name=HMAC_MD5_96, key-length=128\n000 algorithm AH\/ESP auth: name=HMAC_SHA1_96, key-length=160\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_256_128, key-length=256\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_384_192, key-length=384\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_512_256, key-length=512\n000 algorithm AH\/ESP auth: name=NONE, key-length=0\n000  \n000 IKE algorithms supported:\n000  \n000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192\n000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, 
v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256\n000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16\n000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20\n000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32\n000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48\n000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64\n000 algorithm IKE PRF: name=AES_XCBC, hashlen=16\n000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024\n000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536\n000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048\n000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072\n000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096\n000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144\n000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192\n000 algorithm IKE DH Key Exchange: name=DH19, bits=512\n000 algorithm IKE DH Key Exchange: name=DH20, bits=768\n000 algorithm IKE DH Key Exchange: name=DH21, bits=1056\n000 algorithm IKE DH Key Exchange: name=DH31, bits=256\n000  \n000 stats db_ops: {curr_cnt, 
total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} \n000  \n000 Connection list:\n000  \n000 \"vpn.kifarunix-demo.com\": 0.0.0.0\/0===10.0.2.15[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]---10.0.2.2...192.168.58.43[@vpn.kifarunix-demo.com]===0.0.0.0\/0; unrouted; eroute owner: #0\n000 \"vpn.kifarunix-demo.com\":     oriented; my_ip=unset; their_ip=unset; mycert=janedoe.kifarunix-demo.com; my_updown=ipsec _updown;\n000 \"vpn.kifarunix-demo.com\":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]\n000 \"vpn.kifarunix-demo.com\":   our auth:rsasig, their auth:rsasig\n000 \"vpn.kifarunix-demo.com\":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;\n000 \"vpn.kifarunix-demo.com\":   labeled_ipsec:no;\n000 \"vpn.kifarunix-demo.com\":   policy_label:unset;\n000 \"vpn.kifarunix-demo.com\":   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'%any'\n000 \"vpn.kifarunix-demo.com\":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;\n000 \"vpn.kifarunix-demo.com\":   retransmit-interval: 500ms; retransmit-timeout: 60s;\n000 \"vpn.kifarunix-demo.com\":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;\n000 \"vpn.kifarunix-demo.com\":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;\n000 \"vpn.kifarunix-demo.com\":   conn_prio: 0,0; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;\n000 \"vpn.kifarunix-demo.com\":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;\n000 \"vpn.kifarunix-demo.com\":   our idtype: ID_DER_ASN1_DN; our id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_FQDN; their id=@vpn.kifarunix-demo.com\n000 \"vpn.kifarunix-demo.com\":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; 
nat_keepalive:yes; ikev1_natt:both\n000 \"vpn.kifarunix-demo.com\":   newest ISAKMP SA: #0; newest IPsec SA: #0;\n000 \"vpn.kifarunix-demo.com\"[1]: 10.0.8.10\/32===10.0.2.15[CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo,+MC+S=C]---10.0.2.2...192.168.58.43[@vpn.kifarunix-demo.com]===0.0.0.0\/0; erouted; eroute owner: #2\n000 \"vpn.kifarunix-demo.com\"[1]:     oriented; my_ip=10.0.8.10; their_ip=unset; mycert=janedoe.kifarunix-demo.com; my_updown=ipsec _updown;\n000 \"vpn.kifarunix-demo.com\"[1]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]\n000 \"vpn.kifarunix-demo.com\"[1]:   our auth:rsasig, their auth:rsasig\n000 \"vpn.kifarunix-demo.com\"[1]:   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;\n000 \"vpn.kifarunix-demo.com\"[1]:   labeled_ipsec:no;\n000 \"vpn.kifarunix-demo.com\"[1]:   policy_label:unset;\n000 \"vpn.kifarunix-demo.com\"[1]:   CAs: 'CN=Kifarunix-demo CA, O=Kifarunix-demo'...'%any'\n000 \"vpn.kifarunix-demo.com\"[1]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;\n000 \"vpn.kifarunix-demo.com\"[1]:   retransmit-interval: 500ms; retransmit-timeout: 60s;\n000 \"vpn.kifarunix-demo.com\"[1]:   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;\n000 \"vpn.kifarunix-demo.com\"[1]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;\n000 \"vpn.kifarunix-demo.com\"[1]:   conn_prio: 0,0; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;\n000 \"vpn.kifarunix-demo.com\"[1]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;\n000 \"vpn.kifarunix-demo.com\"[1]:   our idtype: ID_DER_ASN1_DN; our id=CN=janedoe.kifarunix-demo.com, O=Kifarunix-demo; their idtype: ID_FQDN; their id=@vpn.kifarunix-demo.com\n000 \"vpn.kifarunix-demo.com\"[1]:   dpd: 
action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both\n000 \"vpn.kifarunix-demo.com\"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2;\n000 \"vpn.kifarunix-demo.com\"[1]:   IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-DH19\n000 \"vpn.kifarunix-demo.com\"[1]:   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=\n000  \n000 Total IPsec connections: loaded 2, active 1<\/strong>\n000  \n000 State Information: DDoS cookies not required, Accepting new IKE connections\n000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)\n000 IPsec SAs: total(1), authenticated(1), anonymous(0)\n000  \n000 #1: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43:4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2590s; newest ISAKMP; idle;\n000 #2: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43:4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 28031s; newest IPSEC; eroute owner; isakmp#1; idle;\n000 #2: \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 esp.7458cc33@192.168.58.43 esp.84f3773d@10.0.2.15 tun.0@192.168.58.43 tun.0@10.0.2.15 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B \n000  \n000 Bare Shunt list:\n000  \n<\/code><\/pre>\n\n\n\n

On my other client host, the assigned address is INTERNAL_IP4_ADDRESS 10.0.8.11<\/strong>. Note that the Debian client (Libreswan 4.3) logged authenticated using RSA with SHA1<\/code>: the peers used the classic RSA signature over SHA-1 rather than the RFC 7427 digital-signature method with SHA-2, which Libreswan also supports. To refuse the SHA-1 variant, set authby=rsa-sha2<\/code> in the conn on both the server and the clients (see ipsec.conf(5)<\/code>). The Ubuntu client (Libreswan 3.29) logs only Authenticated using RSA<\/code>, so the hash it used is not visible from that line.<\/p>\n\n\n\n

With auto=start<\/code>, pluto already loaded and initiated the connection when the service started, as the status output shows. To reload the connection manually (for example after editing its configuration file), run;<\/p>\n\n\n\n

sudo ipsec auto --add vpn.kifarunix-demo.com<\/code><\/pre>\n\n\n\n

Then establish the tunnel by bringing the connection up on each host (ipsec auto --down vpn.kifarunix-demo.com<\/code> tears it down again);<\/p>\n\n\n\n

sudo ipsec auto --up vpn.kifarunix-demo.com<\/code><\/pre>\n\n\n\n

Sample connection output;<\/p>\n\n\n\n

\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #3: initiating v2 parent SA\n133 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #3: initiate\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43: constructed local IKE proposals for vpn.kifarunix-demo.com (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 (default)\n133 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #3: STATE_PARENT_I1: sent v2I1, expected v2R1\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #3: Received unauthenticated INVALID_KE_PAYLOAD response to DH MODP2048; resending with suggested DH DH19\n133 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #3: STATE_PARENT_I1: sent v2I1, expected v2R1\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43: constructed local ESP\/AH proposals for vpn.kifarunix-demo.com (IKE SA initiator emitting ESP\/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)\n134 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n\/a prf=HMAC_SHA2_512 group=DH19}\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: certificate verified OK: 
O=Kifarunix-demo,CN=vpn.kifarunix-demo.com\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'\n003 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: Authenticated using RSA\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: received INTERNAL_IP4_ADDRESS 10.0.8.10\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 8.8.8.8\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 10.0.8.1\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: up-client output: updating resolvconf\n002 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0]\n004 \"vpn.kifarunix-demo.com\"[1] 192.168.58.43 #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP\/NAT=>0x882f7889 <0xf418dbb8 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=192.168.58.43:4500 DPD=passive}\n<\/code><\/pre>\n\n\n\n
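As an added example (not part of this guide or of Libreswan), the Python below extracts the security-relevant facts from pluto log lines like the ones above: the IKE SA parameters, whether the server certificate CN is the one expected, the authentication method and hash, the assigned address and DNS servers, and the ESP transform of the established SA. The sample lines are constructed from the Ubuntu (Libreswan 3.29) and Debian (Libreswan 4.3) output shown in this guide; the expected CN is supplied by the caller. The Ubuntu line names no hash, so it is reported as unknown; only an explicitly logged SHA1, as in the Debian output, is flagged.

```python
"""Summarise an IKEv2 road-warrior negotiation from pluto log lines.

Added example for this guide; not part of Libreswan. The sample lines are
constructed from the output this guide shows for the Ubuntu (Libreswan 3.29)
and Debian (Libreswan 4.3) clients.
"""
import re
from typing import Dict, List

UBUNTU_LOG = """\
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.com, O=Kifarunix-demo'
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: Authenticated using RSA
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_ADDRESS 10.0.8.10
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 8.8.8.8
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: received INTERNAL_IP4_DNS 10.0.8.1
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x882f7889 <0xf418dbb8 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=192.168.58.43:4500 DPD=passive}
"""

DEBIAN_LOG = """\
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo.com
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #1: authenticated using RSA with SHA1
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_ADDRESS 10.0.8.11
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: received INTERNAL_IP4_DNS 8.8.8.8
"vpn.kifarunix-demo.com"[1] 192.168.58.43 #2: IPsec SA established tunnel mode {ESPinUDP=>0x6281339e <0xfe11f33f xfrm=AES_GCM_16_256-NONE DPD=passive}
"""

IKE_RE = re.compile(r"cipher=(\S+) integ=(\S+) prf=(\S+) group=(\S+)\}")
CERT_RE = re.compile(r"certificate verified OK: .*?CN=([^,\s]+)")
AUTH_RE = re.compile(r"uthenticated using (\w+)(?: with (\w+))?")
ADDR_RE = re.compile(r"received INTERNAL_IP4_ADDRESS (\S+)")
DNS_RE = re.compile(r"received INTERNAL_IP4_DNS (\S+)")
ESP_RE = re.compile(r"IPsec SA established (\w+) mode \{(\S+?)=>.*?xfrm=([^\s}]+)")


def summarize(log: str, expected_cn: str) -> Dict[str, object]:
    """Extract who we talked to, how it authenticated, what was assigned and
    which ESP transform protects the traffic."""
    s: Dict[str, object] = {
        "ike": None, "peer_cn": None, "peer_verified": False,
        "auth": None, "auth_hash": None, "weak_auth": False,
        "address": None, "dns": [], "mode": None, "nat_t": False,
        "esp": None, "established": False,
    }
    for line in log.splitlines():
        if m := IKE_RE.search(line):
            s["ike"] = {"cipher": m[1], "integ": m[2], "prf": m[3], "group": m[4]}
        elif m := CERT_RE.search(line):
            s["peer_cn"] = m[1]
            s["peer_verified"] = m[1] == expected_cn
        elif m := AUTH_RE.search(line):
            s["auth"], s["auth_hash"] = m[1], m[2]
            # Libreswan 3.x logs no hash; 4.x names it. Only an explicit SHA1 is flagged.
            s["weak_auth"] = bool(m[2]) and m[2].upper().startswith("SHA1")
        elif m := ADDR_RE.search(line):
            s["address"] = m[1]
        elif m := DNS_RE.search(line):
            s["dns"].append(m[1])
        elif m := ESP_RE.search(line):
            s["mode"], s["esp"], s["established"] = m[1], m[3], True
            s["nat_t"] = m[2] in ("ESP/NAT", "ESPinUDP")  # UDP 4500 encapsulation in use
    return s


def problems(s: Dict[str, object]) -> List[str]:
    """Things an operator should fix before trusting this tunnel."""
    out: List[str] = []
    if not s["established"]:
        out.append("no IPsec SA established")
    if not s["peer_verified"]:
        out.append(f"server certificate CN {s['peer_cn']!r} is not the expected one")
    if s["weak_auth"]:
        out.append("peer authenticated with RSA/SHA1; set authby=rsa-sha2 on both ends")
    if s["address"] is None:
        out.append("no INTERNAL_IP4_ADDRESS received from the server")
    return out


if __name__ == "__main__":
    for name, log in (("ubuntu", UBUNTU_LOG), ("debian", DEBIAN_LOG)):
        summary = summarize(log, "vpn.kifarunix-demo.com")
        print(name, summary["address"], summary["esp"], problems(summary) or "OK")
```

On a live host, feed it `journalctl -u ipsec --no-pager` output; the Debian sample is the one that produces a finding.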

From each host, ping the VPN-assigned address of the other client.<\/p>\n\n\n\n

ping 10.0.8.11 -c 4<\/code><\/pre>\n\n\n\n
PING 10.0.8.11 (10.0.8.11) 56(84) bytes of data.\n64 bytes from 10.0.8.11: icmp_seq=1 ttl=63 time=2.82 ms\n64 bytes from 10.0.8.11: icmp_seq=2 ttl=63 time=2.84 ms\n64 bytes from 10.0.8.11: icmp_seq=3 ttl=63 time=3.06 ms\n64 bytes from 10.0.8.11: icmp_seq=4 ttl=63 time=2.83 ms\n\n--- 10.0.8.11 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3010ms\nrtt min\/avg\/max\/mdev = 2.820\/2.888\/3.060\/0.099 ms\n<\/code><\/pre>\n\n\n\n

On the other host;<\/p>\n\n\n\n

ping 10.0.8.10 -c 4<\/code><\/pre>\n\n\n\n
PING 10.0.8.10 (10.0.8.10) 56(84) bytes of data.\n64 bytes from 10.0.8.10: icmp_seq=1 ttl=63 time=1.63 ms\n64 bytes from 10.0.8.10: icmp_seq=2 ttl=63 time=2.38 ms\n64 bytes from 10.0.8.10: icmp_seq=3 ttl=63 time=3.18 ms\n64 bytes from 10.0.8.10: icmp_seq=4 ttl=63 time=2.86 ms\n\n--- 10.0.8.10 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3005ms\nrtt min\/avg\/max\/mdev = 1.631\/2.516\/3.187\/0.588 ms\n<\/code><\/pre>\n\n\n\n

The two remote hosts can now communicate through the IPsec VPN server. Both ends are road warriors, so the traffic is relayed by the server: it is protected on each client's tunnel to the server, but the server decrypts and re-encrypts it (the ttl=63<\/code> in the replies reflects that one forwarding hop), and it is the server's routing between clients that makes them reachable to each other. To confirm that the packets actually went through the tunnel rather than the underlying network, check the ESP byte counters with ipsec trafficstatus<\/code>.<\/p>\n\n\n\n

And that concludes our guide on how to install and configure Libreswan IPSec VPN client on Ubuntu\/Debian Systems.<\/p>\n\n\n\n

Read more on Libreswan Configuration Examples page<\/a>.<\/p>\n\n\n\n

Other Tutorials<\/h3>\n\n\n\n

Configure OpenVPN Clients to use specific DNS Server<\/a><\/p>\n\n\n\n

Install Pritunl VPN client on Debian\/Ubuntu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In this tutorial, you will learn how to install and configure Libreswan VPN client on Ubuntu\/Debian Systems. We are using Ubuntu 20.04 and Debian 11<\/p>\n","protected":false},"author":1,"featured_media":12295,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34,321],"tags":[4908,4906,1289,1716,4910,4909],"class_list":["post-12291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-security","category-vpn","tag-install-libreswan-vpn-client","tag-ipsec-roadwarrior","tag-ipsec-vpn-client","tag-libreswan","tag-libreswan-roadwarrior-client","tag-setup-libreswan-vpn-client","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12291"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12291"}],"version-history":[{"count":3,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12291\/revisions"}],"predecessor-version":[{"id":12296,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12291\/revisions\/12296"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12295"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\
/{rel}","templated":true}]}}