<h1>Setup IPSec VPN Server with Libreswan on CentOS 8</h1>

<p>Source: https://kifarunix.com/setup-ipsec-vpn-server-with-libreswan-on-centos-8/ (published 2020-06-21, modified 2024-03-14).</p>

<p>Welcome to today's guide on how to set up an IPsec VPN server with Libreswan on CentOS 8. Libreswan is a free implementation of IKE/IPsec for Linux. IPsec (Internet Protocol Security) uses strong cryptography to provide both authentication and encryption services and allows you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.</p>

<p>IKE manages the authentication between two communicating endpoints. It also enables the endpoints to negotiate the algorithms used to set up an IPsec tunnel.</p>

<p>In our previous guide, we covered how to install and configure an IPsec VPN using strongSwan on Ubuntu 18.04. See the link below;</p>

<p>Configure IPSEC VPN using StrongSwan on Ubuntu 18.04</p>

<h2>Setting up IPSec VPN Server with Libreswan</h2>

<p>There are different VPN server-client implementations of Libreswan. In this guide, we are going to learn how to set up an IPsec VPN server for mobile clients (clients with dynamically assigned IPs, such as laptops), herein known as <strong><code>road warriors</code></strong>, so that they can connect to the local LAN from anywhere. Mobile clients are authenticated using certificates and hence use the IKEv2 protocol.</p>

<p><strong>IKEv2</strong> (Internet Key Exchange version 2) is the key exchange protocol of an IPsec VPN and works through request and response exchanges. IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) or Authentication Header (AH), and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.</p>

<h3>Run system Update</h3>

<p>Update your system packages on the server to be used as the Libreswan VPN server.</p>

<pre><code>dnf update</code></pre>

<p>Once the update is done, install Libreswan.</p>

<h3>Install Libreswan on CentOS 8</h3>

<p>Libreswan is available in the CentOS 8 AppStream repos and hence you can simply install it using the package manager as follows;</p>

<pre><code>dnf install libreswan</code></pre>

<h3>Running Libreswan</h3>

<p>Once the installation is done, start the Libreswan <strong><code>ipsec</code></strong> service and enable it to run on system boot.</p>

<pre><code>systemctl enable --now ipsec</code></pre>

<h3>Initialize IPSec NSS Database</h3>

<p>Next, you need to initialize the Network Security Services (NSS) database. The NSS database is used to store authentication keys and identity certificates.</p>

<pre><code>ipsec initnss</code></pre>

<p>If there is any previous database, you can remove it so that you start with a new database. The NSS database is stored under <code>/etc/ipsec.d</code>. To remove any old databases, stop IPsec, if running, and remove the NSS databases by running the commands below;</p>

<pre><code>systemctl stop ipsec</code></pre>

<pre><code>rm -rf /etc/ipsec.d/*db</code></pre>

<p>You can then re-initialize the NSS database;</p>

<pre><code>ipsec initnss</code></pre>

<p>Then start IPsec;</p>

<pre><code>systemctl start ipsec</code></pre>

<h3>Open Libreswan Ports and Protocols on Firewall</h3>

<p>The <code>IKE</code> protocol uses <code>UDP port 500</code> and <code>4500</code>, while the IPsec protocols <code>Encapsulating Security Payload</code> (ESP) and <code>Authentication Header</code> (AH) use <code>IP protocol numbers 50 and 51</code> respectively. Hence, open these ports and protocols on the active firewall zone of your <strong>VPN (Left Endpoint) Server</strong> in this guide. Check the active zone first;</p>

<pre><code>firewall-cmd --get-active-zones</code></pre>

<p>To open the ports and protocols on the default firewalld zone;</p>

<pre><code>firewall-cmd --add-port={4500,500}/udp --permanent</code></pre>

<pre><code>firewall-cmd --add-protocol={50,51} --permanent</code></pre>

<p>Or you can simply use the IPsec service;</p>

<pre><code>firewall-cmd --add-service=ipsec --permanent</code></pre>

<p>Reload FirewallD;</p>

<pre><code>firewall-cmd --reload</code></pre>

<h3>Configure IPSec VPN Server with Libreswan</h3>

<p>Libreswan doesn't use the client-server model. It instead uses the terms <code>left</code> and <code>right</code> to refer to the endpoints involved in any given connection. The left/right terms can be used arbitrarily to refer to each system as long as you use them consistently while configuring your connections.</p>

<h3>Enable IP Forwarding</h3>

<p>On the <strong><code>VPN server</code></strong>, you need to enable IP forwarding.</p>

<p>Run the command below to check if IP forwarding is enabled;</p>

<pre><code>sysctl net.ipv4.ip_forward</code></pre>

<p>If the output is <code><strong>net.ipv4.ip_forward = 0</strong></code>, then IP forwarding is disabled and you need to enable it by executing either of the commands below.</p>

<p>IP forwarding can be enabled by simply enabling IP masquerading on firewalld.</p>

<pre><code>firewall-cmd --add-masquerade --permanent
firewall-cmd --reload</code></pre>

<p>You can then verify IP forwarding;</p>

<pre><code>cat /proc/sys/net/ipv4/ip_forward
1</code></pre>

<p>A value of 1 means IP forwarding is enabled.</p>

<p>Alternatively, you can enable IP forwarding by running the commands below;</p>

<pre><code>echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf</code></pre>

<p>Reload sysctl.conf with the new configuration.</p>

<pre><code>sysctl -p</code></pre>

<p>Also, ensure that redirects are disabled.</p>

<pre><code>less /etc/sysctl.d/50-libreswan.conf</code></pre>

<pre><code># We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0</code></pre>

<h3>Generate VPN Server and Client Certificates</h3>

<p>Next, you need to generate the VPN server and client certificates for use in authentication.</p>

<h4>Create Certificates Generation Database</h4>

<p>Run the commands below to create a database that is used to generate and store a private key and CA certificate for use in generating host certificates. We will be using the <strong><code>certutil</code></strong> command to generate the certificates.</p>

<pre><code>mkdir /etc/ipsec.d/certsdb</code></pre>

<pre><code>certutil -N -d sql:/etc/ipsec.d/certsdb</code></pre>

<p>The command prompts you to enter the password for encrypting your keys.</p>

<pre><code>Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: <strong>StRONgPassw0Rd</strong>
Re-enter password: <strong>StRONgPassw0Rd</strong></code></pre>

<h4>Generate CA Certificate</h4>

<p>We use self-signed certificates in this tutorial, and hence this is how we generate our local CA certificate.</p>

<pre><code>certutil -S -x -n "Kifarunix-demo CA" -s "O=Kifarunix-demo,CN=Kifarunix-demo CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t "CT,," -2</code></pre>

<p><strong>Refer to <code>man certutil</code> to learn about the options used.</strong></p>

<p>When the command runs, you will first be prompted for the key encryption password you set above. Enter the password to proceed.</p>

<p>Next, you are required to generate a random seed for use in creating your keys by typing any keys on the keyboard until the progress meter is full. Once it is full, press ENTER to continue.</p>

<pre><code>...
Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue: ENTER</code></pre>

<pre><code>Generating key. This may take a few moments...

Is this a CA certificate [y/N]?
<strong>y</strong>
Enter the path length constraint, enter to skip [&lt;0 for unlimited path]: > <strong>ENTER</strong>
Is this a critical extension [y/N]?
<strong>n</strong></code></pre>

<h4>Generate the VPN Server Certificate</h4>

<p>Next, generate the server certificate signed by the CA created above and assign extensions to it.</p>

<pre><code>certutil -S -c "Kifarunix-demo CA" -n "vpn.kifarunix-demo.com" -s "O=Kifarunix-demo,CN=vpn.kifarunix-demo.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "vpn.kifarunix-demo.com"</code></pre>

<p>Similarly, enter the key encryption password, generate the seed from the keyboard and press ENTER to continue.</p>

<p>Define the key usage and the extended key usage.</p>

<pre><code>Generating key. This may take a few moments...

                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 0
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 2
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 8</code></pre>

<pre><code>Is this a critical extension [y/N]?
n
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 0
                0 - Server Auth
                1 - Client Auth
                2 - Code Signing
                3 - Email Protection
                4 - Timestamp
                5 - OCSP Responder
                6 - Step-up
                7 - Microsoft Trust List Signing
                Other to finish
 > 8
Is this a critical extension [y/N]?
N</code></pre>

<h4>Generate the VPN Client Certificate</h4>

<p>Run the command below to generate a VPN client certificate. Replace the certificate name (the hostname is used here) with the name of the host you are generating the client certificate for;</p>

<pre><code>certutil -S -c "Kifarunix-demo CA" -n "janedoe.kifarunix-demo.com" -s "O=Kifarunix-demo,CN=janedoe.kifarunix-demo.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d/certsdb -t ",," -1 -6 -8 "janedoe.kifarunix-demo.com"</code></pre>

<p>Similarly, enter the same options as above.</p>

<p>List the available certificates in the database;</p>

<pre><code>certutil -L -d sql:/etc/ipsec.d/certsdb</code></pre>

<pre><code>Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Kifarunix-demo CA                                            CTu,u,u
vpn.kifarunix-demo.com                                       u,u,u
janedoe.kifarunix-demo.com                                   u,u,u
johndoe.kifarunix-demo.com                                   u,u,u</code></pre>

<p>Export the gateway certificate so it can be imported into the pluto DB.</p>

<pre><code>pk12util -o vpn.kifarunix-demo.com.p12 -n "vpn.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdb</code></pre>

<p>You can skip the PKCS12 password.</p>

<pre><code>ls</code></pre>

<pre><code>vpn.kifarunix-demo.com.p12</code></pre>

<p>Once exported, import the VPN server certificate into the DB.</p>

<pre><code>ipsec import vpn.kifarunix-demo.com.p12</code></pre>

<p>Export the client host certificate, private key, and CA certificate. All of these are stored in the .p12 file given as the output file in the command below.</p>

<pre><code>pk12util -o janedoe.kifarunix-demo.com.p12 -n "janedoe.kifarunix-demo.com" -d sql:/etc/ipsec.d/certsdb</code></pre>

<p>Similarly, skip the PKCS12 password.</p>

<pre><code>ls</code></pre>

<pre><code><strong>janedoe.kifarunix-demo.com.p12  vpn.kifarunix-demo.com.p12</strong></code></pre>

<p>If you have generated certificates for other client hosts, you can export them as well.</p>

<h3>Create IPSec VPN Endpoint Configuration file</h3>

<p>On your IPsec VPN host, create a configuration file in the <strong><code>/etc/ipsec.d</code></strong> directory for your mobile clients. <code><strong>/etc/ipsec.conf</strong></code> is the default configuration file for Libreswan and it has a directive to include other configurations defined in the <strong><code>/etc/ipsec.d</code></strong> directory.</p>

<pre><code>vim /etc/ipsec.d/mobile-clients.conf</code></pre>

<p>Put the following configuration in the file above.</p>

<pre><code>conn roadwarriors
    left=vpn.kifarunix-demo.com
    leftsubnet=0.0.0.0/0
    leftcert=vpn.kifarunix-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%any
    rightaddresspool=10.0.8.10-10.0.8.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="8.8.8.8,10.0.8.1"
    authby=rsasig
    auto=start
    dpddelay=60
    dpdtimeout=300
    dpdaction=clear
    mobike=yes
    ikev2=insist
    fragmentation=yes
    type=tunnel</code></pre>

<p><strong>Refer to <code>man ipsec.conf</code> for a comprehensive description of the options used above.</strong></p>

<p>Note that with <code>authby=rsasig</code> and <code>rightca=%same</code>, any client presenting a certificate issued by the same CA as the server's certificate is accepted, so the CA private key and the password-protected certificate database must be kept out of reach of anyone who should not be able to mint VPN client identities.</p>

<p>Verify the configuration file for any errors;</p>

<pre><code>/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig</code></pre>

<p>If there are no errors, the command exits with status 0.</p>

<pre><code>echo $?</code></pre>

<p>Otherwise, any error is displayed on the standard output. Fix the errors before you proceed.</p>

<p>Enable IPsec logging by uncommenting the line <code><strong>#logfile=/var/log/pluto.log</strong></code> in the <code><strong>/etc/ipsec.conf</strong></code> configuration.</p>

<pre><code>config setup
    # Normally, pluto logs via syslog.
    <strong>logfile=/var/log/pluto.log</strong>
...</code></pre>

<p>Restart IPsec;</p>

<pre><code>systemctl restart ipsec</code></pre>

<p>Check the status;</p>

<pre><code>systemctl status ipsec</code></pre>

<p>If ipsec fails to start, there is most likely a configuration syntax error. Run the command below to pinpoint the error.</p>

<pre><code>journalctl -xe</code></pre>

<p>Disable rp_filter for Libreswan and reload all kernel configurations.</p>

<pre><code>echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf</code></pre>

<pre><code>sysctl --system</code></pre>

<h3>Verify IPsec Configuration</h3>

<p>To confirm that the IPsec configuration is fine, simply run the command below;</p>

<pre><code>ipsec verify</code></pre>

<pre><code>Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.29 (netkey) on 4.18.0-193.6.3.el8_2.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]</code></pre>

<h3>Copy VPN Client Certificates to your Mobile Clients</h3>

<p>You can now <strong>copy the client certificates to your remote clients</strong> and connect to the VPN server. Since each .p12 bundle contains the client's private key, copy it over a secure channel such as scp.</p>

<p>In this tutorial, we are using Ubuntu 20.04 and Ubuntu 18.04 systems as our remote clients.</p>

<p>We have generated certificates for two hosts, <code>janedoe.kifarunix-demo.com</code> and <code>johndoe.kifarunix-demo.com</code>, for the Ubuntu 20.04 and Ubuntu 18.04 client hosts respectively.</p>

<h3>Configuring Libreswan Client</h3>

<p>On your Ubuntu system, install the libreswan package.</p>

<pre><code>apt update</code></pre>

<pre><code>apt install libreswan</code></pre>

<p>Create the Libreswan client VPN connection configuration file;</p>

<pre><code>vim /etc/ipsec.d/johndoe.conf</code></pre>

<p>Enter the content below;</p>

<pre><code>conn vpn.kifarunix-demo.com
    left=%defaultroute
    leftcert=johndoe.kifarunix-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    leftmodecfgclient=yes
    right=vpn.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightid=@vpn.kifarunix-demo.com
    rightrsasigkey=%cert
    narrowing=yes
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=no
    auto=start</code></pre>

<p><strong>If you are using hostnames, ensure that they are resolvable.</strong></p>

<p>Similarly, on your second host;</p>

<pre><code>vim /etc/ipsec.d/janedoe.conf</code></pre>

<pre><code>conn vpn.kifarunix-demo.com
    left=%defaultroute
    leftcert=janedoe.kifarunix-demo.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    leftmodecfgclient=yes
    right=vpn.kifarunix-demo.com
    rightsubnet=0.0.0.0/0
    rightid=@vpn.kifarunix-demo.com
    rightrsasigkey=%cert
    narrowing=yes
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=no
    auto=start</code></pre>

<p>Check the configuration syntax;</p>

<pre><code>/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig</code></pre>

<p>Initialize the NSS database;</p>

<pre><code>sudo ipsec checknss</code></pre>

<p>Import the PKCS#12 X.509 certificate file into the NSS database. Do the same on the other client host. Press ENTER to skip the PKCS12 password.</p>

<pre><code>sudo ipsec import janedoe.kifarunix-demo.com.p12</code></pre>

<pre><code>Enter password for PKCS12 file: <strong>ENTER</strong>
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Kifarunix-demo CA</code></pre>

<p>You can list the available certificates on the client host;</p>

<pre><code>certutil -L -d sql:/var/lib/ipsec/nss</code></pre>

<p>Start IPsec (and, as on the server, enable it to run on system boot).</p>

<pre><code>sudo ipsec setup start</code></pre>

<p>Check the status;</p>

<pre><code>systemctl status ipsec</code></pre>

<pre><code>● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-06-21 12:28:02 EAT; 7min ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 11251 ExecStartPre=/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
  Process: 11266 ExecStartPre=/usr/lib/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 11742 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 11743 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
 Main PID: 11757 (pluto)
   Status: "Startup completed."
    Tasks: 2 (limit: 2319)
   Memory: 10.3M
   CGroup: /system.slice/ipsec.service
           └─11757 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: certificate verified OK: O=Kifarunix-demo,CN=vpn.kifarunix-demo>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=vpn.kifarunix-demo.co>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: Authenticated using RSA
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received <strong>INTERNAL_IP4_ADDRESS 10.0.8.10</strong>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_DNS 8.8.8.8
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: received INTERNAL_IP4_DNS 10.0.8.1
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: up-client output: updating resolvconf
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: negotiated connection [10.0.8.10-10.0.8.10:0-65535 0] -> [0.0.0>
Jun 21 12:28:02 koromicha pluto[11757]: "vpn.kifarunix-demo.com"[1] 192.168.56.133 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=</code></pre>

<p>Check the status on the other remote host as well.</p>

<p>From the status output, you can see the assigned IP address, <strong>INTERNAL_IP4_ADDRESS 10.0.8.10</strong>. On my other client host it is <strong>INTERNAL_IP4_ADDRESS 10.0.8.11</strong>.</p>

<p>Load the connection on each client host;</p>

<pre><code>sudo ipsec auto --add vpn.kifarunix-demo.com</code></pre>

<p>Establish the tunnel by bringing up the connection on each host;</p>

<pre><code>sudo ipsec auto --up vpn.kifarunix-demo.com</code></pre>

<p>From each host, ping the VPN-assigned IP address of the other.</p>

<pre><code>ping 10.0.8.11 -c 4</code></pre>

<pre><code>PING 10.0.8.11 (10.0.8.11) 56(84) bytes of data.
64 bytes from 10.0.8.11: icmp_seq=1 ttl=63 time=2.82 ms
64 bytes from 10.0.8.11: icmp_seq=2 ttl=63 time=2.84 ms
64 bytes from 10.0.8.11: icmp_seq=3 ttl=63 time=3.06 ms
64 bytes from 10.0.8.11: icmp_seq=4 ttl=63 time=2.83 ms

--- 10.0.8.11 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3010ms
rtt min/avg/max/mdev = 2.820/2.888/3.060/0.099 ms</code></pre>

<p>On the other host;</p>

<pre><code>ping 10.0.8.10 -c 4</code></pre>

<pre><code>PING 10.0.8.10 (10.0.8.10) 56(84) bytes of data.
64 bytes from 10.0.8.10: icmp_seq=1 ttl=63 time=1.63 ms
64 bytes from 10.0.8.10: icmp_seq=2 ttl=63 time=2.38 ms
64 bytes from 10.0.8.10: icmp_seq=3 ttl=63 time=3.18 ms
64 bytes from 10.0.8.10: icmp_seq=4 ttl=63 time=2.86 ms

--- 10.0.8.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.631/2.516/3.187/0.588 ms</code></pre>

<p>The two remote hosts can now communicate via the IPsec VPN server.</p>

<h3>Further Reading/Reference</h3>

<p>Libreswan Configuration Examples</p>

<h3>Related Tutorials</h3>

<p>Install and Setup OpenVPN Server on Ubuntu 20.04</p>

<p>Configure OpenVPN LDAP Based Authentication</p>

<p>Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8</p>

<p>Setup IPSEC VPN using StrongSwan on Debian 10</p>