2.7. Securing Virtual Private Networks (VPNs)
In Red Hat Enterprise Linux 6, a Virtual Private Network (VPN) can be configured using the IPsec tunneling protocol, which is supported by the Libreswan application. Libreswan is a fork of the Openswan application, and examples in the documentation should be interchangeable. The NetworkManager IPsec plug-in is called NetworkManager-openswan.

Libreswan is the IPsec implementation available in Red Hat Enterprise Linux 6. It uses the Internet Key Exchange (IKE) protocol; IKE versions 1 and 2 are implemented as a user-level daemon (pluto). Manual key establishment is also possible via ip xfrm commands, but this is not recommended. Libreswan passes the negotiated encryption keys to the Linux kernel over netlink; packet encryption and decryption happen in the kernel, not in the daemon.
2.7.1. IPsec VPN Using Libreswan
To install Libreswan, issue the following command as root. Note that the libreswan package is available from the Extras repository, which needs to be enabled for the installation to succeed. See How to enable/disable a repository using Red Hat Subscription Manager? (The ID of the Extras repository is

yum install libreswan

To check that Libreswan is installed, issue:

yum info libreswan

After a new installation, initialize the NSS database in which Libreswan stores its keys and certificates by issuing the following command as root:

ipsec initnss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password

To start the ipsec daemon (pluto) provided by Libreswan, issue the following command as root:

service ipsec start

To confirm that the daemon is running:

service ipsec status
pluto (pid 3496) is running...

To ensure that Libreswan starts when the system boots, issue the following command as root:

chkconfig ipsec on
Configure any intermediate as well as host-based firewalls to permit the ipsec service. See Section 2.8, “Firewalls” for information on firewalls and allowing specific services to pass through. Libreswan requires the firewall to allow the following packets:
- UDP port 500 for the Internet Key Exchange (IKE) protocol
- UDP port 4500 for IKE NAT-Traversal (IKE and ESP encapsulated in UDP when a NAT device sits between the peers)
- Protocol 50 for Encapsulating Security Payload (ESP) IPsec packets
- Protocol 51 for Authentication Header (AH) IPsec packets (not commonly used)
On a default Red Hat Enterprise Linux 6 host these rules must be placed before the catch-all REJECT rule of the INPUT chain, and for roaming users the rules cannot be restricted to a known source address.
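The bring-up procedure above (install, initialize NSS, start and enable pluto, open the firewall) gathered into one script, added here as an example; it is not taken from the Red Hat guide or from the Libreswan project. It targets Red Hat Enterprise Linux 6 (yum, SysV init, iptables). The NSS database path /etc/ipsec.d/cert8.db, the helper names, and the peer address 192.0.2.10 are assumptions. The firewall rules are produced by a separate function so they can be reviewed before anything is applied, and the status check parses the same "pluto (pid N) is running..." line shown above.

```shell
#!/bin/sh
# Added example (not the Red Hat guide's or Libreswan's own code).
# Assumes RHEL 6: yum, SysV init scripts, iptables with "service iptables save".

# Print the iptables rules that let IKE, IKE NAT-Traversal, ESP and AH reach
# the host. $1 is an optional peer address; when it is given, the rules are
# limited to that source. Leave it empty for road-warrior setups, whose
# source addresses are not known in advance. "-I INPUT" inserts at the top of
# the chain so the rules land before the default catch-all REJECT.
ipsec_firewall_rules() {
    peer="$1"
    src=""
    [ -n "$peer" ] && src="-s $peer "
    printf 'iptables -I INPUT %s-p udp --dport 500 -j ACCEPT\n'  "$src"  # IKE
    printf 'iptables -I INPUT %s-p udp --dport 4500 -j ACCEPT\n' "$src"  # IKE NAT-Traversal
    printf 'iptables -I INPUT %s-p 50 -j ACCEPT\n'               "$src"  # ESP (protocol 50)
    printf 'iptables -I INPUT %s-p 51 -j ACCEPT\n'               "$src"  # AH  (protocol 51)
}

# Extract pluto's PID from the output of "service ipsec status", which looks
# like "pluto (pid 3496) is running...". Prints the PID and returns 0 when
# the daemon is up; prints nothing and returns 1 otherwise.
ipsec_pluto_pid() {
    pid=$(printf '%s\n' "$1" | sed -n 's/^pluto (pid \([0-9][0-9]*\)) is running.*/\1/p')
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Run the section's procedure end to end. Requires root, and the Extras
# repository must already be enabled for yum to find the package.
# $1 is the optional peer address handed to ipsec_firewall_rules.
libreswan_setup() {
    [ "$(id -u)" -eq 0 ] || { echo "libreswan_setup: run as root" >&2; return 1; }
    rpm -q libreswan >/dev/null 2>&1 || yum -y install libreswan || return 1
    # Initialise the NSS database only on a fresh install; re-running initnss
    # over an existing database is not wanted. Path is an assumption.
    [ -f /etc/ipsec.d/cert8.db ] || ipsec initnss || return 1
    service ipsec start || return 1
    chkconfig ipsec on || return 1
    ipsec_pluto_pid "$(service ipsec status)" >/dev/null \
        || { echo "libreswan_setup: pluto is not running" >&2; return 1; }
    # Apply the reviewed firewall rules and persist them across reboots.
    ipsec_firewall_rules "$1" | sh || return 1
    service iptables save
}

# Usage (as root): libreswan_setup            # road warriors, any peer
#                  libreswan_setup 192.0.2.10 # one fixed peer (assumed address)
```

Run `ipsec_firewall_rules 192.0.2.10` on its own first to see exactly which rules will be inserted; only `libreswan_setup` changes the system.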
We present three examples of using Libreswan to set up an IPsec VPN. The first example connects two hosts so that they can communicate securely. The second connects two sites to form one network. The third supports roaming users, known as road warriors in this context.