Show Table of Contents
2.7.2. VPN Configurations Using Libreswan
Libreswan does not use the terms “source” or “destination”. Instead, it uses the terms “left” and “right” to refer to end points (the hosts). This allows the same configuration to be used on both end points in most cases, although most administrators use “left” for the local host and “right” for the remote host.
There are three commonly used methods for authentication of endpoints:
- Raw RSA keys are commonly used for static host-to-host or subnet-to-subnet
IPsecconfigurations. The hosts are manually configured with each other's public RSA key. This method does not scale well when dozens or more hosts all need to setupIPsectunnels to each other. - X.509 certificates are commonly used for large scale deployments where there are many hosts that need to connect to a common
IPsecgateway. A central certificate authority (CA) is used to sign RSA certificates for hosts or users. This central CA is responsible for relaying trust, including the revocations of individual hosts or users. - Pre-Shared Keys (PSK) is the simplest authentication method. PSK's should consist of random characters and have a length of at least 20 characters. Due to the dangers of non-random and short PSKs, this is the least secure form of authentication and it is recommended to use either raw RSA keys or certificate based authentication instead.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.