Chapter 7. Setting up an IPsec VPN

A virtual private network (VPN) is a way of connecting to a local network over the internet. IPsec provided by Libreswan is the preferred method for creating a VPN. Libreswan is a user-space IPsec implementation for VPN. A VPN enables the communication between your LAN, and another, remote LAN by setting up a tunnel across an intermediate network such as the internet. For security reasons, a VPN tunnel always uses authentication and encryption. For cryptographic operations, Libreswan uses the NSS library.

7.1. Configuring a VPN connection with control-center

If you use Red Hat Enterprise Linux with a graphical interface, you can configure a VPN connection in the GNOME control-center.

Prerequisites

  • The NetworkManager-libreswan-gnome package is installed.

Procedure

  1. Press the Super key, type Settings, and press Enter to open the control-center application.
  2. Select the Network entry on the left.
  3. Click the + icon.
  4. Select VPN.

  5. Select the Identity menu entry to see the basic configuration options:

    General

    Gateway — The name or IP address of the remote VPN gateway.

    Authentication

    Type

    • IKEv2 (Certificate)- client is authenticated by certificate. It is more secure (default).

    • IKEv1 (XAUTH) - client is authenticated by user name and password, or a pre-shared key (PSK).

      The following configuration settings are available under the Advanced section:

      Figure 7.1. Advanced options of a VPN connection

      networking vpn advanced options
      Warning

      When configuring an IPsec-based VPN connection using the gnome-control-center application, the Advanced dialog displays the configuration, but it does not allow any changes. As a consequence, users cannot change any advanced IPsec options. Use the nm-connection-editor or nmcli tools instead to perform configuration of the advanced properties.

      Identification

    • Domain — If required, enter the Domain Name.

      Security

    • Phase1 Algorithms — corresponds to the ike Libreswan parameter — enter the algorithms to be used to authenticate and set up an encrypted channel.

    • Phase2 Algorithms — corresponds to the esp Libreswan parameter — enter the algorithms to be used for the IPsec negotiations.

      Check the Disable PFS field to turn off Perfect Forward Secrecy (PFS) to ensure compatibility with old servers that do not support PFS.

    • Phase1 Lifetime — corresponds to the ikelifetime Libreswan parameter — how long the key used to encrypt the traffic will be valid.

    • Phase2 Lifetime — corresponds to the salifetime Libreswan parameter — how long a particular instance of a connection should last before expiring.

      Note that the encryption key should be changed from time to time for security reasons.

    • Remote network — corresponds to the rightsubnet Libreswan parameter — the destination private remote network that should be reached through the VPN.

      Check the narrowing field to enable narrowing. Note that it is only effective in IKEv2 negotiation.

    • Enable fragmentation — corresponds to the fragmentation Libreswan parameter — whether or not to allow IKE fragmentation. Valid values are yes (default) or no.
    • Enable Mobike — corresponds to the mobike Libreswan parameter — whether to allow Mobility and Multihoming Protocol (MOBIKE, RFC 4555) to enable a connection to migrate its endpoint without needing to restart the connection from scratch. This is used on mobile devices that switch between wired, wireless, or mobile data connections. The values are no (default) or yes.

  6. Select the IPv4 menu entry:

    IPv4 Method

    • Automatic (DHCP) — Choose this option if the network you are connecting to uses a DHCP server to assign dynamic IP addresses.
    • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 3927 with prefix 169.254/16.
    • Manual — Choose this option if you want to assign IP addresses manually.

    • DisableIPv4 is disabled for this connection.

      DNS

      In the DNS section, when Automatic is ON, switch it to OFF to enter the IP address of a DNS server you want to use separating the IPs by comma.

      Routes

      Note that in the Routes section, when Automatic is ON, routes from DHCP are used, but you can also add additional static routes. When OFF, only static routes are used.

    • Address — Enter the IP address of a remote network or host.
    • Netmask — The netmask or prefix length of the IP address entered above.
    • Gateway — The IP address of the gateway leading to the remote network or host entered above.

    • Metric — A network cost, a preference value to give to this route. Lower values will be preferred over higher values.

      Use this connection only for resources on its network

      Select this check box to prevent the connection from becoming the default route. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually is routed over the connection.

  7. To configure IPv6 settings in a VPN connection, select the IPv6 menu entry:

    IPv6 Method

    • Automatic — Choose this option to use IPv6 Stateless Address AutoConfiguration (SLAAC) to create an automatic, stateless configuration based on the hardware address and Router Advertisements (RA).
    • Automatic, DHCP only — Choose this option to not use RA, but request information from DHCPv6 directly to create a stateful configuration.
    • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 4862 with prefix FE80::0.
    • Manual — Choose this option if you want to assign IP addresses manually.

    • DisableIPv6 is disabled for this connection.

      Note that DNS, Routes, Use this connection only for resources on its network are common to IPv4 settings.

  8. Once you have finished editing the VPN connection, click the Add button to customize the configuration or the Apply button to save it for the existing one.
  9. Switch the profile to ON to active the VPN connection.

Additional resources

  • nm-settings-libreswan(5)

7.2. Configuring a VPN connection using nm-connection-editor

If you use Red Hat Enterprise Linux with a graphical interface, you can configure a VPN connection in the nm-connection-editor application.

Prerequisites

  • The NetworkManager-libreswan-gnome package is installed.

  • If you configure an Internet Key Exchange version 2 (IKEv2) connection:

    • The certificate is imported into the IPsec network security services (NSS) database.
    • The nickname of the certificate in the NSS database is known.

Procedure

  1. Open a terminal, and enter: 

    $ nm-connection-editor
  2. Click the + button to add a new connection.
  3. Select the IPsec based VPN connection type, and click Create.

  4. On the VPN tab:

    1. Enter the host name or IP address of the VPN gateway into the Gateway field, and select an authentication type. Based on the authentication type, you must enter different additional information:

      • IKEv2 (Certifiate) authenticates the client by using a certificate, which is more secure. This setting requires the nickname of the certificate in the IPsec NSS database

      • IKEv1 (XAUTH) authenticates the user by using a user name and password (pre-shared key). This setting requires that you enter the following values:

        • User name
        • Password
        • Group name
        • Secret

    2. If the remote server specifies a local identifier for the IKE exchange, enter the exact string in the Remote ID field. In the remote server runs Libreswan, this value is set in the server’s leftid parameter.

      nm connection editor vpn tab

    3. Optionally, configure additional settings by clicking the Advanced button. You can configure the following settings:

      • Identification

        • Domain — If required, enter the domain name.

      • Security

        • Phase1 Algorithms corresponds to the ike Libreswan parameter. Enter the algorithms to be used to authenticate and set up an encrypted channel.

        • Phase2 Algorithms corresponds to the esp Libreswan parameter. Enter the algorithms to be used for the IPsec negotiations.

          Check the Disable PFS field to turn off Perfect Forward Secrecy (PFS) to ensure compatibility with old servers that do not support PFS.

        • Phase1 Lifetime corresponds to the ikelifetime Libreswan parameter. This parameter defines how long the key used to encrypt the traffic is valid.
        • Phase2 Lifetime corresponds to the salifetime Libreswan parameter. This parameter defines how long a security association is valid.

      • Connectivity

        • Remote network corresponds to the rightsubnet Libreswan parameter and defines the destination private remote network that should be reached through the VPN.

          Check the narrowing field to enable narrowing. Note that it is only effective in the IKEv2 negotiation.

        • Enable fragmentation corresponds to the fragmentation Libreswan parameter and defines whether or not to allow IKE fragmentation. Valid values are yes (default) or no.
        • Enable Mobike corresponds to the mobike Libreswan parameter. The parameter defines whether to allow Mobility and Multihoming Protocol (MOBIKE) (RFC 4555) to enable a connection to migrate its endpoint without needing to restart the connection from scratch. This is used on mobile devices that switch between wired, wireless or mobile data connections. The values are no (default) or yes.

  5. On the IPv4 Settings tab, select the IP assignment method and, optionally, set additional static addresses, DNS servers, search domains, and routes.

    IPsec IPv4 tab

  6. Save the connection.
  7. Close nm-connection-editor.
Note

When you add a new connection by clicking the + button, NetworkManager creates a new configuration file for that connection and then opens the same dialog that is used for editing an existing connection. The difference between these dialogs is that an existing connection profile has a Details menu entry.

Additional resources

  • nm-settings-libreswan(5) man page

7.3. Configuring automatic detection and usage of ESP hardware offload to accelerate an IPsec connection

Offloading Encapsulating Security Payload (ESP) to the hardware accelerates IPsec connections over Ethernet. By default, Libreswan detects if hardware supports this feature and, as a result, enables ESP hardware offload. In case that the feature was disabled or explicitly enabled, you can switch back to automatic detection.

Prerequisites

  • The network card supports ESP hardware offload.
  • The network driver supports ESP hardware offload.
  • The IPsec connection is configured and works.

Procedure

  1. Edit the Libreswan configuration file in the /etc/ipsec.d/ directory of the connection that should use automatic detection of ESP hardware offload support.
  2. Ensure the nic-offload parameter is not set in the connection’s settings.

  3. If you removed nic-offload, restart the ipsec service: 

    # systemctl restart ipsec

Verification

If the network card supports ESP hardware offload support, following these steps to verify the result:

  1. Display the tx_ipsec and rx_ipsec counters of the Ethernet device the IPsec connection uses: 

    # ethtool -S enp1s0 | egrep "_ipsec"
     tx_ipsec: 10
     rx_ipsec: 10

  2. Send traffic through the IPsec tunnel. For example, ping a remote IP address: 

    # ping -c 5 remote_ip_address

  3. Display the tx_ipsec and rx_ipsec counters of the Ethernet device again: 

    # ethtool -S enp1s0 | egrep "_ipsec"
     tx_ipsec: 15
     rx_ipsec: 15

    If the counter values have increased, ESP hardware offload works.

Additional resources

7.4. Configuring ESP hardware offload on a bond to accelerate an IPsec connection

Offloading Encapsulating Security Payload (ESP) to the hardware accelerates IPsec connections. If you use a network bond for fail-over reasons, the requirements and the procedure to configure ESP hardware offload are different from those using a regular Ethernet device. For example, in this scenario, you enable the offload support on the bond, and the kernel applies the settings to the ports of the bond.

Prerequisites

  • All network cards in the bond support ESP hardware offload.
  • The network driver supports ESP hardware offload on a bond device. In RHEL, only the ixgbe driver supports this feature.
  • The bond is configured and works.
  • The bond uses the active-backup mode. The bonding driver does not support any other modes for this feature.
  • The IPsec connection is configured and works.

Procedure

  1. Enable ESP hardware offload support on the network bond: 

    # nmcli connection modify bond0 ethtool.feature-esp-hw-offload on

    This command enables ESP hardware offload support on the bond0 connection.

  2. Reactivate the bond0 connection: 

    # nmcli connection up bond0

  3. Edit the Libreswan configuration file in the /etc/ipsec.d/ directory of the connection that should use ESP hardware offload, and append the nic-offload=yes statement to the connection entry: 

    conn example
    ...
    nic-offload=yes

  4. Restart the ipsec service: 

    # systemctl restart ipsec

Verification

  1. Display the active port of the bond: 

    # grep "Currently Active Slave" /proc/net/bonding/bond0
Currently Active Slave: enp1s0

  2. Display the tx_ipsec and rx_ipsec counters of the active port: 

    # ethtool -S enp1s0 | egrep "_ipsec"
     tx_ipsec: 10
     rx_ipsec: 10

  3. Send traffic through the IPsec tunnel. For example, ping a remote IP address: 

    # ping -c 5 remote_ip_address

  4. Display the tx_ipsec and rx_ipsec counters of the active port again: 

    # ethtool -S enp1s0 | egrep "_ipsec"
     tx_ipsec: 15
     rx_ipsec: 15

    If the counter values have increased, ESP hardware offload works.

Additional resources

7.5. Configuring an IPsec based VPN connection by using nmstatectl

IPsec (Internet Protocol Security) is a security protocol suite, provided by Libreswan, for implementation of VPN. IPsec includes protocols to initiate authentication at the time of connection establishment and manage keys during the data transfer. When an application deploys in a network and communicates by using the IP protocol, IPsec can protect data communication.

To manage an IPsec-based configuration for authenticating VPN connections, you can use the nmstatectl utility. This utility provides command line access to a declarative API for host network management. The following are the authentication types for the host-to-subnet and host-to-host communication modes:

  • Host-to-subnet PKI authentication
  • Host-to-subnet RSA authentication
  • Host-to-subnet PSK authentication
  • Host-to-host tunnel mode authentication
  • Host-to-host transport mode authentication

7.5.1. Configuring a host-to-subnet IPSec VPN with PKI authentication and tunnel mode by using nmstatectl

If you want to use encryption based on the trusted entity authentication in IPsec, Public Key Infrastructure (PKI) provides secure communication by using cryptographic keys between two hosts. Both communicating hosts generate private and public keys where each host maintains a private key by sharing public key with the trusted entity Certificate Authority (CA). The CA generates a digital certificate after verifying the authenticity. In case of encryption and decryption, the host uses a private key for encryption and public key for decryption.

By using Nmstate, a declarative API for network management, you can configure a PKI authentication-based IPsec connection. After setting the configuration, the Nmstate API ensures that the result matches with the configuration file. If anything fails, nmstate automatically rolls back the changes to avoid an incorrect state of the system.

To establish encrypted communication in host-to-subnet configuration, remote IPsec end provides another IP to host by using parameter dhcp: true. In the case of defining systems for IPsec in nmstate, the left-named system is the local host while the right-named system is the remote host. The following procedure needs to run on both hosts.

Prerequisites

  • By using a password, you have generated a PKCS #12 file that stores certificates and cryptographic keys.

Procedure

  1. Install the required packages: 

    # dnf install nmstate libreswan NetworkManager-libreswan

  2. Restart the NetworkManager service: 

    # systemctl restart NetworkManager

  3. As Libreswan was already installed, remove its old database files and re-create them: 

    # systemctl stop ipsec
# rm /etc/ipsec.d/*db
# ipsec initnss

  4. Enable and start the ipsec service: 

    # systemctl enable --now ipsec

  5. Import the PKCS#12 file: 

    # ipsec import node-example.p12

    When importing the PKCS#12 file, enter the password that was used to create the file.

  6. Create a YAML file, for example ~/create-pki-authentication.yml, with the following content: 

    ---
interfaces:
- name: 'example_ipsec_conn1'            1
  type: ipsec
  ipv4:
    enabled: true
    dhcp: true
  libreswan:
    ipsec-interface: 'yes'               2
    left: '192.0.2.250'                  3
    leftid: '%fromcert'                  4
    leftcert: 'local-host.example.com'   5
    right: '192.0.2.150'                 6
    rightid: '%fromcert'                 7
    ikev2: 'insist'                      8
    ikelifetime: '24h'                   9
    salifetime: '24h'                    10

    The YAML file defines the following settings:

    1
    An IPsec connection name
    2
    The value yes means libreswan creates an IPsec xfrm virtual interface ipsec<number> and automatically finds the next available number
    3
    A static IPv4 address of public network interface for a local host
    4
    On a local host, the value of %fromcert sets the ID to a Distinguished Name (DN) that is fetched from a loaded certificate
    5
    A Distinguished Name (DN) of a local host’s public key
    6
    A static IPv4 address of public network interface for a remote host
    7
    On a remote host, the value of %fromcert sets the ID to a Distinguished Name (DN) that is fetched from a loaded certificate.
    8
    insist value accepts and receives only the Internet Key Exchange (IKEv2) protocol
    9
    The duration of IKE protocol
    10
    The duration of IPsec security association (SA)

  7. Apply settings to the system: 

    # nmstatectl apply ~/create-pki-authentication.yml

Verification

  1. Verify IPsec status: 

    # ip xfrm status

  2. Verify IPsec policies: 

    # ip xfrm policy

Additional resources

  • ipsec.conf(5) man page

7.5.2. Configuring a host-to-subnet IPSec VPN with RSA authentication and tunnel mode by using nmstatectl

If you want to use asymmetric cryptography-based key authentication in IPsec, the RSA algorithm provides secure communication by using either of private and public keys for encryption and decryption between two hosts. This method uses a private key for encryption, and a public key for decryption.

By using Nmstate, a declarative API for network management, you can configure RSA-based IPsec authentication. After setting the configuration, the Nmstate API ensures that the result matches with the configuration file. If anything fails, nmstate automatically rolls back the changes to avoid an incorrect state of the system.

To establish encrypted communication in host-to-subnet configuration, remote IPsec end provides another IP to host by using parameter dhcp: true. In the case of defining systems for IPsec in nmstate, the left-named system is the local host while the right-named system is the remote host. The following procedure needs to run on both hosts.

Procedure

  1. Install the required packages: 

    # dnf install nmstate libreswan NetworkManager-libreswan

  2. Restart the NetworkManager service: 

    # systemctl restart NetworkManager

  3. If Libreswan was already installed, remove its old database files and re-create them: 

    # systemctl stop ipsec
# rm /etc/ipsec.d/*db
# ipsec initnss

  4. Generate a RSA key pair on each host: 

    # ipsec newhostkey --output

  5. Display the public keys: 

    # ipsec showhostkey --list

  6. The previous step returned the generated key ckaid. Use that ckaid with the following command on left, for example: 

    # ipsec showhostkey --left --ckaid <0sAwEAAesFfVZqFzRA9F>

  7. The output of the previous command generated the leftrsasigkey= line required for the configuration. Do the same on the second host (right): 

    # ipsec showhostkey --right --ckaid <0sAwEAAesFfVZqFzRA9E>

  8. Enable the ipsec service to automatically start it on boot: 

    # systemctl enable --now ipsec

  9. Create a YAML file, for example ~/create-rsa-authentication.yml, with the following content: 

    ---
interfaces:
- name: 'example_ipsec_conn1'               1
  type: ipsec                               2
  ipv4:
    enabled: true
    dhcp: true
  libreswan:
    ipsec-interface: '99'                   3
    leftrsasigkey: '0sAwEAAesFfVZqFzRA9F'   4
    left: '192.0.2.250'                     5
    leftid: 'local-host-rsa.example.com'    6
    right: '192.0.2.150'                    7
    rightrsasigkey: '0sAwEAAesFfVZqFzRA9E'  8
    rightid: 'remote-host-rsa.example.com'  9
    ikev2: 'insist'                         10

    The YAML file defines the following settings:

    1
    An IPsec connection name
    2
    An interface name
    3
    The value 99 means that libreswan creates an IPsec xfrm virtual interface ipsec<number> and automatically finds the next available number
    4
    The RSA public key of a local host
    5
    A static IPv4 address of public network interface of a local host
    6
    A Distinguished Name (DN) for a local host
    7
    The RSA public key of a remote host
    8
    A static IPv4 address of public network interface of a remote host
    9
    A Distinguished Name(DN) for a remote host
    10
    insist value accepts and receives only the Internet Key Exchange (IKEv2) protocol

  10. Apply the settings to the system: 

    # nmstatectl apply ~/create-rsa-authentication.yml

Verification

  1. Display the IP settings of the network interface: 

    # ip addr show example_ipsec_conn1

  2. Verify IPsec status: 

    # ip xfrm status

  3. Verify IPsec policies: 

    # ip xfrm policy

Additional resources

  • ipsec.conf(5) man page

7.5.3. Configuring a host-to-subnet IPSec VPN with PSK authentication and tunnel mode by using nmstatectl

If you want to use encryption based on mutual authentication in IPsec, the Pre-Shared Key (PSK) method provides secure communication by using a secret key between two hosts. A file stores the secret key and the same key encrypts the data flowing through the tunnel.

By using Nmstate, a declarative API for network management, you can configure PSK-based IPsec authentication. After setting the configuration, the Nmstate API ensures that the result matches with the configuration file. If anything fails, nmstate automatically rolls back the changes to avoid incorrect state of the system.

To establish encrypted communication in host-to-subnet configuration, remote IPsec end provides another IP to host by using parameter dhcp: true. In the case of defining systems for IPsec in nmstate, the left-named system is the local host while the right-named system is the remote host. The following procedure needs to run on both hosts.

Note

As this method uses static strings for authentication and encryption, use it only for testing/development purposes.

Procedure

  1. Install the required packages: 

    # dnf install nmstate libreswan NetworkManager-libreswan

  2. Restart the NetworkManager service: 

    # systemctl restart NetworkManager

  3. If Libreswan was already installed, remove its old database files and re-create them: 

    # systemctl stop ipsec
# rm /etc/ipsec.d/*db
# ipsec initnss

  4. Enable the ipsec service to automatically start it on boot: 

    # systemctl enable --now ipsec

  5. Create a YAML file, for example ~/create-pks-authentication.yml, with the following content: 

    ---
interfaces:
- name: 'example_ipsec_conn1'           1
  type: ipsec
  ipv4:
    enabled: true
    dhcp: true
  libreswan:
    ipsec-interface: 'no'               2
    right: '192.0.2.250'                3
    rightid: 'remote-host.example.org'  4
    left: '192.0.2.150'                 5
    leftid: 'local-host.example.org'    6
    psk: "example_password"
    ikev2: 'insist'                     7

    The YAML file defines the following settings:

    1
    An IPsec connection name
    2
    Setting no value indicates that libreswan creates only xfrm policies, and not a virtual xfrm interface
    3
    A static IPv4 address of public network interface of a remote host
    4
    A Distinguished Name (DN) for a remote host
    5
    A static IPv4 address of public network interface of a local host
    6
    A Distinguished Name (DN) for a local host
    7
    insist value accepts and receives only the Internet Key Exchange (IKEv2) protocol

  6. Apply the settings to the system: 

    # nmstatectl apply ~/create-pks-authentication.yml

Verification

  1. Display the IP settings of network interface: 

    # ip addr show example_ipsec_conn1

  2. Verify IPsec status: 

    # ip xfrm status

  3. Verify IPsec policies: 

    # ip xfrm policy

7.5.4. Configuring a host-to-host IPsec VPN with PKI authentication and tunnel mode by using nmstatectl

IPsec (Internet Protocol Security) is a security protocol suite to authenticate and encrypt IP communications within networks and devices. The Libreswan software provides an IPsec implementation for VPNs.

In tunnel mode, the source and destination IP address of communication is encrypted in the IPsec tunnel. External network sniffers can only get left IP and right IP. In general, for tunnel mode, it supports host-to-host, host-to-subnet, and subnet-to-subnet. In this mode, a new IP packet encapsulates an existing packet along with its payload and header. Encapsulation in this mode protects IP data, source, and destination headers over an unsecure network. This mode is useful to transfer data in subnet-to-subnet, remote access connections, and untrusted networks, such as open public Wi-Fi networks. By default, IPsec establishes a secure channel between two sites in tunnel mode. With the following configuration, you can establish a VPN connection as a host-to-host architecture.

By using Nmstate, a declarative API for network management, you can configure an IPsec VPN connection. After setting the configuration, the Nmstate API ensures that the result matches with the configuration file. If anything fails, nmstate automatically rolls back the changes to avoid incorrect state of the system.

In host-to-host configuration, you need to set leftmodecfgclient: no so that it can’t receive network configuration from the server, hence the value no. In the case of defining systems for IPsec in nmstate, the left-named system is the local host while the right-named system is the remote host. The following procedure needs to run on both hosts.

Prerequisites

  • By using a password, you have generated a PKCS #12 file that stores certificates and cryptographic keys.

Procedure

  1. Install the required packages: 

    # dnf install nmstate libreswan NetworkManager-libreswan

  2. Restart the NetworkManager service: 

    # systemctl restart NetworkManager

  3. As Libreswan was already installed, remove its old database files and re-create them: 

    # systemctl stop ipsec
# rm /etc/ipsec.d/*db
# ipsec initnss

  4. Import the PKCS#12 file: 

    # ipsec import node-example.p12

    When importing the PKCS#12 file, enter the password that was used to generate the file.

  5. Enable and start the ipsec service: 

    # systemctl enable --now ipsec

  6. Create a YAML file, for example ~/create-p2p-vpn-authentication.yml, with the following content: 

    ---
interfaces:
- name: 'example_ipsec_conn1'             1
  type: ipsec
  libreswan:
    left: '192.0.2.250'                   2
    leftid:  'local-host.example.com'     3
    leftcert: 'local-host.example.com'    4
    leftmodecfgclient: 'no'               5
    right: '192.0.2.150'                  6
    rightid: 'remote-host.example.com'    7
    rightsubnet: '192.0.2.150/32'         8
    ikev2: 'insist'                       9

    The YAML file defines the following settings:

    1
    An IPsec connection name
    2
    A static IPv4 address of public network interface for a local host
    3
    A distinguished Name (DN) of a local host
    4
    A certificate name installed on a local host
    5
    The value for not to retrieve client configuration from a remote host
    6
    A static IPv4 address of public network interface for a remote host
    7
    A distinguished Name (DN) of a remote host
    8
    The subnet range of a remote host - 192.0.2.150 with 32 IPv4 addresses
    9
    The value to accept and receive only the Internet Key Exchange (IKEv2) protocol

  7. Apply the settings to the system: 

    # nmstatectl apply ~/create-p2p-vpn-authentication.yml

Verification

  1. Display the created P2P policy: 

    # ip xfrm policy

  2. Verify IPsec status: 

    # ip xfrm status

Additional resources

  • ipsec.conf(5) man page

7.5.5. Configuring a host-to-host IPsec VPN with PSK authentication and transport mode by using nmstatectl

IPsec (Internet Protocol Security) is a security protocol suite to authenticate and encrypt IP communications within networks and devices. The Libreswan utility provides IPsec based implementation for VPN.

In transport mode, encryption works only for the payload of an IP packet. Also, a new IPsec header gets appended to the IP packet by keeping the original IP header as it is. Transport mode does not encrypt the source and destination IP of communication but copies them to an external IP header. Hence, encryption protects only IP data across the network. This mode is useful to transfer data in a host-to-host connection of a network. This mode is often used along with the GRE tunnel to save 20 bytes (IP header) of overheads. By default, the IPsec utility uses tunnel mode. To use transfer mode, set type: transport for host-to-host connection data transfer.

By using Nmstate, a declarative API for network management, you can configure an IPsec VPN connection. After setting the configuration, the Nmstate API ensures that the result matches with the configuration file. If anything fails, nmstate automatically rolls back the changes to avoid incorrect state of the system. To override the default tunnel mode, specify transport mode.

In the case of defining systems for IPsec in nmstate, the left-named system is the local host while the right-named system is the remote host. The following procedure needs to run on both hosts.

Prerequisites

  • By using a password, you have generated a PKCS #12 file that stores certificates and cryptographic keys.

Procedure

  1. Install the required packages: 

    # dnf install nmstate libreswan NetworkManager-libreswan

  2. Restart the NetworkManager service: 

    # systemctl restart NetworkManager

  3. As Libreswan was already installed, remove its old database files and re-create them: 

    # systemctl stop ipsec
# rm /etc/ipsec.d/*db
# ipsec initnss

  4. Import the PKCS#12 file: 

    # ipsec import node-example.p12

    When importing the PKCS#12 file, enter the password that was used to create the file.

  5. Enable and start the ipsec service: 

    # systemctl enable --now ipsec

  6. Create a YAML file, for example ~/create-p2p-transport-authentication.yml, with the following content: 

    ---
interfaces:
- name: 'example_ipsec_conn1'           1
  type: ipsec
  libreswan:
    type: 'transport'                   2
    ipsec-interface: '99'               3
    left: '192.0.2.250'                 4
    leftid: '%fromcert'                 5
    leftcert: 'local-host.example.org'  6
    right: '192.0.2.150'                7
    prefix-length: '32'                 8
    rightid: '%fromcert'                9
    ikev2: 'insist'                     10
    ikelifetime: '24h'                  11
    salifetime: '24h'                   12

    The YAML file defines the following settings:

    1
    An IPsec connection name
    2
    An IPsec mode
    3
    The value 99 means that libreswan creates an IPsec xfrm virtual interface ipsec<number> and automatically finds the next available number
    4
    A static IPv4 address of public network interface for a local host
    5
    On a local host, the value of %fromcert sets the ID to a Distinguished Name (DN) which is fetched from a loaded certificate
    6
    A Distinguished Name (DN) of a local host’s public key
    7
    A static IPv4 address of public network interface for a remote host
    8
    The subnet mask of a static IPv4 address of a local host
    9
    On a remote host, the value of %fromcert sets the ID to a Distinguished Name (DN) which is fetched from a loaded certificate
    10
    The value to accept and receive only the Internet Key Exchange (IKEv2) protocol
    11
    The duration of IKE protocol
    12
    The duration of IPsec security association (SA)

  7. Apply the settings to the system: 

    # nmstatectl apply ~/create-p2p-transport-authentication.yml

Verification

  1. Verify IPsec status: 

    # ip xfrm status

  2. Verify IPsec policies: 

    # ip xfrm policy

Additional resources

  • ipsec.conf(5) man page