IKEv2 with Libreswan
IKEv2 is defined by the Internet Engineering Task Force standard RFC 7296. It uses fixed port numbers. It is therefore easily blocked by censors. Nevertheless, it may work in some countries.
This article shows you how to create an IKEv2 server using Libreswan on CentOS 8. Note that CentOS 8 reaches end-of-life on December 31, 2021.
In the examples we give, the client is at IP address xx.xx.xx.xx
, and the server is at IP address yy.yy.yy.yy
. Wherever you see these values in the examples, you will need to change them to match your actual IP addresses. If you do not know your workstation’s IP address, you can determine it by opening a browser and visiting IPchicken.com.
We will also give instructions for the example of a Windows client device.
1. Server
1.1. Install and Configure Firewall
We begin by installing a firewall and configuring it to accept packets using AH protocol and ESP protocol, plus 500/udp and 4500/udp, which will be used with clients behind Network Address Translation. We also masquerade outgoing IP addresses. Issue the commands that follow:
yum update -y
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-service=ipsec
firewall-cmd --add-masquerade
firewall-cmd --runtime-to-permanent
For better security, restrict port 22 access to trusted IP addresses only. For example, if you always log in from IP address xx.xx.xx.xx
, make that the only IP address that will be trusted for SSH access:
firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-source=xx.xx.xx.xx/32
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=cockpit
firewall-cmd --runtime-to-permanent
1.2. Allow Forwarding
Now enable packet forwarding in the Linux kernel. Create a new configuration file in /usr/lib/sysctl.d
:
vi /usr/lib/sysctl.d/40-ipv4-forward.conf
Insert a single line:
net.ipv4.ip_forward=1
Save the file. Make this change effective immediately.:
sysctl -p /usr/lib/sysctl.d/40-ipv4-forward.conf
1.3. Install Packages
Install LibreSwan by entering the command:
yum install libreswan -y
1.4. Initialize Public Key Infrastructure
Create fresh Network Security Services databases by entering the command:
ipsec initnss
The databases cert9.db
and key4.db
are created in the directory /etc/ipsec.d
.
1.5. Create Certificate Authority Certificate
We will create a self-signed Certificate Authority (CA) certificate with a CA basic constraints extension. Issue the certutil
command that follows, replacing Example CA
and Example
with your own choices for values:
certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 120 -d sql:/etc/ipsec.d -t "CT,," -2
When prompted, generate randomness by typing on your keyboard at irregular intervals. Continue typing until the progress bar gets to the end. Then you are prompted to press Enter.
When asked if this is a CA certificate, put y
for yes. When asked for a path length constraint, press Enter. When asked if this is a critical extension, put n
for no.
If you want to check that your new certificate is in the database, issue the command:
certutil -L -d sql:/etc/ipsec.d
1.6. Create Server Certificate
Generate the server certificate with appropriate as follows. Issue the certutil
command, replacing Example CA
and Example
with your own choices for values. Also replace yy.yy.yy.yy
by your server’s actual IP address.
certutil -S -c "Example CA" -n "yy.yy.yy.yy" -s "O=Example,CN=yy.yy.yy.yy" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "yy.yy.yy.yy"
Again, a random seed must be generated for the creation of your key. Do some random typing until the process meter is full. Then you are prompted to press Enter.
When you are asked about the usage, enter 0
for digital signature, then 2
for key encipherment, then anything else to end. When asked if this is a critical extension, enter n
for no.
When you are asked about the extended key usage, enter 0
for server authentication, 1
for client authentication, then anything else to end. When asked if this is a critical extension, enter n
for no.
Again, if you want to check that your server certificate is also in the database, issue the command:
certutil -L -d sql:/etc/ipsec.d
1.7. Create Client Certificate
Generate the client certificate, similar to the way you generated the server certificate. In the following example, replace Example CA
, win10
, example.com
, and Example
by your own values:
certutil -S -c "Example CA" -n "win10.example.com" -s "O=Example,CN=win10.example.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "win10.example.com"
Again, a random seed must be generated that will be used in the creation of your key. Do some random typing until the bar reaches the end. Then press Enter.
When you are asked about the usage, enter 0
for digital signature, then 2
for key encipherment, then anything else to end. When asked if this is a critical extension, enter n
for no.
When you are asked about the extended key usage, enter 0
for server authentication, 1
for client authentication, then anything else to end. When asked if this is a critical extension, enter n
for no.
Repeat this process if you have multiple clients, giving each one a different name instead of the win10
we put in our examples.
If you want to see all the certificates you have put in the database, issue the command:
certutil -L -d sql:/etc/ipsec.d
1.8. Configure Libreswan
Create a new file for IKEv2 connections with machine certificate authenticaton:
vi /etc/ipsec.d/ikev2-machine.conf
Insert a configuration like this. Replace yy.yy.yy.yy
by your server’s IP address. Also replace any other values, for example the virtual IP address pool or the DNS servers.
conn ikev2-machine left=yy.yy.yy.yy leftcert=yy.yy.yy.yy [email protected] leftsendcert=always leftsubnet=0.0.0.0/0 leftrsasigkey=%cert right=%any rightaddresspool=10.0.8.64-10.0.8.127 rightca=%same rightrsasigkey=%cert modecfgdns="8.8.8.8,8.8.4.4" narrowing=yes dpddelay=30 dpdtimeout=120 dpdaction=clear auto=add ikev2=insist rekey=no fragmentation=yes
Save the file.
1.9. Start Libreswan
Start Libreswan after every reboot, and also start it now:
systemctl enable ipsec
systemctl start ipsec
1.10. Check Libreswan
Check that Libreswan is active and running:
systemctl status ipsec
1.11. Create Client P12 File
Many types of client prefer a P12 file over separate certificate and key files. A P12 file follows the Public Key Cryptography Standard #12 format, and include keys and certificates in one file.
Create a P12 file like this. Replace win10
and example.com
by your choices:
pk12util -n "win10.example.com" -d sql:/etc/ipsec.d -o ~/win10.p12
For higher security, protect the P12 file with a password when prompted. Anyone importing the P12 file into a client device will need to know this password.
Your work on the server side of things is done now, so exit your SSH session with the server:
exit
1.12. Securely Download Certificates
The easiest way to securely download certificates to your device(s) is to first download them to a workstation on your LAN, where they will be behind a firewall, then transfer them from the workstation to your final clients.
To download to a Linux workstation, go to your workstation and use the scp
command. For example:
scp [email protected]:win10.p12 ~/Downloads/win10.p12
To download to a Windows workstation, you can use the pscp.exe
command that comes with PuTTY. Here is a sample command that you would enter into a Windows Command Prompt:
"C:\Program Files\PuTTY\pscp.exe" [email protected]:win10.p12 Downloads\win10.p12
For onward transfer to mobile devices, it is often convenient to create a secure website that presents the certificate to the final client.
2. Windows Client
2.1. Import Certificates
Use the Microsoft Management Console to import certificates from the P12 file. Press the Win+r keys, type mmc
, then press Enter. Do File, Add/Remove Snap-in, then choose Certificates. You must select Computer Account. Import the P12 file into Personal. You will need to key in the password for the P12 file when you import it.
After import, but still in the Microsoft Management Console, cut the CA certificate (Example CA
in our example), and paste it into Trusted Root Certification Authorities.
2.2. Add VPN Connection
Add the new VPN connection in Settings > Network & Internet > VPN. The VPN provider is Windows (built-in). The Connection name is (for example) win10
. The Server name or address in our example is yy.yy.yy.yy
. The VPN type is IKEv2. The Type of sign-in info is Certificate.
2.3. Set Authentication Method to Machine Certificate
Once you have added the new connection, check that the authentication method is set to machine certificate. For example, if you named the connection win10
, then open PowerShell and issue the command:
Get-VpnConnection -Name "win10"
If necessary, set the authentication method to machine certificate:
Set-VpnConnection -Name "win10" -AuthenticationMethod "MachineCertificate"
2.4. Enable MODP2048 in Registry
Now edit the registry to allow use of modp2048
. Press the Win+r keys, type regedit
, then press Enter. Navigate to HKEY_LOCAL_MACHINE
> SYSTEM
> CurrentControlSet
> Services
> Rasman
> Parameters
. Insert a new DWORD (32-bit value). The name is NegotiateDH2048_AES256
. The value is 1
, which means enable AES-256-CBC and MODP-2048.
2.5. Route Traffic through VPN
Route all traffic through your VPN connection as follows. Open the Control Panel > Network and Internet > Network and Sharing Center. Click Change adapter settings. Select your IKEv2 interface. Right-click, and select Properties. Go to the Networking tab. Select the row for Internet Protocol Version 4 (TCP/IPv4). Click Properties. Click Advanced. Check the box for Use default gateway on remote network.
2.6. Connect
Now you can connect your client to your server from Settings > Network & Internet > VPN.
3. Get Help and Report Issues
For your client device in general, seek support through the normal channels for that device. For Libreswan in particular, support arrangements are listed in the Libreswan wiki.
Updated 2021-06-17