How to Configure IPsec VPN Using Libreswan

The purpose of an IPsec-based VPN is to encrypt traffic at the network layer of the OSI model so that an attacker cannot eavesdrop on the path between the client and the VPN server. Our previous articles covered strongSwan, which also provides IPsec protocol functionality on Windows, Linux and Mac OS. LibreSwan and OpenSwan are further tools for the same purpose. In this tutorial the focus is LibreSwan, another implementation of the IPsec protocol for Unix/Linux environments. LibreSwan is a fork of the OpenSwan IPsec project and is available on Red Hat based Linux distributions.

In this tutorial, LibreSwan is compiled from source on Ubuntu 16.04 LTS. Instructions for compiling LibreSwan on other Linux distributions are given in the project's README file. The following snapshot shows the required packages, the features to enable or disable, and the commands for installing LibreSwan.

[Screenshot: packages for libreswan compilation]

After LibreSwan is installed, the VPN is configured in gateway-to-gateway mode to encrypt the traffic. Further examples of LibreSwan configuration are given on the project website.

How to Install Libreswan

It is assumed that packet forwarding is enabled on the Linux distribution. The following packages are required to compile LibreSwan on Ubuntu 16.04 LTS.

apt-get -y update
apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make

The latest source code of LibreSwan can be downloaded from the project website. The compressed file is extracted with the following command.

tar -xzf libreswan-3.19.tar.gz

Now run the "make" command to get the instructions for building LibreSwan.

[Screenshot: make command for build process]

So, run "make all" to build LibreSwan on the Ubuntu VM. This command fails with the following error: the unbound header file is not found.

fatal error: unbound.h: No such file or directory

Therefore a few more packages are required for LibreSwan. The following command installs the unbound development library.

apt-get install libunbound-dev

Another error, caused by the missing libevent headers, occurs during the compilation of LibreSwan.

fatal error: event.h: No such file or directory

Run the following command to install the libevent package.

apt-get install libevent-dev

The build then stops with another error, this time because the systemd development package is missing on the Ubuntu platform.

fatal error: systemd/sd-daemon.h: No such file or directory

The installation of the required package is shown below.

apt-get install libsystemd-dev

Finally, run "make all" again to compile LibreSwan, followed by "make install" to install it.

make all
make install

These commands install LibreSwan on the system. However, the following error occurred when running the "ipsec start" command.

/usr/local/sbin/ipsec: certutil: Not found

The following commands gave the same error, shown below.

ipsec setup start
ipsec initnss

*(certutil from the NSS tools is required to generate the required keys)

/usr/local/sbin/ipsec: certutil: Not found

The missing certutil binary is provided by the libnss3-tools package.

apt-get install libnss3-tools

The following command initializes the NSS crypto database, which LibreSwan requires for its keys and certificates.

ipsec initnss

[Screenshot: configuring nss crypto library]

Finally, the ipsec service starts successfully, as shown below.

ipsec setup start

[Screenshot: command to start libreswan ipsec service]

After LibreSwan is installed, the next step is to configure the VPN settings on both VMs. In this example, a PSK-based tunnel is set up to secure gateway-to-gateway traffic.

Side A - ipsec.conf Configuration File

cat /etc/ipsec.conf
config setup
    protostack=netkey

conn vpn
    left=192.168.15.50
    leftsubnet=10.12.50.0/24
    right=192.168.15.5
    rightsubnet=10.12.5.0/24
    authby=secret
    pfs=yes
    rekey=yes
    keyingtries=3
    type=tunnel
    auto=start
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048

ipsec.secrets

192.168.15.50 192.168.15.5: PSK "12345678asdfghjk1qwe3wqA"

Side B - ipsec.conf Configuration File

cat /etc/ipsec.conf
config setup
    protostack=netkey

conn vpn
    left=192.168.15.50
    leftsubnet=10.12.50.0/24
    right=192.168.15.5
    rightsubnet=10.12.5.0/24
    authby=secret
    pfs=yes
    rekey=yes
    keyingtries=3
    type=tunnel
    auto=start
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048

ipsec.secrets

192.168.15.5 192.168.15.50: PSK "12345678asdfghjk1qwe3wqA"

The PSK must be identical on both gateways, and /etc/ipsec.secrets should be readable only by root. After setting up the above configuration, run the following command on both sides; the IPsec negotiation then starts.

ipsec restart

Side A:

[Screenshot: status of command on A side]

Side B:

[Screenshot: status of ipsec command on side B]

The status of the IPsec VPN can also be checked with the following command.

setkey -D

[Screenshot: setkey output of ipsec vpn]

The above snapshot shows 4 SAs (security associations) established between the VMs, and the state of the tunnel is "mature".
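Checking the SA state by eye does not scale once the tunnel has rekeyed a few times, so the following POSIX shell script, an added example that is not part of the original tutorial, summarizes "setkey -D" output into one line per SA and flags any SA that is not "mature". Real "setkey -D" output also prints the raw ESP keys on its E: and A: lines, so it should be treated as sensitive; the constructed sample below (SAMPLE, with made-up SPIs) omits those lines.

```shell
#!/bin/sh
# Added example, not from the original tutorial: turn `setkey -D` output into
# one line per SA and flag any SA whose state is not "mature". SAMPLE is a
# constructed excerpt in the ipsec-tools layout (indentation may be tabs or
# spaces); the E:/A: lines carrying the raw key material are left out on purpose.

SAMPLE='192.168.15.50 192.168.15.5
    esp mode=tunnel spi=3612477000(0xd7520648) reqid=16385(0x00004001)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
192.168.15.5 192.168.15.50
    esp mode=tunnel spi=2198683677(0x830d401d) reqid=16385(0x00004001)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
192.168.15.50 192.168.15.5
    esp mode=tunnel spi=1100259483(0x4194a09b) reqid=16385(0x00004001)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
192.168.15.5 192.168.15.50
    esp mode=tunnel spi=3921720985(0xe9c0b699) reqid=16385(0x00004001)
    seq=0x00000000 replay=32 flags=0x00000000 state=dying'

# Print "src dst proto spi state" for every SA in the given setkey -D text.
summarize_sas() {
    printf '%s\n' "$1" | awk '
        /^[0-9]/ { src = $1; dst = $2 }           # SA header line: "src dst"
        $1 == "esp" || $1 == "ah" {               # protocol line carrying the SPI
            proto = $1; spi = $3
            sub(/^spi=/, "", spi); sub(/\(.*/, "", spi)
        }
        /state=/ {                                # state line closes the record
            for (i = 1; i <= NF; i++) if ($i ~ /^state=/) state = substr($i, 7)
            print src, dst, proto, spi, state
        }'
}

# Number of SAs seen, to compare with what `ipsec status` reports.
count_sas() { summarize_sas "$1" | wc -l | tr -d ' '; }

# List SAs that are not "mature" (larval = still negotiating, dying/dead =
# expired or superseded after a rekey); returns 1 when any are present.
immature_sas() {
    out=$(summarize_sas "$1" | awk '$5 != "mature"')
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

summarize_sas "$SAMPLE"
immature_sas "$SAMPLE" || echo "warning: some SAs are not mature"
```

On a live gateway replace SAMPLE with the captured output, for example summarize_sas "$(setkey -D)"; an SA stuck in "larval" after "ipsec restart" usually means the peer never completed IKE (check the PSK and the ike/phase2alg lines on both sides).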

Conclusion

In this tutorial, another open source IPsec implementation, LibreSwan, was compiled and installed on an Ubuntu VM. It was then configured to establish a PSK-based gateway-to-gateway VPN between two VMs. It was also observed that the configuration of LibreSwan differs from that of strongSwan.

About shah

I have basic level experience in Open source tools.
