IKEv2 with Libreswan
IKEv2 is defined by the Internet Engineering Task Force standard RFC 7296. It uses fixed port numbers. It is therefore easily blocked by censors. Nevertheless, it may work in some countries.
This article shows you how to create an IKEv2 server using Libreswan on CentOS 8. Note that CentOS 8 reaches end-of-life on December 31, 2021.
In the examples we give, the client is at IP address xx.xx.xx.xx, and the server is at IP address yy.yy.yy.yy. Wherever you see these
values in the examples, you will need to change them to match your actual IP addresses. If you do not know your workstation’s IP address, you can determine it by
opening a browser and visiting IPchicken.com.
We will also give instructions for the example of a Windows client device.
1. Server
1.1. Install and Configure Firewall
We begin by installing a firewall and configuring it to accept packets using AH protocol and ESP protocol, plus 500/udp and 4500/udp, which will be used with clients behind Network Address Translation. We also masquerade outgoing IP addresses. Issue the commands that follow:
yum update -y
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-service=ipsec
firewall-cmd --add-masquerade
firewall-cmd --runtime-to-permanent
For better security, restrict port 22 access to trusted IP addresses only. For example, if you always log in from IP address xx.xx.xx.xx, make that the
only IP address that will be trusted for SSH access:
firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-source=xx.xx.xx.xx/32
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=cockpit
firewall-cmd --runtime-to-permanent
1.2. Allow Forwarding
Now enable packet forwarding in the Linux kernel. Create a new configuration file in /usr/lib/sysctl.d:
vi /usr/lib/sysctl.d/40-ipv4-forward.conf
Insert a single line:
net.ipv4.ip_forward=1
Save the file. Make this change effective immediately.:
sysctl -p /usr/lib/sysctl.d/40-ipv4-forward.conf
1.3. Install Packages
Install LibreSwan by entering the command:
yum install libreswan -y
1.4. Initialize Public Key Infrastructure
Create fresh Network Security Services databases by entering the command:
ipsec initnss
The databases cert9.db and key4.db are created in the directory /etc/ipsec.d.
1.5. Create Certificate Authority Certificate
We will create a self-signed Certificate Authority (CA) certificate with a CA basic constraints extension. Issue the certutil command that follows,
replacing Example CA and Example with your own choices for values:
certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 120 -d sql:/etc/ipsec.d -t "CT,," -2
When prompted, generate randomness by typing on your keyboard at irregular intervals. Continue typing until the progress bar gets to the end. Then you are prompted to press Enter.
When asked if this is a CA certificate, put y for yes. When asked for a path length constraint, press Enter. When asked if this is a
critical extension, put n for no.
If you want to check that your new certificate is in the database, issue the command:
certutil -L -d sql:/etc/ipsec.d
1.6. Create Server Certificate
Generate the server certificate with appropriate as follows. Issue the certutil command, replacing Example CA and Example
with your own choices for values. Also replace yy.yy.yy.yy by your server’s actual IP address.
certutil -S -c "Example CA" -n "yy.yy.yy.yy" -s "O=Example,CN=yy.yy.yy.yy" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "yy.yy.yy.yy"
Again, a random seed must be generated for the creation of your key. Do some random typing until the process meter is full. Then you are prompted to press Enter.
When you are asked about the usage, enter 0 for digital signature, then 2 for key encipherment, then anything else to end. When asked if
this is a critical extension, enter n for no.
When you are asked about the extended key usage, enter 0 for server authentication, 1 for client authentication, then anything else to
end. When asked if this is a critical extension, enter n for no.
Again, if you want to check that your server certificate is also in the database, issue the command:
certutil -L -d sql:/etc/ipsec.d
1.7. Create Client Certificate
Generate the client certificate, similar to the way you generated the server certificate. In the following example, replace Example CA,
win10, example.com, and Example by your own values:
certutil -S -c "Example CA" -n "win10.example.com" -s "O=Example,CN=win10.example.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8
"win10.example.com"
Again, a random seed must be generated that will be used in the creation of your key. Do some random typing until the bar reaches the end. Then press Enter.
When you are asked about the usage, enter 0 for digital signature, then 2 for key encipherment, then anything else to end. When asked if
this is a critical extension, enter n for no.
When you are asked about the extended key usage, enter 0 for server authentication, 1 for client authentication, then anything else to
end. When asked if this is a critical extension, enter n for no.
Repeat this process if you have multiple clients, giving each one a different name instead of the win10 we put in our examples.
If you want to see all the certificates you have put in the database, issue the command:
certutil -L -d sql:/etc/ipsec.d
1.8. Configure Libreswan
Create a new file for IKEv2 connections with machine certificate authenticaton:
vi /etc/ipsec.d/ikev2-machine.conf
Insert a configuration like this. Replace yy.yy.yy.yy by your server’s IP address. Also replace any other values, for example the virtual IP address
pool or the DNS servers.
conn ikev2-machine
left=yy.yy.yy.yy
leftcert=yy.yy.yy.yy
leftid=@yy.yy.yy.yy
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
right=%any
rightaddresspool=10.0.8.64-10.0.8.127
rightca=%same
rightrsasigkey=%cert
modecfgdns="8.8.8.8,8.8.4.4"
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
fragmentation=yes
Save the file.
1.9. Start Libreswan
Start Libreswan after every reboot, and also start it now:
systemctl enable ipsec
systemctl start ipsec
1.10. Check Libreswan
Check that Libreswan is active and running:
systemctl status ipsec
1.11. Create Client P12 File
Many types of client prefer a P12 file over separate certificate and key files. A P12 file follows the Public Key Cryptography Standard #12 format, and include keys and certificates in one file.
Create a P12 file like this. Replace win10 and example.com by your choices:
pk12util -n "win10.example.com" -d sql:/etc/ipsec.d -o ~/win10.p12
For higher security, protect the P12 file with a password when prompted. Anyone importing the P12 file into a client device will need to know this password.
Your work on the server side of things is done now, so exit your SSH session with the server:
exit
1.12. Securely Download Certificates
The easiest way to securely download certificates to your device(s) is to first download them to a workstation on your LAN, where they will be behind a firewall, then transfer them from the workstation to your final clients.
To download to a Linux workstation, go to your workstation and use the scp command. For example:
scp root@yy.yy.yy.yy:win10.p12 ~/Downloads/win10.p12
To download to a Windows workstation, you can use the pscp.exe command that comes with PuTTY. Here is a sample command that you would enter into a Windows Command
Prompt:
"C:\Program Files\PuTTY\pscp.exe" root@yy.yy.yy.yy:win10.p12 Downloads\win10.p12
For onward transfer to mobile devices, it is often convenient to create a secure website that presents the certificate to the final client.
2. Windows Client
2.1. Import Certificates
Use the Microsoft Management Console to import certificates from the P12 file. Press the Win+r keys, type mmc, then
press Enter. Do File, Add/Remove Snap-in, then choose Certificates. You must select
Computer Account. Import the P12 file into Personal. You will need to key in the password for the P12 file when you import it.
After import, but still in the Microsoft Management Console, cut the CA certificate (Example CA in our example), and paste it into Trusted Root
Certification Authorities.
2.2. Add VPN Connection
Add the new VPN connection in Settings > Network & Internet > VPN. The VPN provider is Windows
(built-in). The Connection name is (for example) win10. The Server name or address in our example is yy.yy.yy.yy. The VPN type is
IKEv2. The Type of sign-in info is Certificate.
2.3. Set Authentication Method to Machine Certificate
Once you have added the new connection, check that the authentication method is set to machine certificate. For example, if you named the connection
win10, then open PowerShell and issue the command:
Get-VpnConnection -Name "win10"
If necessary, set the authentication method to machine certificate:
Set-VpnConnection -Name "win10" -AuthenticationMethod "MachineCertificate"
2.4. Enable MODP2048 in Registry
Now edit the registry to allow use of modp2048. Press the Win+r keys, type regedit, then press
Enter. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services >
Rasman > Parameters. Insert a new DWORD (32-bit value). The name is NegotiateDH2048_AES256. The value is 1,
which means enable AES-256-CBC and MODP-2048.
2.5. Route Traffic through VPN
Route all traffic through your VPN connection as follows. Open the Control Panel > Network and Internet > Network and Sharing Center. Click Change adapter settings. Select your IKEv2 interface. Right-click, and select Properties. Go to the Networking tab. Select the row for Internet Protocol Version 4 (TCP/IPv4). Click Properties. Click Advanced. Check the box for Use default gateway on remote network.
2.6. Connect
Now you can connect your client to your server from Settings > Network & Internet > VPN.
3. Get Help and Report Issues
For your client device in general, seek support through the normal channels for that device. For Libreswan in particular, support arrangements are listed in the Libreswan wiki.
Updated 2021-06-17