Install Libreswan
Before beginning, make sure packet forwarding is enabled on the Linux distribution.
To download the latest source code of Libreswan, visit the Libreswan Downloads page.
Run the following commands as root:
CODE
yum -y updateyum -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc makeyum install wget
Install Libreswan:
CODE
yum install libreswan
Start the IPsec service and enable the service to be started:
CODE
systemctl enable ipsec
Configure the firewall to allow 500 and 4500/UDP ports for the IKE, ESP, and AH protocols by adding the IPsec service:
CODE
#firewall-cmd --add-service="ipsec"# firewall-cmd --runtime-to-permanent
Initialize the NSS Database
After a new installation of Libreswan, the NSS database should be initialized as part of the installation process. Before you start a new database, remove the old database.
Use the following commands to remove the old database:
CODE
~]# systemctl stop ipsec
CODE
~]# rm /etc/ipsec.d/*db
Enable IPsec:
CODE
systemctl enable ipsec
Libreswan requires the firewall to allow the following packets: UDP port 500 and 4500 for the Internet Key Exchange (IKE) protocol. Protocol 50 for Encapsulated Security Payload (ESP) IPsec packets. Protocol 51 for Authenticated Header (AH) IPsec packets (uncommon).
Check IPsec status:
Initialize the new NSS database, run the following command as root:
CODE
~]# ipsec initnss
Create Host-to-Host VPN
- Go to the/etc/ipsec.d/ directory and create a new my_host-to-host.conf file.
Edit the file, and enter all the details shown below:
It is mandatory to maintain the gap of one tab between conn mytunnel and auto=start.
CODE
conn mytunnel auto=start keyexchange=ike phase2=esp pfs=no type=tunnel authby=secret leftid=(Domain name/ip of linux machine) left=(ip address of linux machine) right=(ip address of Windows machine) rightid=(Domain name of Windows machine)
For example, see the screenshot below:
Setting Value Connection name mytunnel leftid 10.1.0.127 (Linux machine) right 10.1.22.59 (Windows machine)
rightid Rinkitest.QA.schq.secious.com (FQDN domain name of Windows machine) Go to the /etc folder, and make the following edits in the ipsec.secrets file:
CODE
(ip adddress of linux machine)<space>( ip address of windows machine)<space> : <space>PSK<space>"Shared key which we passed for Windows machine"
Start the IPsec service:
CODE
systemctl start ipsec
Verify the tunnel is up and running:
CODE
ipsec auto --add mytunnel
If you receive any error message after running the above command, you have entered the incorrect values in either your host-to-host.conf file or your ipsec.secrets file. You will need to go back and enter the correct values.
Restart the IPsec service:
CODE
systemctl restart ipsec
You have completed configuring IPsec between Windows and Linux machines.
- You can verify that traffic is coming in properly and is encrypted by using Wireshark: