IKEv2 with Libreswan

IKEv2 is defined by the Internet Engineering Task Force standard RFC 7296. It uses fixed port numbers. It is therefore easily blocked by censors. Nevertheless, it may work in some countries.

This article shows you how to create an IKEv2 server using Libreswan on CentOS 8. In the examples we give, the client is at IP address xx.xx.xx.xx, and the server is at IP address yy.yy.yy.yy. Wherever you see these values in the examples, you will need to change them to match your actual IP addresses. If you do not know your workstation’s IP address, you can determine it by opening a browser and visiting IPchicken.com.

We will also give instructions for the example of a Windows client device.

1. Server

1.1. Install and Configure Firewall

We begin by installing a firewall and configuring it to accept packets using AH protocol and ESP protocol, plus 500/udp and 4500/udp, which will be used with clients behind Network Address Translation. We also masquerade outgoing IP addresses. Issue the commands that follow:

yum update -y
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-service=ipsec
firewall-cmd --add-masquerade
firewall-cmd --runtime-to-permanent

For better security, restrict port 22 access to trusted IP addresses only. For example, if you always log in from IP address xx.xx.xx.xx, make that the only IP address that will be trusted for SSH access:

firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-source=xx.xx.xx.xx/32
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=cockpit
firewall-cmd --runtime-to-permanent

1.2. Allow Forwarding

Now enable packet forwarding in the Linux kernel. Create a new configuration file in /usr/lib/sysctl.d:

vi /usr/lib/sysctl.d/40-ipv4-forward.conf

Insert a single line:

net.ipv4.ip_forward=1

Save the file. Make this change effective immediately.:

sysctl -p /usr/lib/sysctl.d/40-ipv4-forward.conf

1.3. Install Packages

Install LibreSwan by entering the command:

yum install libreswan -y

1.4. Initialize Public Key Infrastructure

Create fresh Network Security Services databases by entering the command:

ipsec initnss

The databases cert9.db and key4.db are created in the directory /etc/ipsec.d.

1.5. Create Certificate Authority Certificate

We will create a self-signed Certificate Authority (CA) certificate with a CA basic constraints extension. Issue the certutil command that follows, replacing Example CA and Example with your own choices for values:

certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 120 -d sql:/etc/ipsec.d -t "CT,," -2

When prompted, generate randomness by typing on your keyboard at irregular intervals. Continue typing until the progress bar gets to the end. Then you are prompted to press Enter.

When asked if this is a CA certificate, put y for yes. When asked for a path length constraint, press Enter. When asked if this is a critical extension, put n for no.

If you want to check that your new certificate is in the database, issue the command:

certutil -L -d sql:/etc/ipsec.d

1.6. Create Server Certificate

Generate the server certificate with appropriate as follows. Issue the certutil command, replacing Example CA and Example with your own choices for values. Also replace yy.yy.yy.yy by your server’s actual IP address.

certutil -S -c "Example CA" -n "yy.yy.yy.yy" -s "O=Example,CN=yy.yy.yy.yy" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "yy.yy.yy.yy"

Again, a random seed must be generated for the creation of your key. Do some random typing until the process meter is full. Then you are prompted to press Enter.

When you are asked about the usage, enter 0 for digital signature, then 2 for key encipherment, then anything else to end. When asked if this is a critical extension, enter n for no.

When you are asked about the extended key usage, enter 0 for server authentication, 1 for client authentication, then anything else to end. When asked if this is a critical extension, enter n for no.

Again, if you want to check that your server certificate is also in the database, issue the command:

certutil -L -d sql:/etc/ipsec.d

1.7. Create Client Certificate

Generate the client certificate, similar to the way you generated the server certificate. In the following example, replace Example CA, win10, example.com, and Example by your own values:

certutil -S -c "Example CA" -n "win10.example.com" -s "O=Example,CN=win10.example.com" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "win10.example.com"

Again, a random seed must be generated that will be used in the creation of your key. Do some random typing until the bar reaches the end. Then press Enter.

When you are asked about the usage, enter 0 for digital signature, then 2 for key encipherment, then anything else to end. When asked if this is a critical extension, enter n for no.

When you are asked about the extended key usage, enter 0 for server authentication, 1 for client authentication, then anything else to end. When asked if this is a critical extension, enter n for no.

Repeat this process if you have multiple clients, giving each one a different name instead of the win10 we put in our examples.

If you want to see all the certificates you have put in the database, issue the command:

certutil -L -d sql:/etc/ipsec.d

1.8. Configure Libreswan

Create a new file for IKEv2 connections with machine certificate authenticaton:

vi /etc/ipsec.d/ikev2-machine.conf

Insert a configuration like this. Replace yy.yy.yy.yy by your server’s IP address. Also replace any other values, for example the virtual IP address pool or the DNS servers.

conn ikev2-machine
    left=yy.yy.yy.yy
    leftcert=yy.yy.yy.yy
    leftid=@yy.yy.yy.yy
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=10.0.8.64-10.0.8.127
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns="8.8.8.8,8.8.4.4"
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes

Save the file.

1.9. Start Libreswan

Start Libreswan after every reboot, and also start it now:

systemctl enable ipsec
systemctl start ipsec

1.10. Check Libreswan

Check that Libreswan is active and running:

systemctl status ipsec

1.11. Create Client P12 File

Many types of client prefer a P12 file over separate certificate and key files. A P12 file follows the Public Key Cryptography Standard #12 format, and include keys and certificates in one file.

Create a P12 file like this. Replace win10 and example.com by your choices:

pk12util -n "win10.example.com" -d sql:/etc/ipsec.d -o ~/win10.p12

For higher security, protect the P12 file with a password when prompted. Anyone importing the P12 file into a client device will need to know this password.

Your work on the server side of things is done now, so exit your SSH session with the server:

exit

1.12. Securely Download Certificates

The easiest way to securely download certificates to your device(s) is to first download them to a workstation on your LAN, where they will be behind a firewall, then transfer them from the workstation to your final clients.

To download to a Linux workstation, go to your workstation and use the scp command. For example:

scp root@yy.yy.yy.yy:win10.p12 ~/Downloads/win10.p12

To download to a Windows workstation, you can use the pscp.exe command that comes with PuTTY. Here is a sample command that you would enter into a Windows Command Prompt:

"C:\Program Files\PuTTY\pscp.exe" root@yy.yy.yy.yy:win10.p12 Downloads\win10.p12

For onward transfer to mobile devices, it is often convenient to create a secure website that presents the certificate to the final client.

2. Windows Client

2.1. Import Certificates

Use the Microsoft Management Console to import certificates from the P12 file. Press the Win+r keys, type mmc, then press Enter. Do File, Add/Remove Snap-in, then choose Certificates. You must select Computer Account. Import the P12 file into Personal. You will need to key in the password for the P12 file when you import it.

After import, but still in the Microsoft Management Console, cut the CA certificate (Example CA in our example), and paste it into Trusted Root Certification Authorities.

2.2. Add VPN Connection

Add the new VPN connection in Settings > Network & Internet > VPN. The VPN provider is Windows (built-in). The Connection name is (for example) win10. The Server name or address in our example is yy.yy.yy.yy. The VPN type is IKEv2. The Type of sign-in info is Certificate.

2.3. Set Authentication Method to Machine Certificate

Once you have added the new connection, check that the authentication method is set to machine certificate. For example, if you named the connection win10, then open PowerShell and issue the command:

Get-VpnConnection -Name "win10"

If necessary, set the authentication method to machine certificate:

Set-VpnConnection -Name "win10" -AuthenticationMethod "MachineCertificate"

2.4. Enable MODP2048 in Registry

Now edit the registry to allow use of modp2048. Press the Win+r keys, type regedit, then press Enter. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Rasman > Parameters. Insert a new DWORD (32-bit value). The name is NegotiateDH2048_AES256. The value is 1, which means enable AES-256-CBC and MODP-2048.

2.5. Route Traffic through VPN

Route all traffic through your VPN connection as follows. Open the Control Panel > Network and Internet > Network and Sharing Center. Click Change adapter settings. Select your IKEv2 interface. Right-click, and select Properties. Go to the Networking tab. Select the row for Internet Protocol Version 4 (TCP/IPv4). Click Properties. Click Advanced. Check the box for Use default gateway on remote network.

2.6. Connect

Now you can connect your client to your server from Settings > Network & Internet > VPN.

3. Get Help and Report Issues

For your client device in general, seek support through the normal channels for that device. For Libreswan in particular, support arrangements are listed in the Libreswan wiki.