IPsec with Libreswan

On Android, this arrangement is called IPsec XAUTH PSK; on iOS, it is simply IPsec. Under the hood it is IKEv1 with one preshared key shared by all clients, plus an XAUTH username and password for each user. It uses fixed port numbers (UDP 500 and UDP 4500 for IKE and NAT traversal) and is therefore easily blocked by censors. Nevertheless, there may be situations where ease of use is your top priority: many client devices support this kind of IPsec out of the box, without the installation of additional software.

This article shows you how to create an IPsec server on CentOS 8. In the examples, your workstation is at IP address xx.xx.xx.xx, and the server is at IP address yy.yy.yy.yy. Wherever you see these values in the examples, you will need to change them to match your actual IP addresses. If you do not know your workstation’s IP address, you can determine it by opening a browser and visiting IPchicken.com.

We also give instructions for a sample mobile client. Mobile devices are easily tracked and strongly linked to an individual. Again, we assume in this scenario that ease-of-use is your main concern and that you are in a country where IPsec is not blocked.

1. Server

1.1. Install and Configure Firewall

We begin by installing firewalld and opening its ipsec service (UDP 500, UDP 4500, and the ESP and AH protocols). We also enable masquerading, so that traffic from VPN clients leaves the server under its own public IP address. Issue the commands that follow:

yum update -y
yum install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-service=ipsec
firewall-cmd --add-masquerade
firewall-cmd --runtime-to-permanent

For better security, restrict SSH (port 22) access to trusted IP addresses only. For example, if you always log in from IP address xx.xx.xx.xx, make that the only address allowed to reach SSH. Two cautions: firewalld's trusted zone accepts all traffic from the sources you add to it, not only SSH, and the order of the commands matters. Add the trusted source first and remove ssh from the public zone afterwards, or you will lock yourself out. Do this only from a fixed address, and keep your provider's console access as a fallback:

firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-source=xx.xx.xx.xx/32
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=cockpit
firewall-cmd --runtime-to-permanent

1.2. Allow Forwarding

Now enable packet forwarding in the Linux kernel. Create a new configuration file in /usr/lib/sysctl.d:

vi /usr/lib/sysctl.d/40-ipv4-forward.conf

Insert a single line:

net.ipv4.ip_forward=1

Save the file. Make this change effective immediately:

sysctl -p /usr/lib/sysctl.d/40-ipv4-forward.conf

Afterwards, sysctl net.ipv4.ip_forward should report 1. Note that /usr/lib/sysctl.d is where packages ship their defaults, and a file of the same name under /etc/sysctl.d takes precedence over it; /etc/sysctl.d is the conventional place for an administrator's own settings, and the file works equally well there.

1.3. Install Package

Install Libreswan from the repository:

yum install libreswan -y

1.4. Set Up Preshared Key

Create a secrets file for the preshared key. Libreswan's main /etc/ipsec.secrets ends with an include of /etc/ipsec.d/*.secrets, so any file with that suffix in that directory is read:

vi /etc/ipsec.d/psk.secrets

Insert a line with your preshared key. The %any selector means the key applies to every peer, so all clients share this one secret, and anyone who learns it can impersonate the server to them. We will use ArnieBooksCello as an example; it is far too short for real use. Generate a long random key instead (for example with openssl rand -base64 32) and make the file readable only by root (chmod 600):

%any: PSK "ArnieBooksCello"

Save the file.

1.5. Set Up Usernames and Passwords

Suppose we have three users, alice, bob, and carol. Their passwords are Apple123, Bravo456, and Caper789 respectively. These are demonstration values; real accounts deserve longer passwords, because once the shared key is known, the XAUTH password is all that distinguishes one user from another.

Compute a salted SHA-512 crypt hash (the $6$ format) of the first password. The salt is chosen at random, so each run prints a different string; any of them is valid:

openssl passwd -6 Apple123

The result looks like this (yours will differ, and the trailing dot is part of the hash):

$6$/X60NLa1wFgWDYIC$PYsPW.lsCALxSgRi0NmKcLVJPY.tPZwRZIs9OoYy3o/KimObc9GKkVfkpzhaA/jxM15eW.F6AcFqYdElsuJoO.

Compute the SHA512 hash of the second password:

openssl passwd -6 Bravo456

Again the result looks like this:

$6$U7Z3b.871AFnz6M8$lUB18T5gwQS/yPxjPqeNbUNCWpDsCHxmRNZy6dURpEc6cteX8NwBSB4HboNMTer/a642XadEv.T3ses8c33Y3/

Compute the SHA512 hash of the third password:

openssl passwd -6 Caper789

And the result looks like this:

$6$hbiPDOhJPoEBpAN2$IsKhAZvKLMuuICDafbkW5STmsBhC7HuWNZwmJ/l2z7CzcQbZNoie5i0ye5Lpusz43JEbhQR9.jR6In1yWyw1N0

Create a password file:

vi /etc/ipsec.d/passwd

Insert one line per user, in the form username:hash:connection-name. The third field must match the name of the conn the user is allowed to use; section 1.6 defines it as xauth-psk:

alice:$6$/X60NLa1wFgWDYIC$PYsPW.lsCALxSgRi0NmKcLVJPY.tPZwRZIs9OoYy3o/KimObc9GKkVfkpzhaA/jxM15eW.F6AcFqYdElsuJoO.:xauth-psk
bob:$6$U7Z3b.871AFnz6M8$lUB18T5gwQS/yPxjPqeNbUNCWpDsCHxmRNZy6dURpEc6cteX8NwBSB4HboNMTer/a642XadEv.T3ses8c33Y3/:xauth-psk
carol:$6$hbiPDOhJPoEBpAN2$IsKhAZvKLMuuICDafbkW5STmsBhC7HuWNZwmJ/l2z7CzcQbZNoie5i0ye5Lpusz43JEbhQR9.jR6In1yWyw1N0:xauth-psk

Save the file.
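The following script is added here as an example; it is not part of the original article or of Libreswan, and the function names are my own. It wraps the steps above: xauth_add appends a user with a freshly salted hash, xauth_check_format confirms that every line has the three-field form Libreswan expects, and xauth_verify checks a password against a stored entry by recomputing the hash with that entry's salt, which is a quick way to confirm you pasted the right hash before handing out credentials. It assumes openssl is installed and that the connection is named xauth-psk as in section 1.6.

```shell
#!/bin/sh
# Added example, not part of the original article or of Libreswan: helpers
# for the xauthby=file password file.  Each entry has the form
#     username:crypt-hash:connection-name
# and the connection name must match the conn in ipsec.conf (xauth-psk in
# this article).  Hashes come from "openssl passwd -6", the command the
# article uses, so openssl is assumed to be installed.

XAUTH_CONN=xauth-psk

# Print one passwd line for USER with a freshly salted SHA-512 crypt hash.
xauth_line() {  # usage: xauth_line USER PASSWORD
    printf '%s:%s:%s\n' "$1" "$(openssl passwd -6 "$2")" "$XAUTH_CONN"
}

# Append USER to FILE, refusing to create a second entry for the same name.
xauth_add() {  # usage: xauth_add FILE USER PASSWORD
    if [ -f "$1" ] && awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"; then
        echo "xauth_add: $2 already exists in $1" >&2
        return 1
    fi
    xauth_line "$2" "$3" >> "$1"
}

# Exit 0 if every entry in FILE has three fields, a well-formed $6$ hash and
# the expected connection name; print the offending lines otherwise.
xauth_check_format() {  # usage: xauth_check_format FILE
    awk -F: -v conn="$XAUTH_CONN" '
        {
            n = split($2, p, "[$]")   # p[2] = "6", p[3] = salt, p[4] = 86-char hash
            if (NF != 3 || $1 == "" || n != 4 || p[2] != "6" || p[3] == "" ||
                length(p[4]) != 86 || p[4] !~ "^[./0-9A-Za-z]+$" || $3 != conn) {
                print "bad entry at line " NR ": " $0
                bad = 1
            }
        }
        END { exit bad }' "$1"
}

# Verify PASSWORD against the entry for USER in FILE by recomputing the hash
# with the stored salt; exit 0 on a match.
xauth_verify() {  # usage: xauth_verify FILE USER PASSWORD
    stored=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1") || return 1
    [ -n "$stored" ] || return 1
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -6 -salt "$salt" "$3")" = "$stored" ]
}

# Constructed sample reproducing the article's three entries, for a dry run.
xauth_sample() {  # usage: xauth_sample FILE
    cat > "$1" <<'EOF'
alice:$6$/X60NLa1wFgWDYIC$PYsPW.lsCALxSgRi0NmKcLVJPY.tPZwRZIs9OoYy3o/KimObc9GKkVfkpzhaA/jxM15eW.F6AcFqYdElsuJoO.:xauth-psk
bob:$6$U7Z3b.871AFnz6M8$lUB18T5gwQS/yPxjPqeNbUNCWpDsCHxmRNZy6dURpEc6cteX8NwBSB4HboNMTer/a642XadEv.T3ses8c33Y3/:xauth-psk
carol:$6$hbiPDOhJPoEBpAN2$IsKhAZvKLMuuICDafbkW5STmsBhC7HuWNZwmJ/l2z7CzcQbZNoie5i0ye5Lpusz43JEbhQR9.jR6In1yWyw1N0:xauth-psk
EOF
}

# Dry run on a temporary copy; on the server use /etc/ipsec.d/passwd.
SAMPLE=$(mktemp)
xauth_sample "$SAMPLE"
xauth_check_format "$SAMPLE" && echo "sample passwd file is well-formed"
```

Source the file on the server and call, for example, xauth_add /etc/ipsec.d/passwd dave 'Delta012', then xauth_verify /etc/ipsec.d/passwd dave 'Delta012' before telling dave his password. The format check is deliberately strict about the 86-character hash length so that a truncated paste is caught here rather than at the first failed login.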

1.6. Configure Libreswan

Create a new file for IPsec connections with a preshared key. The main /etc/ipsec.conf ends with include /etc/ipsec.d/*.conf, so Libreswan reads this file automatically:

vi /etc/ipsec.d/ipsec.conf

Insert lines specifying a configuration like this:

config setup
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    uniqueids=no

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.0.8.64-10.0.8.127
    right=%any
    cisco-unity=yes
    modecfgdns=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha2_512,aes256-sha1,aes256-sha2_256,3des-sha1

Save the file.

A few of these settings deserve comment. uniqueids=no lets the same username be connected from several devices at once. modecfgdns=8.8.8.8 is the DNS server pushed to clients, so all their name lookups go to Google unless you change it. cisco-unity=yes and ike-frag=yes are there for compatibility with the stock Android and iOS clients. The ike= and esp= lists include 3DES, SHA-1 and the 1024-bit MODP group because the stock mobile clients of the day offer them and may offer nothing stronger; these are weak by current standards, so drop them as soon as all your clients connect without them. pfs=no likewise trades forward secrecy for compatibility.

1.7. Start Libreswan

Start Libreswan after every reboot, and also start it now:

systemctl enable ipsec
systemctl start ipsec

1.8. Check Libreswan

Check that Libreswan is active and running. If the service fails to start, ipsec addconn --checkconfig reports errors in the configuration and journalctl -u ipsec shows the log; once a client has connected, ipsec trafficstatus lists the active tunnels:

systemctl status ipsec
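As an added example, not taken from the article or from Libreswan, the following script cross-checks the files from sections 1.4 to 1.6 before any client connects: that every connection named in the passwd file is defined in ipsec.conf (Libreswan matches an entry by username and connection name, so a misspelled conn never authenticates), that the settings the XAUTH server role relies on are present, that a PSK is defined and not world-readable, and which legacy proposals the configuration still offers. It assumes all three files live in one directory (/etc/ipsec.d on the server); the function names are my own, and the sample directory it builds is constructed from the article's own configuration, with one deliberately misspelled connection name.

```shell
#!/bin/sh
# Added example, not part of the original article or of Libreswan: a
# pre-flight check over the three files created in sections 1.4 to 1.6
# (psk.secrets, passwd and ipsec.conf, kept in one directory as in the
# article).  It reports the mismatches that otherwise surface only as
# failed logins.  Firewall and forwarding checks are left to firewall-cmd
# and sysctl.

# Every connection name in the passwd file's third field must be a conn
# defined in ipsec.conf: Libreswan matches the entry by username and
# connection name, so a misspelled conn never authenticates.
check_conn_names() {  # usage: check_conn_names DIR
    awk 'FNR == NR { if ($1 == "conn") defined[$2] = 1; next }
         NF == 3 && !($3 in defined) { print "passwd line " FNR ": no conn named " $3; bad = 1 }
         END { exit bad }' FS=" " "$1/ipsec.conf" FS=":" "$1/passwd"
}

# Settings the article's XAUTH-with-PSK server role relies on.
check_required() {  # usage: check_required DIR
    awk 'BEGIN { n = split("authby=secret leftxauthserver=yes rightxauthclient=yes xauthby=file ikev2=no", a, " ")
                 for (i = 1; i <= n; i++) need[a[i]] = 1 }
         { line = $0; gsub(/[ \t]/, "", line); if (line in need) delete need[line] }
         END { for (k in need) { print "ipsec.conf: missing " k; bad = 1 } exit bad }' "$1/ipsec.conf"
}

# Proposals kept only for compatibility with older stock mobile clients.
list_legacy_algos() {  # usage: list_legacy_algos DIR
    awk -F= '/^[ \t]*(ike|esp)=/ {
        sub(/^[ \t]+/, "", $1)
        n = split($2, p, ",")
        for (i = 1; i <= n; i++) if (p[i] ~ /3des|modp1024|sha1/) print $1 ": " p[i]
    }' "$1/ipsec.conf"
}

# A PSK line must exist, and the secrets file must not be readable by others.
check_psk() {  # usage: check_psk DIR
    grep -q '^[^#]*:[[:space:]]*PSK[[:space:]]*"' "$1/psk.secrets" ||
        { echo "psk.secrets: no PSK line"; return 1; }
    [ -z "$(find "$1/psk.secrets" -perm -004)" ] ||
        { echo "psk.secrets: readable by other users"; return 1; }
}

# Length of the first quoted PSK, so that short demo secrets can be flagged.
psk_length() {  # usage: psk_length DIR
    sed -n 's/^[^#]*:[[:space:]]*PSK[[:space:]]*"\([^"]*\)".*/\1/p' "$1/psk.secrets" |
        head -n 1 | awk '{ print length($0) }'
}

# Run every check; the exit status is the number of hard failures.
preflight() {  # usage: preflight DIR
    fails=0
    check_conn_names "$1" || fails=$((fails + 1))
    check_required "$1"   || fails=$((fails + 1))
    check_psk "$1"        || fails=$((fails + 1))
    len=$(psk_length "$1")
    [ -n "$len" ] && [ "$len" -ge 20 ] || echo "warning: PSK is only ${len:-0} characters long"
    list_legacy_algos "$1" | sed 's/^/warning: legacy proposal /'
    return "$fails"
}

# Constructed sample mirroring the article's files (hashes are the ones
# printed in section 1.5); bob's line deliberately names a conn that does
# not exist, so that the first check has something to report.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/ipsec.conf" <<'EOF'
conn xauth-psk
    authby=secret
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=file
    ikev2=no
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha2_512,aes256-sha1,aes256-sha2_256,3des-sha1
EOF
    cat > "$dir/passwd" <<'EOF'
alice:$6$/X60NLa1wFgWDYIC$PYsPW.lsCALxSgRi0NmKcLVJPY.tPZwRZIs9OoYy3o/KimObc9GKkVfkpzhaA/jxM15eW.F6AcFqYdElsuJoO.:xauth-psk
bob:$6$U7Z3b.871AFnz6M8$lUB18T5gwQS/yPxjPqeNbUNCWpDsCHxmRNZy6dURpEc6cteX8NwBSB4HboNMTer/a642XadEv.T3ses8c33Y3/:xauth-psk-typo
EOF
    printf '%%any: PSK "ArnieBooksCello"\n' > "$dir/psk.secrets"
    chmod 600 "$dir/psk.secrets"
    echo "$dir"
}

# Dry run on the sample; on the server run:  preflight /etc/ipsec.d
preflight "$(make_sample_tree)" || echo "preflight: $? hard failure(s)"
```

On the sample, the run reports bob's unknown connection name as the one hard failure, warns that the 15-character PSK is short, and lists the five 3DES, SHA-1 and MODP-1024 proposals the article's configuration still offers. Run it again after editing the real files, and repeat the PSK permission check whenever you touch /etc/ipsec.d.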

2. Android Client

The place where you add a VPN in Android varies from release to release. It may be under Settings > Network & Internet > Advanced > VPN or it may be under Settings > Connections > More networks > VPN.

Add a new VPN. Give it a name, set the type to IPSec Xauth PSK, the server address to yy.yy.yy.yy, and the IPSec pre-shared key to ArnieBooksCello. Leave the IPSec identifier empty; this configuration does not use one. Enter the username and password of one of the accounts from section 1.5, for example alice and Apple123.

Tap Save. Select the VPN, and tap Connect.

3. iOS Client

Go to Settings > General > VPN.

Add a new VPN configuration. Choose the type IPsec, give it a description, set the server to yy.yy.yy.yy, enter the username and password of one of the accounts from section 1.5 (for example alice and Apple123) as the account and password, and enter the preshared key ArnieBooksCello as the secret.

Tap Done. Select the VPN, and toggle it to the ON position.

4. Get Help and Report Issues

For your client device in general, seek support through the normal channels for that device. For Libreswan in particular, support arrangements are listed in the Libreswan wiki.