Security Global Forum


Secured connection between LibreSwan and strongSwan using different authentication mechanisms

By Mohit Chitlange posted Fri December 09, 2022 07:16 AM

The cost of cyber-attacks increases manifold every year, which makes network security extremely important. This is especially true for IP links: the traffic crosses multiple networks that lie beyond the organisation's firewall (and control), so it becomes very difficult to ensure that data stays confidential and that its integrity is maintained. To address this problem the IETF (Internet Engineering Task Force) defined the IPsec protocol suite, which provides confidentiality, integrity, and authentication. IPsec offers two main authentication mechanisms: pre-shared key (PSK) based and certificate based. Several open-source IPsec implementations exist, the most popular being Libreswan and strongSwan, and interoperability between any two of them is one of the biggest pain points. This article gives a step-by-step procedure for creating a secure connection between a Libreswan and a strongSwan endpoint using both PSK-based and certificate-based authentication. The following configs were tested on RHEL 8.4 with Libreswan 4.3 and on SUSE 12 with strongSwan swanctl 5.9.1.


PSK based authentication

Prerequisites

  • One end point with Libreswan installed.
  • One end point with strongSwan installed.

Configuring strongSwan:

  1. Open the “swanctl.conf” file located at /etc/strongswan/swanctl/swanctl.conf
  2. Under the connection, set “auth = psk” in both the local and remote sections, as shown below:

    local {
        auth = psk
    }
    remote {
        auth = psk
    }

  3. Create a “secret.conf” file: vi /etc/strongswan/swanctl/secret.conf

    secrets {
        ike-psk {
            secret = "123456"
        }
    }

     Note: swanctl only reads swanctl.conf and the files it includes (by default conf.d/*.conf), so make sure the new file is included from there. The value shown is a placeholder; use a long random secret in practice.

  4. Restart the strongSwan service using: strongswan restart
  5. Load the new config if it is not loaded after restarting the service:
     a. first reload the daemon's strongswan.conf using: swanctl -r
     b. then load all available configuration (credentials, pools, authorities and connections) using: swanctl -q
  6. Verify the loaded configuration with: swanctl -L

After establishing the connection, list the currently active IKE_SAs with: swanctl -l

Configuring Libreswan:

  1. Open the “ipsec.conf” file: vim /etc/ipsec.conf
     Add/change “authby=secret”, as shown below:

    conn mytunnel1
        type=transport
        left=<Local ip>
        right=<Remote ip>
        authby=secret
        auto=add

  2. Add the key to the “ipsec.secrets” file: vim /etc/ipsec.secrets

    include /etc/ipsec.d/*.secrets

    : PSK "123456"

  3. Restart ipsec using: ipsec restart
  4. Reload the secrets with: ipsec auto --rereadsecrets
  5. Activate (bring up) the tunnel using: ipsec auto --up mytunnel1
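The two secrets files above use the same PSK in two different syntaxes. The script below is an added example, not part of the original post: it generates a high-entropy PSK and writes it into a swanctl-style secrets block and a Libreswan ipsec.secrets line, binding it to the two peer identities instead of the wildcard entry shown above. The output file names (swanctl-secrets.conf, ipsec.secrets) and the peer addresses are placeholders chosen for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a high-entropy IKE PSK
# and write it into both secrets-file dialects used in the steps above.
# File names and peer identities are placeholders chosen for this illustration.

# gen_psk: 32 random bytes, base64-encoded (44 characters).
gen_psk() {
    openssl rand -base64 32
}

# write_psk_secrets PSK LOCAL_IP REMOTE_IP OUTDIR
# Writes OUTDIR/swanctl-secrets.conf (strongSwan swanctl syntax) and
# OUTDIR/ipsec.secrets (Libreswan syntax). Both bind the PSK to the two peer
# identities rather than to any peer, so it is only ever offered to that peer.
write_psk_secrets() {
    psk="$1"; local_ip="$2"; remote_ip="$3"; outdir="$4"
    mkdir -p "$outdir"
    (
        umask 077   # secrets files must not be group- or world-readable

        # strongSwan: secrets { ike<suffix> { id<suffix> = ...  secret = ... } }
        cat > "$outdir/swanctl-secrets.conf" <<EOF
secrets {
    ike-peer {
        id-1 = $local_ip
        id-2 = $remote_ip
        secret = "$psk"
    }
}
EOF

        # Libreswan: '<id> <id> : PSK "<secret>"'. A bare ': PSK "..."' line,
        # as in the step above, would instead match any peer.
        cat > "$outdir/ipsec.secrets" <<EOF
$local_ip $remote_ip : PSK "$psk"
EOF
    )
}

# psk_files_agree OUTDIR: returns 0 when both files carry the same secret string.
psk_files_agree() {
    a=$(sed -n 's/^[[:space:]]*secret = "\(.*\)"$/\1/p' "$1/swanctl-secrets.conf")
    b=$(sed -n 's/.*: PSK "\(.*\)"$/\1/p' "$1/ipsec.secrets")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (both files are written locally; copy each one to its own endpoint):
#   PSK=$(gen_psk)
#   write_psk_secrets "$PSK" 192.0.2.1 198.51.100.1 ./out
#   psk_files_agree ./out && echo "secrets match"
```

On the strongSwan side the generated file still has to be included from swanctl.conf (by default via conf.d/*.conf) and loaded with swanctl -q; on the Libreswan side it replaces the wildcard line in ipsec.secrets and is picked up by ipsec auto --rereadsecrets.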

Certificate based authentication

Prerequisites

  • End entity certificates are available. If not, follow the steps below.
  • Create the certificates using the openssl utility.
  • Convert the Root CA to p12 format (optional):
      openssl pkcs12 -export -nokeys -in cacert.pem -out pkcs12.p12

Note: the CA cert can be used in DER or PEM format.

  • Convert the End entity certificate and its key to p12 format:
      openssl pkcs12 -export -out your_end_entity.p12 -in ee_cert.pem -inkey ee_key.pem -name "Name"

Configuring strongSwan:

  1. Copy the root CA cert to
     • /etc/strongswan/swanctl/x509ca/
  2. Copy the End Entity cert to
     • /etc/strongswan/swanctl/x509/
  3. Copy the private key of the End Entity cert to
     • /etc/strongswan/swanctl/private/
  4. Include the following parameters in the conf file (the connection lives inside the connections section of swanctl.conf):

    connections {
        <connection_name> {
            send_cert = always
            local {
                auth = pubkey
                # file name of the End Entity cert under x509/
                certs = strongswan.pem
            }
            remote {
                auth = pubkey
            }
        }
    }

  5. Restart the service
     • strongswan restart
  6. Load the config if not loaded
     • swanctl -q
  7. Verify the config
     • swanctl -L

Configuring Libreswan:

  1. Create the NSS database:

    ipsec initnss

Note: if the database already exists, either delete and recreate it, or reuse it.

  2. Import the CA certificate into the NSS database. There are two ways:
     • If the certificate is available in p12 format:

    ipsec import cacert.p12

     • If the certificate is in a DER or PEM file, use “certutil”:
       • For DER formatted CA certificates use:
         certutil -A -i /path/YourCA.der -d sql:/etc/ipsec.d -n "CAname" -t 'CT,,'
       • For PEM formatted CA certificates use:
         certutil -A -a -i /path/YourCA.pem -d sql:/etc/ipsec.d -n "CAname" -t 'CT,,'
  3. Import the End Entity certificate (with its key) into the NSS database:

    ipsec import your_end_entity.p12

  4. Verify the certificates:
     • To check the RSA keys of the certs:
       certutil -K -d /etc/ipsec.d/
     • To check the certs:
       ipsec look
  5. Add the following parameters under “conn <tunnel_name>” in /etc/ipsec.conf (leftcert is the NSS nickname, i.e. the -name given when the p12 was exported):

        leftcert="friendly_name_of_end_entity_cert"
        leftid=%fromcert
        leftrsasigkey=%cert
        rightid=%fromcert
        rightrsasigkey=%cert
        authby=rsa-sha1

  6. Restart the ipsec service: ipsec restart
  7. Add the tunnel if required:
     ipsec auto --add <tunnel_name>
  8. Bring the tunnel up, after the strongSwan side has been set up:
     ipsec auto --up <tunnel_name>

For complete configuration files, see the reference links below.

Reference:
1. https://docs.strongswan.org/docs/5.9/config/quickstart.html
2. https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan