Configure IPSec VPN between AIX and LINUX using Libreswan: A Step-by-Step Guide

By RAJYA LAKSHMI MARATHU posted Tue November 26, 2024 12:46 AM

  


Author: Rajya Lakshmi Marathu, Software Engineer Test, IBM India Software Labs

Internet Protocol Security (IPSec) is a suite of network protocols that enables secure communication between two devices over IP networks. IPSec is an open standard security technology developed by the Internet Engineering Task Force (IETF) that provides authentication, confidentiality and integrity.

IPSec is widely used in creating virtual private networks (VPNs). It can be used:

  •       Between two gateways to create a site-to-site VPN
  •       Between two hosts to create a host-to-host VPN
  •       Between a firewall and a host to create remote access VPN

IBM AIX is the leading proprietary enterprise-class operating system designed to run on IBM Power Servers, providing secure, scalable, and robust infrastructure solutions for enterprises. AIX supports IPSec VPN with heterogeneous platforms like LINUX and Windows.

This tutorial focuses on creating IPSec VPN tunnels between AIX and Red Hat Linux using Libreswan. 

Libreswan - An Overview

Libreswan is an open source software implementation of the most widely supported and standardized VPN protocol, using IPsec and the Internet Key Exchange (IKE). These standards are produced and maintained by the Internet Engineering Task Force (IETF). Libreswan is the default IPSec implementation on Red Hat Linux and is the preferred IPSec method for creating VPN tunnels on Linux.

Configuring IPSec on Linux using Libreswan

Pre-requisites

Register your Red Hat Linux (RHEL) system so that you can manage it from your central Red Hat account and install important software updates.

  • The AppStream repository is enabled

Verify all the necessary repositories are enabled

# dnf repolist
Updating Subscription Management repositories.
repo id                                           repo name
rhel-9-for-ppc64le-appstream-rpms                 Red Hat Enterprise Linux 9 for Power, little endian - AppStream (RPMs)
rhel-9-for-ppc64le-baseos-rpms                    Red Hat Enterprise Linux 9 for Power, little endian - BaseOS (RPMs)
rhel-9-for-ppc64le-supplementary-rpms             Red Hat Enterprise Linux 9 for Power, little endian - Supplementary (RPMs)

Install Libreswan Packages

Libreswan is the default IPSec implementation of Linux and can be installed using the package manager.

# dnf install libreswan

Verify the version of Libreswan installed

# ipsec version
Libreswan 4.12

Configure the firewall to allow UDP ports 500 and 4500 for IKE, and the ESP and AH protocols, by adding the ipsec service

# firewall-cmd --add-service="ipsec"
success
# firewall-cmd --runtime-to-permanent
success

Start the IPSec services and enable the IPSec service to be automatically started on reboot

# ipsec status
whack: Pluto is not running (no "/run/pluto/pluto.ctl")

# systemctl enable ipsec --now
Created symlink /etc/systemd/system/multi-user.target.wants/ipsec.service → /usr/lib/systemd/system/ipsec.service.

# ipsec start
Redirecting to: systemctl start ipsec.service

Create the NSS database. It is needed to store the certificates and private keys used for RSA authentication. If a certificate database already exists, remove it first

# ipsec stop
# rm -rf /var/lib/ipsec/nss/*.db 
# ipsec initnss

Configuring IPSec on AIX

You can use smitty to configure and load the IPSec modules when IP security is started. To enable IPSec on AIX, perform the following steps:

# smitty ipsec4 -> Start/Stop IP Security -> Start IP Security -> Start IP Security (Now and After Reboot) -> Press Enter

                                         Start IP Security
Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
  Start IP Security                                  [Now and After Reboot]                +
  Deny All Non_Secure IP Packets                     [no]                                  +

Check the state of IPSec devices. Both ipsec_v4 and ipsec_v6 should be available

# lsdev -Cc ipsec
ipsec_v4 Available  IP Version 4 Security Extension
ipsec_v6 Available  IP Version 6 Security Extension

Start the IPSec daemons and verify they are started successfully

# startsrc -g ike
0513-059 The cpsd Subsystem has been started. Subsystem PID is 8847860.
0513-059 The tmd Subsystem has been started. Subsystem PID is 8913240.
0513-059 The iked Subsystem has been started. Subsystem PID is 8126800.

# lssrc -g ike
Subsystem         Group            PID          Status
 cpsd             ike              8847860      active
 tmd              ike              8913240      active
 iked             ike              8126800      active

Configuring IPSec Tunnels Between AIX and Linux

The IPSec implementation on AIX supports the following authentication methods to enable a secure connection between the two endpoints:

  • Pre-Shared Key Authentication (PSK): This method requires both parties to exchange a text-based secret passphrase. The keys must be long and random enough to be secure
  • Certificate-Based Authentication (RSA): This method requires establishing identity for an IPSec VPN using digital certificates. Certificate authentication is more secure than PSK

To create IPSec tunnels between AIX and Linux, we first need to prepare the configuration files on both endpoints. The configuration files used to create IPSec tunnels on AIX are in XML format. All the IPSec configuration parameters go in the XML file, including the IP addresses of the endpoints and the authentication and encryption methods. On Linux, the configuration files /etc/ipsec.conf and /etc/ipsec.secrets hold all the information needed for IPSec.

Create IPSec Tunnels with Pre-Shared Key Authentication (PSK) 

The test environment used to create PSK tunnels:

AIX 73 : 51.51.51.1

RHEL 9: 51.51.51.2

The steps below describe how to configure IPSec tunnels with PSK between AIX and Linux. 


The following is the sample xml file on AIX. Save this as ipsec-libreswan-aix.xml

<?xml version="1.0"?>
<AIX_VPN
      Version="2.1">
   <IKEProtection
         IKE_Flags_UseCRL="No"
         IKE_KeyOverlap="50"
         IKE_ProtectionName="P1Pol"
         IKE_ResponderKeyRefreshMaxKB="200"
         IKE_ResponderKeyRefreshMaxMinutes="480"
         IKE_ResponderKeyRefreshMinKB="1"
         IKE_ResponderKeyRefreshMinMinutes="1"
         IKE_Role="Both"
         IKE_Version="2"
         IKE_XCHGMode="None">
      <IKETransform
            IKE_Encryption="AES-CBC-128"/>
      <IKETransform
            IKE_PRF="PRF_HMAC_SHA1"/>
      <IKETransform
            IKE_Hash="SHA"/>
      <IKETransform
            IKE_DHGroup="20"/>
      <IKETransform
            IKE_AuthenticationMethod="Preshared_key"/>
      <IKETransform
            IKE_KeyRefreshMinutes="480"/>
   </IKEProtection>
   <IKETunnel
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="No"
         IKE_ProtectionRef="P1Pol"
         IKE_TunnelName="P1">
      <IKELocalIdentity>
         <IPV4_Address
               Value="51.51.51.1"/>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <IPV4_Address
               Value="51.51.51.2"/>
      </IKERemoteIdentity>
   </IKETunnel>
   <IKEPresharedKey
         Format="ASCII"
         Value="12345678910abcedf">
      <IKEPresharedRemoteID>
         <PK_IPV4_Address
               Value="51.51.51.2"/>
      </IKEPresharedRemoteID>
   </IKEPresharedKey>
   <IPSecProposal
         IPSec_ProposalName="P2Prop">
      <IPSecESPProtocol
            ESP_Authentication="HMAC-SHA"
            ESP_EncapsulationMode="Transport"
            ESP_Encryption="ESP_AES_128"
            ESP_ExtendedSeqNum="0"
            ESP_KeyRefreshKB="512"
            ESP_KeyRefreshMinutes="2"/>
   </IPSecProposal>
   <IPSecProtection
         IPSec_Flags_UseCommitBit="No"
         IPSec_Flags_UseLifeSize="No"
         IPSec_InitiatorDHGroup="0"
         IPSec_KeyOverlap="10"
         IPSec_ProposalRefs="P2Prop "
         IPSec_ProtectionName="P2Pol"
         IPSec_ResponderDHGroup="NO_PFS"
         IPSec_ResponderKeyRefreshMaxKB="200"
         IPSec_ResponderKeyRefreshMaxMinutes="43200"
         IPSec_ResponderKeyRefreshMinKB="1"
         IPSec_ResponderKeyRefreshMinMinutes="1"
         IPSec_Role="Both"/>
   <IPSecTunnel
         IKE_TunnelName="P1"
         IPSec_Flags_AutoStart="No"
         IPSec_Flags_OnDemand="No"
         IPSec_ProtectionRef="P2Pol"
         IPSec_TunnelName="P2">
      <IPSecLocalIdentity
            EndPort="65535"
            Port="0"
            Protocol="0">
         <IPV4_Address_Range
               From_IPAddr="51.51.51.1"
               To_IPAddr="51.51.51.1"/>
      </IPSecLocalIdentity>
      <IPSecRemoteIdentity
            EndPort="65535"
            Port="0"
            Protocol="0">
         <IPV4_Address_Range
               From_IPAddr="51.51.51.2"
               To_IPAddr="51.51.51.2"/>
      </IPSecRemoteIdentity>
   </IPSecTunnel>
</AIX_VPN>

Before uploading the xml file into IKE database remove any existing data from the database using the command ikedb -x.

Verify the database is cleaned using the command ikedb -g

# ikedb -x
P1_ITD database created successfully
P2_ITD database created successfully
P1_PREKEY database created successfully
PROPOSAL_LIST database created successfully
PROPOSAL database created successfully
POLICY database created successfully
GROUP database created successfully
NDBM:/etc/ipsec/inet/DB/privkey

# ikedb -g
<?xml version="1.0"?>
<AIX_VPN
      Version="2.1"/>

Upload the xml file into IKE database

# ikedb -p ipsec-libreswan-aix.xml

Now, let's move on to setting up the configuration files on Linux. The sample /etc/ipsec.conf and /etc/ipsec.secrets files are shown below for reference. Copy the content shown below to the corresponding config files on Linux

The file "/etc/ipsec.conf" for reference

#include /etc/ipsec.d/*.conf
config setup
    logfile=/var/log/pluto.log
    plutodebug=all

conn tun1
    left=51.51.51.2
    right=51.51.51.1
    fragmentation=no
    authby=secret
    pfs=no
    auto=add
    type=transport
    ikev2=insist
    ike=aes-sha;dh20
    phase2alg=aes128-sha1

The file "/etc/ipsec.secrets" for reference

#include /etc/ipsec.d/*.secrets
51.51.51.2 51.51.51.1 : PSK "12345678910abcedf"
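
The PSK description above says the key must be long and random, and the value in these samples is only a short test placeholder. The following is an added example, not part of the original article, that generates a 256-bit key and writes the Libreswan secrets entry with owner-only permissions. The function names are hypothetical, and it assumes the AIX Value attribute (Format="ASCII") accepts the same 64-character string.

```shell
#!/bin/sh
# Added example: generate a random PSK and write the Libreswan secrets entry.

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters, 256 bits).
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Accept only keys of at least 32 characters made of letters and digits, so
# the same string is safe inside the quoted ipsec.secrets entry and inside
# the XML attribute on AIX. Length is a floor, not a proof of randomness.
psk_acceptable() {
    key=$1
    [ "${#key}" -ge 32 ] || return 1
    case $key in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# write_psk_secrets FILE LEFT RIGHT KEY
# Writes "LEFT RIGHT : PSK "KEY"" to FILE, readable by the owner only.
write_psk_secrets() {
    file=$1 left=$2 right=$3 key=$4
    psk_acceptable "$key" || return 1
    (
        umask 077
        printf '%s %s : PSK "%s"\n' "$left" "$right" "$key" > "$file"
    ) || return 1
    chmod 600 "$file"   # also covers a file that already existed
}

# Demonstration in a scratch directory (addresses are the article's test hosts).
demo_dir=$(mktemp -d)
demo_key=$(gen_psk)
write_psk_secrets "$demo_dir/ipsec.secrets" 51.51.51.2 51.51.51.1 "$demo_key" &&
    ls -l "$demo_dir/ipsec.secrets"
rm -rf "$demo_dir"
```

The generated string must be placed unchanged in the Value attribute of IKEPresharedKey in the AIX XML file so that both endpoints hold the same key.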

Start the IPSec services on both AIX and Linux. Whenever the /etc/ipsec* files change on Linux, the daemons must be restarted.

On AIX, stop the services, verify that they have moved to the inoperative state, start the services again, and verify that all of them are in the active state

# stopsrc -g ike
# lssrc -g ike
# startsrc -g ike

# lssrc -g ike
Subsystem         Group            PID          Status
 cpsd             ike              7864686      active
 tmd              ike              8126802      active
 iked             ike              5046676      active

On Linux, restart the ipsec services

# ipsec restart
Redirecting to: systemctl restart ipsec.service

On AIX, activate the tunnels using ike cmd=activate. Verify the tunnels are active using ike cmd=list

You can use the ike cmd=list verbose and lstun -a commands to view verbose output and the tunnel definitions

# ike cmd=activate
Phase 2 tunnel 1 activate request initiated.

# ike cmd=list
Phase  Tun Id  Status      Local Id                        Remote Id
1      1       Active      51.51.51.1                      51.51.51.2
2      1       Active      51.51.51.1-51.51.51.1           51.51.51.2-51.51.51.2

On Linux, verify the tunnels are active

# ipsec status

Create IPSec Tunnels with Digital Certificates (RSA) 

To create IPSec tunnels using certificates, we must generate the certificates first. For this tutorial, GSKit is used to create certificates on AIX. You can also use openssl to generate certificates.

Pre-requisites:

  • Install GSKit filesets

Step 1: Create an empty CMS keystore for the Root CA. Then create the certificate and private key for the Root CA. Create this certificate with -ca true, which enables it to sign all other certificates. Extract the certificate to rootCA_Pub.arm

# mkdir /GSK_CERTS ; cd /GSK_CERTS 
# gsk8capicmd -keydb -create -db   /GSK_CERTS/rootCA.kdb -pw 123456 -type cms -stash -v1stash
# gsk8capicmd -cert -create -db /GSK_CERTS/rootCA.kdb -pw 123456 -size 2048 -dn "C=IN,O=IBM,CN=ipsecroot" -label Root_CA -default_cert  yes -ca true
# gsk8capicmd -cert -extract -db /GSK_CERTS/rootCA.kdb -stashed -label Root_CA -format ascii -target rootCA_Pub.arm

Step 2: Create an empty keystore for the certificates used on AIX. Add the Root CA to this keystore, create a certificate request, sign it with the Root CA, and receive the signed certificate into the keystore. Move the keystore to /etc/security on AIX

# gsk8capicmd -keydb -create -db /GSK_CERTS/ikekey.kdb -pw 123456 -type cms -stash -v1stash
# gsk8capicmd -cert -add -db /GSK_CERTS/ikekey.kdb -stashed -label Root_CA -file rootCA_Pub.arm -format ascii -trust enable
# gsk8capicmd -certreq -create -db /GSK_CERTS/ikekey.kdb -pw 123456 -label Test_Cert2 -dn "C=IN,ST=KA,L=BA,O=IBM,OU=ISL,CN=test2" -size 2048 -file /GSK_CERTS/cert2_csr.arm
# gsk8capicmd -cert -sign -db /GSK_CERTS/rootCA.kdb -pw 123456 -label Root_CA -target /GSK_CERTS/Test_Cert2.cer -format ascii -expire 100 -file /GSK_CERTS/cert2_csr.arm -sigalg SHA256_WITH_RSA
# gsk8capicmd -cert -receive -file /GSK_CERTS/Test_Cert2.cer -db /GSK_CERTS/ikekey.kdb  -pw 123456 -type cms -format ascii
# /usr/bin/mv  /GSK_CERTS/ikekey* /etc/security

Step 3: Create an empty keystore for the certificates used on Linux. Add the Root CA to this keystore, create a certificate request, sign it with the Root CA, and receive the signed certificate into the keystore. Convert the keystore into P12 format, which works on Linux

# gsk8capicmd -keydb -create -db   /GSK_CERTS/R1ikekey.kdb -pw 123456 -type cms -stash -v1stash
# gsk8capicmd -cert -add -db /GSK_CERTS/R1ikekey.kdb -stashed -label Root_CA -file rootCA_Pub.arm -format ascii -trust enable
# gsk8capicmd -certreq -create -db  /GSK_CERTS/R1ikekey.kdb -pw 123456 -label Test_Cert1 -dn "C=IN,ST=KA,L=BA,O=IBM,OU=ISL,CN=test1" -size 2048 -file /GSK_CERTS/cert1_csr.arm
# gsk8capicmd -cert -sign -db /GSK_CERTS/rootCA.kdb -pw 123456 -label Root_CA -target /GSK_CERTS/Test_Cert1.cer -format ascii -expire 100 -file /GSK_CERTS/cert1_csr.arm -sigalg SHA256_WITH_RSA
# gsk8capicmd -cert -receive -file /GSK_CERTS/Test_Cert1.cer -db /GSK_CERTS/R1ikekey.kdb  -pw 123456 -type cms -format ascii
# gsk8capicmd -keydb -convert -db /GSK_CERTS/R1ikekey.kdb -pw 123456 -type cms -new_db /GSK_CERTS/LINUX1.p12 -new_pw 123456 -new_format p12 -stash -v1stash

Step 4: Copy the certificate file /GSK_CERTS/LINUX1.p12 to Linux and use the ipsec import command to import it into the NSS database. Enter 123456 as the password

# ipsec import LINUX1.p12
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

Step 5: Verify that the certificates are listed correctly on both AIX and Linux

# gsk8capicmd -cert -list -db /etc/security/ikekey.kdb -pw 123456
Certificates found
* default, - personal, ! trusted, # secret key
!       Root_CA
-       Test_Cert2

# certutil -L -d sql:/var/lib/ipsec/nss
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Test_Cert1                                                   u,u,u
Root_CA                                                      CT,,

The following is the sample xml file on AIX with RSA authentication. Save this as ipsec-aix-cert.xml

<?xml version="1.0"?>
<AIX_VPN
      Version="2.1">
   <IKEProtection
         IKE_Flags_UseCRL="No"
         IKE_KeyOverlap="10"
         IKE_ProtectionName="P1Pol"
         IKE_ResponderKeyRefreshMaxKB="200"
         IKE_ResponderKeyRefreshMaxMinutes="1440"
         IKE_ResponderKeyRefreshMinKB="1"
         IKE_ResponderKeyRefreshMinMinutes="60"
         IKE_Role="Both"
         IKE_Version="2"
         IKE_XCHGMode="None">
      <IKETransform
            IKE_Encryption="AES-CBC-128"/>
      <IKETransform
            IKE_PRF="PRF_SHA2_256"/>
      <IKETransform
            IKE_Hash="SHA2_256"/>
      <IKETransform
            IKE_DHGroup="20"/>
      <IKETransform
            IKE_AuthenticationMethod="RSA_signatures"/>
      <IKETransform
            IKE_KeyRefreshMinutes="120"/>
   </IKEProtection>
   <IKETunnel
         IKE_Flags_AutoStart="Yes"
         IKE_Flags_MakeRuleWithOptionalIP="Yes"
         IKE_ProtectionRef="P1Pol"
         IKE_TunnelName="P1-1">
      <IKELocalIdentity>
         <ASN1_DN
               Value="/C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test2">
            <IPV4_Address
                  Value="121.121.121.1"/>
         </ASN1_DN>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <ASN1_DN
               Value="/C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test1">
            <IPV4_Address
                  Value="121.121.121.2"/>
         </ASN1_DN>
      </IKERemoteIdentity>
   </IKETunnel>
   <IPSecProposal
         IPSec_ProposalName="P2Prop">
      <IPSecESPProtocol
            ESP_Authentication="HMAC-SHA"
            ESP_EncapsulationMode="Transport"
            ESP_Encryption="ESP_AES_128"
            ESP_ExtendedSeqNum="0"
            ESP_KeyRefreshKB="512"
            ESP_KeyRefreshMinutes="2"/>
   </IPSecProposal>
   <IPSecProtection
         IPSec_Flags_UseCommitBit="No"
         IPSec_Flags_UseLifeSize="No"
         IPSec_InitiatorDHGroup="0"
         IPSec_KeyOverlap="10"
         IPSec_ProposalRefs="P2Prop "
         IPSec_ProtectionName="P2Pol"
         IPSec_ResponderDHGroup="NO_PFS"
         IPSec_ResponderKeyRefreshMaxKB="200"
         IPSec_ResponderKeyRefreshMaxMinutes="43200"
         IPSec_ResponderKeyRefreshMinKB="1"
         IPSec_ResponderKeyRefreshMinMinutes="60"
         IPSec_Role="Both"/>
   <IPSecTunnel
         IKE_TunnelName="P1-1"
         IPSec_Flags_AutoStart="Yes"
         IPSec_Flags_OnDemand="No"
         IPSec_ProtectionRef="P2Pol"
         IPSec_TunnelName="P2-1">
      <IPSecLocalIdentity
            EndPort="65535"
            Port="0"
            Protocol="0">
         <IPV4_Address_Range
               From_IPAddr="121.121.121.1"
               To_IPAddr="121.121.121.1"/>
      </IPSecLocalIdentity>
      <IPSecRemoteIdentity
            EndPort="65535"
            Port="0"
            Protocol="0">
         <IPV4_Address_Range
               From_IPAddr="121.121.121.2"
               To_IPAddr="121.121.121.2"/>
      </IPSecRemoteIdentity>
   </IPSecTunnel>
</AIX_VPN>

The Linux configuration files /etc/ipsec.conf and /etc/ipsec.secrets are shown below. Copy the contents to the corresponding files on Linux

The file "/etc/ipsec.conf" for reference

#include /etc/ipsec.d/*.conf
config setup
    #protostack=netkey
    logfile=/var/log/pluto.log
    plutodebug=all

conn tun1
    left=121.121.121.2
    right=121.121.121.1
    leftcert=Test_Cert1
    leftid=%fromcert
    leftca=%same
    leftrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    fragmentation=yes
    pfs=no
    auto=add
    type=transport
    ikev2=insist
    ike=aes128-sha256;dh20
    phase2alg=aes128-sha1

The file "/etc/ipsec.secrets" for reference. 

RSA "Test_Cert1"

Once the configuration files are ready, upload the XML configuration on AIX using the ikedb command and update /etc/ipsec.conf and /etc/ipsec.secrets on Linux. Start the daemons on both endpoints and activate the tunnels on AIX using ike cmd=activate

# ike cmd=activate
Phase 2 tunnel 1 activate request initiated.

Verify the tunnel status on both AIX and Linux

# ike cmd=list
Phase  Tun Id  Status      Local Id                        Remote Id
1      1       Active      /C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test2  /C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test1
2      1       Active      121.121.121.1-121.121.121.1     121.121.121.2-121.121.121.2

# ipsec status
................................
................................
000 Connection list:
000
000 "tun1": 121.121.121.2[C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1]...121.121.121.1[C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test2]; prospective erouted; eroute owner: #0
000 "tun1":     oriented; my_ip=unset; their_ip=unset; mycert=Test_Cert1; my_updown=ipsec _updown;
000 "tun1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "tun1":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "tun1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tun1":   sec_label:unset;
000 "tun1":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "tun1":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tun1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tun1":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "tun1":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "tun1":   conn_prio: 32,32; interface: env3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "tun1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tun1":   our idtype: ID_DER_ASN1_DN; our id=C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1; their idtype: ID_DER_ASN1_DN; their id=C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test2
000 "tun1":   liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "tun1":   nat-traversal: encaps:auto; keepalive:20s
000 "tun1":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "tun1":   IKE algorithms: AES_CBC-HMAC_SHA2_256-DH20
000 "tun1":   ESP algorithms: AES_CBC_128-HMAC_SHA1_96
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000
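
In ipsec status output, a connection that is loaded but has no negotiated SAs reports "active 0" and "newest IPsec SA: #0", as in the listing above. The following is an added example, not part of the original article, that reads ipsec status text and reports whether a named connection actually has IKE and IPsec SAs. The function names are hypothetical, the first sample is excerpted from the listing above, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: decide from `ipsec status` text whether a connection has SAs.

# Excerpt of the listing above: connection loaded, nothing negotiated.
STATUS_LOADED_ONLY='000 "tun1":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 Total IPsec connections: loaded 1, active 0
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)'

# Constructed sample: the same lines as they would read once SAs exist.
STATUS_ESTABLISHED='000 "tun1":   newest IKE SA: #1; newest IPsec SA: #2; conn serial: $1;
000 Total IPsec connections: loaded 1, active 1
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)'

# status_counters CONN  (status text on stdin)
# Prints: active ike_authenticated ipsec_total newest_ike_sa newest_ipsec_sa
status_counters() {
    awk -v conn="$1" '
        # Number that follows the first occurrence of key, or 0 if absent.
        function num_after(line, key,    p) {
            p = index(line, key)
            if (p == 0) return 0
            return substr(line, p + length(key)) + 0
        }
        index($0, "\"" conn "\":") && /newest IKE SA:/ {
            nike = num_after($0, "newest IKE SA: #")
            nsa  = num_after($0, "newest IPsec SA: #")
        }
        /Total IPsec connections:/ { active = num_after($0, "active ") }
        / IKE SAs:/   { ike = num_after($0, "authenticated(") }
        / IPsec SAs:/ { sa  = num_after($0, "total(") }
        END { print active + 0, ike + 0, sa + 0, nike + 0, nsa + 0 }
    '
}

# tunnel_is_up CONN  (status text on stdin)
# Succeeds only if the daemon reports active SAs and CONN owns one of each.
tunnel_is_up() {
    status_counters "$1" | {
        read -r active ike sa nike nsa
        [ "$active" -ge 1 ] && [ "$ike" -ge 1 ] && [ "$sa" -ge 1 ] &&
            [ "$nike" -ge 1 ] && [ "$nsa" -ge 1 ]
    }
}

# Demonstration on the two samples; on a live host: ipsec status | tunnel_is_up tun1
for sample in "$STATUS_LOADED_ONLY" "$STATUS_ESTABLISHED"; do
    if printf '%s\n' "$sample" | tunnel_is_up tun1; then
        echo "tun1: SAs established"
    else
        echo "tun1: loaded, no SAs"
    fi
done
```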

Conclusion

This article is a step-by-step guide to creating host-to-host IPSec tunnels between AIX and Linux using Libreswan. You can also set up IPSec tunnels between AIX and Linux using strongSwan, another IPSec implementation on Linux.

Thanks to @Vinayak Telkar @Soumya Mukherjee @BUKAI Biswas for their review and inputs.