How to Configure Host-to-Host IPSec VPN Between AIX and LINUX : The strongSwan Way
Author : Rajya Lakshmi Marathu , Software Engineer Test , IBM India Software Labs
Internet Protocol Security (IPSec) is a group of protocols for securing connections between two devices. IPSec is an open standard security technology developed by the Internet Engineering Task Force (IETF) that provides authentication, confidentiality and integrity.
IPSec is widely used in creating virtual private networks (VPNs). It can be used
- Between two hosts to create a host-to-host VPN
- Between two gateways to create a site-to-site VPN
- Between a firewall and a host to create remote access VPN
IBM AIX supports IPSec VPN with heterogeneous platforms like LINUX and Windows.
strongSwan vs Libreswan
strongSwan and Libreswan are both open-source implementations of the IPSec protocol suite on Linux that provide confidentiality, integrity and authentication. Both are available as ready-to-use packages on Linux.
strongSwan | Libreswan
Available through EPEL on Red Hat Linux | Default IPSec implementation on Red Hat Linux
Very comprehensive and well maintained documentation | Less community support compared to Libreswan
Support for weak cipher suites for backward compatibility | Does not support weak cipher suites
Support for EAP authentication methods | Does not support EAP authentication methods
strongSwan is a bit complicated to use | Libreswan is simple and easy to use
Modular design makes it easy for automation | The ipsec configuration design is not great for automation
Both strongSwan and Libreswan provide IPSec functionality. Look at both options and consider which one has the most community support, whether it is supported by your preferred operating system, and which one has the specific features you need.
This tutorial focuses on creating host-to-host IPSec VPN tunnels between AIX and Red Hat Linux using strongSwan. The test environment used in this tutorial consists of AIX 73 and RHEL 9. You can also create IPSec tunnels with Libreswan, the other IPSec implementation on Linux.
Configuring IPSec on Linux using strongSwan
Pre-requisites
- Register your Red Hat Linux (RHEL) system so that you can manage it from your central Red Hat account and install important software updates.
Verify that all the necessary repositories are enabled
# dnf repolist
Updating Subscription Management repositories.
repo id repo name
rhel-9-for-ppc64le-appstream-rpms Red Hat Enterprise Linux 9 for Power, little endian - AppStream (RPMs)
rhel-9-for-ppc64le-baseos-rpms Red Hat Enterprise Linux 9 for Power, little endian - BaseOS (RPMs)
rhel-9-for-ppc64le-supplementary-rpms Red Hat Enterprise Linux 9 for Power, little endian - Supplementary (RPMs)
Install EPEL Repository
To install strongSwan, first install the EPEL repository and then install strongSwan from it. The CodeReady Linux Builder repository must be enabled before the EPEL repository can be installed.
Step1: Enable the CodeReady Linux Builder repository with subscription manager
subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
# subscription-manager repos --enable codeready-builder-for-rhel-9-ppc64le-rpms
Repository 'codeready-builder-for-rhel-9-ppc64le-rpms' is enabled for this system.
Step2: Install EPEL RPM
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
Step3: verify EPEL is installed
# dnf repolist
Updating Subscription Management repositories.
repo id repo name
codeready-builder-for-rhel-9-ppc64le-rpms Red Hat CodeReady Linux Builder for RHEL 9 Power, little endian (RPMs)
epel Extra Packages for Enterprise Linux 9 - ppc64le
epel-cisco-openh264 Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - ppc64le
rhel-9-for-ppc64le-appstream-rpms Red Hat Enterprise Linux 9 for Power, little endian - AppStream (RPMs)
rhel-9-for-ppc64le-baseos-rpms Red Hat Enterprise Linux 9 for Power, little endian - BaseOS (RPMs)
rhel-9-for-ppc64le-supplementary-rpms Red Hat Enterprise Linux 9 for Power, little endian - Supplementary (RPMs)
Install strongSwan
Install strongSwan and verify the version of strongSwan installed
# dnf install strongswan
# strongswan version
Linux strongSwan U5.9.10/K5.14.0-427.13.1.el9_4.ppc64le
University of Applied Sciences Rapperswil, Switzerland
Configure the firewall to allow IKE on 500/UDP and 4500/UDP (NAT traversal) together with the ESP and AH protocols. The predefined firewalld ipsec service covers all of these; the explicit UDP port rules are shown as well. Reload firewalld so the permanent rules take effect.
# firewall-cmd --permanent --add-service=ipsec
success
# firewall-cmd --permanent --add-port=500/udp
success
# firewall-cmd --permanent --add-port=4500/udp
success
# firewall-cmd --reload
success
Start the strongswan service and enable it to automatically start at system boot
# systemctl status strongswan
# systemctl start strongswan
# systemctl enable strongswan
# systemctl status strongswan
Configuring IPSec on AIX
You can use smitty to configure and load IPSec modules when IP security is started. To enable IPSec on AIX perform the following steps
# smitty ipsec4 -> Start/Stop IP Security -> Start IP Security -> Start IP Security (Now and After Reboot) -> Press Enter
Start IP Security
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
Start IP Security [Now and After Reboot] +
Deny All Non_Secure IP Packets [no] +
Check the state of IPSec devices. Both ipsec_v4 and ipsec_v6 should be available
# lsdev -Cc ipsec
ipsec_v4 Available IP Version 4 Security Extension
ipsec_v6 Available IP Version 6 Security Extension
Start the IPSec daemons and verify they are started successfully
# startsrc -g ike
0513-059 The cpsd Subsystem has been started. Subsystem PID is 13042008.
0513-059 The tmd Subsystem has been started. Subsystem PID is 10486110.
0513-059 The iked Subsystem has been started. Subsystem PID is 7864584.
# lssrc -g ike
Subsystem Group PID Status
cpsd ike 13042008 active
tmd ike 10486110 active
iked ike 7864584 active
Configuring IPSec Tunnels Between AIX and Linux
The IPSec implementation on AIX supports the following authentication methods for securing the connection between the two endpoints
- Pre-Shared Key Authentication (PSK): both parties must share the same text-based secret passphrase, exchanged out of band. The key must be long and random enough to be secure
- Certificate Based Authentication (RSA): each endpoint's identity for the IPSec VPN is established with a digital certificate. Certificate authentication is more secure than PSK
To create IPSec tunnels between AIX and Linux we first need to prepare the configuration files. The configuration files used to create IPSec tunnels on AIX are in XML format. All the IPSec configuration parameters are set in the XML file, including the IP addresses of the endpoints and the authentication and encryption methods.
On Linux, IPSec tunnels are created from the configuration file swanctl.conf, located under /etc/strongswan/swanctl. The swanctl.conf file contains all the information needed to create IPSec tunnels, including connections, secrets, pools and certificate authorities.
Prepare the configuration files on both AIX and Linux and then create the tunnels between the endpoints
Create IPSec Tunnels with Pre-Shared Key Authentication (PSK)
The steps below describe how to configure IPSec tunnels with PSK between AIX and Linux.
The test environment used to create PSK tunnels :
AIX 73 : 19.19.19.1
RHEL 9: 19.19.19.2
The following is the sample xml file on AIX. Save this as ibm-strongswan-psk-aix.xml
<?xml version="1.0"?>
<AIX_VPN
Version="2.1">
<IKEProtection
IKE_Flags_UseCRL="No"
IKE_KeyOverlap="50"
IKE_ProtectionName="P1Pol"
IKE_ResponderKeyRefreshMaxKB="200"
IKE_ResponderKeyRefreshMaxMinutes="480"
IKE_ResponderKeyRefreshMinKB="1"
IKE_ResponderKeyRefreshMinMinutes="1"
IKE_Role="Both"
IKE_Version="2"
IKE_XCHGMode="None">
<IKETransform
IKE_Encryption="AES-CBC-256"/>
<IKETransform
IKE_PRF="PRF_HMAC_SHA1"/>
<IKETransform
IKE_Hash="SHA"/>
<IKETransform
IKE_DHGroup="14"/>
<IKETransform
IKE_AuthenticationMethod="Preshared_key"/>
<IKETransform
IKE_KeyRefreshMinutes="480"/>
</IKEProtection>
<IKETunnel
IKE_Flags_AutoStart="No"
IKE_Flags_MakeRuleWithOptionalIP="No"
IKE_ProtectionRef="P1Pol"
IKE_TunnelName="P1">
<IKELocalIdentity>
<IPV4_Address
Value="19.19.19.1"/>
</IKELocalIdentity>
<IKERemoteIdentity>
<IPV4_Address
Value="19.19.19.2"/>
</IKERemoteIdentity>
</IKETunnel>
<IKEPresharedKey
Format="ASCII"
Value="12345678910abcedf">
<IKEPresharedRemoteID>
<PK_IPV4_Address
Value="19.19.19.2"/>
</IKEPresharedRemoteID>
</IKEPresharedKey>
<IPSecProposal
IPSec_ProposalName="P2Prop">
<IPSecESPProtocol
ESP_Authentication="HMAC-SHA"
ESP_EncapsulationMode="Transport"
ESP_Encryption="ESP_AES_128"
ESP_ExtendedSeqNum="0"
ESP_KeyRefreshKB="512"
ESP_KeyRefreshMinutes="2"/>
</IPSecProposal>
<IPSecProtection
IPSec_Flags_UseCommitBit="No"
IPSec_Flags_UseLifeSize="No"
IPSec_InitiatorDHGroup="0"
IPSec_KeyOverlap="10"
IPSec_ProposalRefs="P2Prop "
IPSec_ProtectionName="P2Pol"
IPSec_ResponderDHGroup="NO_PFS"
IPSec_ResponderKeyRefreshMaxKB="200"
IPSec_ResponderKeyRefreshMaxMinutes="43200"
IPSec_ResponderKeyRefreshMinKB="1"
IPSec_ResponderKeyRefreshMinMinutes="1"
IPSec_Role="Both"/>
<IPSecTunnel
IKE_TunnelName="P1"
IPSec_Flags_AutoStart="No"
IPSec_Flags_OnDemand="No"
IPSec_ProtectionRef="P2Pol"
IPSec_TunnelName="P2">
<IPSecLocalIdentity
EndPort="65535"
Port="0"
Protocol="0">
<IPV4_Address_Range
From_IPAddr="19.19.19.1"
To_IPAddr="19.19.19.1"/>
</IPSecLocalIdentity>
<IPSecRemoteIdentity
EndPort="65535"
Port="0"
Protocol="0">
<IPV4_Address_Range
From_IPAddr="19.19.19.2"
To_IPAddr="19.19.19.2"/>
</IPSecRemoteIdentity>
</IPSecTunnel>
</AIX_VPN>
Before uploading the XML file into the IKE database, remove any existing data from the database with the command ikedb -x.
Verify that the database is empty with the command ikedb -g
# ikedb -x
P1_ITD database created successfully
P2_ITD database created successfully
P1_PREKEY database created successfully
PROPOSAL_LIST database created successfully
PROPOSAL database created successfully
POLICY database created successfully
GROUP database created successfully
NDBM:/etc/ipsec/inet/DB/privkey
# ikedb -g
<?xml version="1.0"?>
<AIX_VPN
Version="2.1"/>
Upload the xml file into IKE database
# ikedb -p ibm-strongswan-psk-aix.xml
Let's move on to setting up the configuration files on Linux. strongSwan deprecated the ipsec.conf configuration format a long time ago and now uses the /etc/strongswan/swanctl/swanctl.conf file, which is shown below for reference. Copy the content shown below into the corresponding config file on Linux. The pre-shared key in this sample is a test value only; in a real deployment use a long, randomly generated secret, as noted above.
The file "/etc/strongswan/swanctl/swanctl.conf" for reference
include conf.d/*.conf
connections {
tun1 {
version = 2
proposals = aes256-sha-modp2048
fragmentation = no
local_addrs = 19.19.19.2
remote_addrs = 19.19.19.1
local {
auth = psk
}
remote {
auth = psk
}
children {
tun1 {
esp_proposals = aes128-sha
mode = transport
}
}
}
}
secrets {
ike-local {
id = 19.19.19.2
secret = 12345678910abcedf
}
ike-remote {
id = 19.19.19.1
secret = 12345678910abcedf
}
}
Start the IPSec services on both AIX and Linux. Whenever /etc/strongswan/swanctl/swanctl.conf changes on Linux, the daemon must be restarted (or the configuration reloaded with swanctl --load-all, which the service runs at start)
On AIX, stop the services, verify that they show as inoperative, then start the services again and verify that all of them are active
# stopsrc -g ike
0513-044 The cpsd Subsystem was requested to stop.
0513-044 The tmd Subsystem was requested to stop.
0513-044 The iked Subsystem was requested to stop.
# lssrc -g ike
Subsystem Group PID Status
cpsd ike inoperative
tmd ike inoperative
iked ike inoperative
# startsrc -g ike
0513-059 The cpsd Subsystem has been started. Subsystem PID is 13042012.
0513-059 The tmd Subsystem has been started. Subsystem PID is 7864588.
0513-059 The iked Subsystem has been started. Subsystem PID is 9044406.
# lssrc -g ike
Subsystem Group PID Status
cpsd ike 13042012 active
tmd ike 7864588 active
iked ike 9044406 active
On Linux, restart the ipsec services
# systemctl restart strongswan
# systemctl status strongswan
strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; preset: disabled)
Active: active (running) since Sat 2024-11-23 03:31:23 EST; 6s ago
Process: 40515 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status>
Main PID: 40487 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.9.10, Linux 5.14.0-427.13.1.el9_4.ppc64le,>
Tasks: 17 (limit: 17732)
Memory: 19.6M
CPU: 47ms
CGroup: /system.slice/strongswan.service
└─40487 /usr/sbin/charon-systemd
On AIX, activate the tunnels with ike cmd=activate and verify that they are active with ike cmd=list.
The commands ike cmd=list verbose and lstun -a show the verbose status and the tunnel definitions
# ike cmd=activate
Phase 2 tunnel 1 activate request initiated.
# ike cmd=list
Phase Tun Id Status Local Id Remote Id
1 1 Active 19.19.19.1 19.19.19.2
2 1 Active 19.19.19.1-19.19.19.1 19.19.19.2-19.19.19.2
On Linux, verify that the tunnels are active using the swanctl CLI.
More information about swanctl is available in the swanctl tool documentation
# swanctl --list-conns
plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
tun1: IKEv2, no reauthentication, rekeying every 14400s
local: 19.19.19.2
remote: 19.19.19.1
local pre-shared key authentication:
remote pre-shared key authentication:
tun1: TRANSPORT, rekeying every 3600s
local: dynamic
remote: dynamic
# swanctl --list-sas
plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
tun1: #1, ESTABLISHED, IKEv2, ab1379cae015a6a2_i 7924786d7441c5a8_r*
local '19.19.19.2' @ 19.19.19.2[500]
remote '19.19.19.1' @ 19.19.19.1[500]
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 28s ago, rekeying in 14123s
tun1: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
installed 28s ago, rekeying in 3337s, expires in 3932s
in c66f4d24, 0 bytes, 0 packets
out 6c3d3ee6, 0 bytes, 0 packets
local 19.19.19.2/32
remote 19.19.19.1/32
Create IPSec Tunnels with Digital Certificates (RSA)
To create IPSec tunnels with RSA authentication we must first generate certificates. In this tutorial GSKit is used to create the certificates on AIX, and openssl on AIX is then used to extract the certificates and private keys into a format that works on Linux. You can also use strongSwan's pki tool to generate certificates.
In strongSwan, all the required CA certificates are stored in the directory /etc/strongswan/swanctl/x509ca, either in binary DER or in Base64 PEM format. The endpoint certificates and private keys are stored in /etc/strongswan/swanctl/x509 and /etc/strongswan/swanctl/private respectively. On AIX, the certificates and private keys are stored in the /etc/security directory in kdb format.
Pre-requisites:
Step1: Create an empty CMS keystore for the Root CA, then create the certificate and private key for the Root CA with ca=true, which allows this certificate to sign all the other certificates. Extract the certificate to rootCA_Pub.arm
# mkdir /GSK_CERTS ; cd /GSK_CERTS
# gsk8capicmd -keydb -create -db /GSK_CERTS/rootCA.kdb -pw 123456 -type cms -stash -v1stash
# gsk8capicmd -cert -create -db /GSK_CERTS/rootCA.kdb -pw 123456 -size 2048 -dn "C=IN,O=IBM,CN=ipsecroot" -label Root_CA -default_cert yes -ca true
# gsk8capicmd -cert -extract -db /GSK_CERTS/rootCA.kdb -stashed -label Root_CA -format ascii -target rootCA_Pub.arm
Step2: Create an empty keystore for the certificates used on AIX. Add the Root CA to this database, use the Root CA to sign the certificate that will be used on AIX, and receive the signed certificate into the keystore. Copy the keystore to /etc/security on AIX
# gsk8capicmd -keydb -create -db /GSK_CERTS/ikekey.kdb -pw 123456 -type cms -stash -v1stash
# gsk8capicmd -cert -add -db /GSK_CERTS/ikekey.kdb -stashed -label Root_CA -file rootCA_Pub.arm -format ascii -trust enable
# gsk8capicmd -certreq -create -db /GSK_CERTS/ikekey.kdb -pw 123456 -label Test_Cert2 -dn "C=IN,ST=KA,L=BA,O=IBM,OU=ISL,CN=test2" -size 2048 -file /GSK_CERTS/cert2_csr.arm
# gsk8capicmd -cert -sign -db /GSK_CERTS/rootCA.kdb -pw 123456 -label Root_CA -target /GSK_CERTS/Test_Cert2.cer -format ascii -expire 100 -file /GSK_CERTS/cert2_csr.arm -sigalg SHA256_WITH_RSA
# gsk8capicmd -cert -receive -file /GSK_CERTS/Test_Cert2.cer -db /GSK_CERTS/ikekey.kdb -pw 123456 -type cms -format ascii
# /usr/bin/mv /GSK_CERTS/ikekey* /etc/security
Step3: Create an empty keystore for the certificates used on Linux. Add the Root CA to this database, use the Root CA to sign the certificate that will be used on Linux, and receive the signed certificate into the keystore. The certificate is converted to P12 format for Linux in the next step
# gsk8capicmd -keydb -create -db /GSK_CERTS/R1ikekey.kdb -pw 123456 -type cms -stash -v1stash
# gsk8capicmd -cert -add -db /GSK_CERTS/R1ikekey.kdb -stashed -label Root_CA -file rootCA_Pub.arm -format ascii -trust enable
# gsk8capicmd -certreq -create -db /GSK_CERTS/R1ikekey.kdb -pw 123456 -label Test_Cert1 -dn "C=IN,ST=KA,L=BA,O=IBM,OU=ISL,CN=test1" -size 2048 -file /GSK_CERTS/cert1_csr.arm
# gsk8capicmd -cert -sign -db /GSK_CERTS/rootCA.kdb -pw 123456 -label Root_CA -target /GSK_CERTS/Test_Cert1.cer -format ascii -expire 100 -file /GSK_CERTS/cert1_csr.arm -sigalg SHA256_WITH_RSA
# gsk8capicmd -cert -receive -file /GSK_CERTS/Test_Cert1.cer -db /GSK_CERTS/R1ikekey.kdb -pw 123456 -type cms -format ascii
Step4: Convert the RootCA and endpoint certificates into P12 format that works on Linux
# gsk8capicmd -keydb -convert -db /GSK_CERTS/rootCA.kdb -pw 123456 -type cms -new_db /GSK_CERTS/RootCA.p12 -new_pw 123456 -new_format p12 -stash -v1stash
# gsk8capicmd -keydb -convert -db /GSK_CERTS/R1ikekey.kdb -pw 123456 -type cms -new_db /GSK_CERTS/Linux.p12 -new_pw 123456 -new_format p12 -stash -v1stash
Step5: Use openssl to extract the CA certificate, the endpoint certificate and the private key separately from the PKCS#12 files (openssl x509 cannot read PKCS#12 input, so the pkcs12 subcommand is used for all three). Enter the password 123456 when asked. Note that -nodes writes the private key unencrypted, so keep the file's permissions restrictive.
# openssl pkcs12 -in /GSK_CERTS/RootCA.p12 -nokeys -out /GSK_CERTS/ca.crt.pem
# openssl pkcs12 -in /GSK_CERTS/Linux.p12 -nokeys -clcerts -out /GSK_CERTS/linux.crt.pem
# openssl pkcs12 -in /GSK_CERTS/Linux.p12 -nocerts -nodes -out /GSK_CERTS/linux.key.pem
Step6: Copy the certificates and the private key to the remote Linux machine (19.19.19.2 in this setup), for example with scp as a user who can write to the swanctl directories
# scp /GSK_CERTS/ca.crt.pem root@19.19.19.2:/etc/strongswan/swanctl/x509ca/
# scp /GSK_CERTS/linux.crt.pem root@19.19.19.2:/etc/strongswan/swanctl/x509/
# scp /GSK_CERTS/linux.key.pem root@19.19.19.2:/etc/strongswan/swanctl/private/
The following is the sample xml file on AIX with RSA authentication. Save this as ipsec-strongswan-cert-aix.xml
<?xml version="1.0"?>
<AIX_VPN
Version="2.1">
<IKEProtection
IKE_Flags_UseCRL="No"
IKE_KeyOverlap="10"
IKE_ProtectionName="P1Pol"
IKE_ResponderKeyRefreshMaxKB="200"
IKE_ResponderKeyRefreshMaxMinutes="1440"
IKE_ResponderKeyRefreshMinKB="1"
IKE_ResponderKeyRefreshMinMinutes="60"
IKE_Role="Both"
IKE_Version="2"
IKE_XCHGMode="None">
<IKETransform
IKE_Encryption="AES-CBC-128"/>
<IKETransform
IKE_PRF="PRF_SHA2_256"/>
<IKETransform
IKE_Hash="SHA2_256"/>
<IKETransform
IKE_DHGroup="14"/>
<IKETransform
IKE_AuthenticationMethod="RSA_signatures"/>
<IKETransform
IKE_KeyRefreshMinutes="120"/>
</IKEProtection>
<IKETunnel
IKE_Flags_AutoStart="Yes"
IKE_Flags_MakeRuleWithOptionalIP="Yes"
IKE_ProtectionRef="P1Pol"
IKE_TunnelName="P1-1">
<IKELocalIdentity>
<ASN1_DN
Value="/C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test2">
<IPV4_Address
Value="19.19.19.1"/>
</ASN1_DN>
</IKELocalIdentity>
<IKERemoteIdentity>
<ASN1_DN
Value="/C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test1">
<IPV4_Address
Value="19.19.19.2"/>
</ASN1_DN>
</IKERemoteIdentity>
</IKETunnel>
<IPSecProposal
IPSec_ProposalName="P2Prop">
<IPSecESPProtocol
ESP_Authentication="HMAC-SHA"
ESP_EncapsulationMode="Transport"
ESP_Encryption="ESP_AES_128"
ESP_ExtendedSeqNum="0"
ESP_KeyRefreshKB="512"
ESP_KeyRefreshMinutes="30"/>
</IPSecProposal>
<IPSecProtection
IPSec_Flags_UseCommitBit="No"
IPSec_Flags_UseLifeSize="No"
IPSec_InitiatorDHGroup="0"
IPSec_KeyOverlap="10"
IPSec_ProposalRefs="P2Prop "
IPSec_ProtectionName="P2Pol"
IPSec_ResponderDHGroup="NO_PFS"
IPSec_ResponderKeyRefreshMaxKB="200"
IPSec_ResponderKeyRefreshMaxMinutes="43200"
IPSec_ResponderKeyRefreshMinKB="1"
IPSec_ResponderKeyRefreshMinMinutes="60"
IPSec_Role="Both"/>
<IPSecTunnel
IKE_TunnelName="P1-1"
IPSec_Flags_AutoStart="Yes"
IPSec_Flags_OnDemand="No"
IPSec_ProtectionRef="P2Pol"
IPSec_TunnelName="P2-1">
<IPSecLocalIdentity
EndPort="65535"
Port="0"
Protocol="0">
<IPV4_Address_Range
From_IPAddr="19.19.19.1"
To_IPAddr="19.19.19.1"/>
</IPSecLocalIdentity>
<IPSecRemoteIdentity
EndPort="65535"
Port="0"
Protocol="0">
<IPV4_Address_Range
From_IPAddr="19.19.19.2"
To_IPAddr="19.19.19.2"/>
</IPSecRemoteIdentity>
</IPSecTunnel>
</AIX_VPN>
The Linux configuration file is /etc/strongswan/swanctl/swanctl.conf; a sample configuration is shown below. Copy the contents to the corresponding file on Linux
include conf.d/*.conf
connections {
tun1 {
version = 2
proposals = aes128-sha256-modp2048
fragmentation = no
local_addrs = 19.19.19.2
remote_addrs = 19.19.19.1
send_cert = always
local {
auth = pubkey
certs = linux.crt.pem
id = "C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1"
}
remote {
auth = pubkey
id = "C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test2"
}
children {
tun1 {
esp_proposals = aes128-sha
mode = transport
}
}
}
}
secrets {
private-local {
file = linux.key.pem
secret = 123456
}
}
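The two configurations above (and the PSK pair earlier) must mirror each other exactly: AIX's IKE transforms must equal the strongSwan proposal, AIX's local identity and address must be strongSwan's remote ones and vice versa, and the authentication method must match on both sides. The script below is an added consistency check, not part of this tutorial nor of AIX or strongSwan; it embeds a constructed excerpt of the RSA configuration, and its keyword tables cover only the algorithms used on this page.

```python
import re
import xml.etree.ElementTree as ET
# Constructed excerpt of the tutorial's AIX RSA policy (only the elements the checker reads).
AIX_XML = """<AIX_VPN Version="2.1"><IKEProtection IKE_ProtectionName="P1Pol">
<IKETransform IKE_Encryption="AES-CBC-128"/><IKETransform IKE_Hash="SHA2_256"/>
<IKETransform IKE_DHGroup="14"/><IKETransform IKE_AuthenticationMethod="RSA_signatures"/>
</IKEProtection><IKETunnel IKE_TunnelName="P1-1" IKE_ProtectionRef="P1Pol"><IKELocalIdentity>
<ASN1_DN Value="/C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test2"><IPV4_Address Value="19.19.19.1"/></ASN1_DN>
</IKELocalIdentity><IKERemoteIdentity><ASN1_DN Value="/C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test1">
<IPV4_Address Value="19.19.19.2"/></ASN1_DN></IKERemoteIdentity></IKETunnel></AIX_VPN>"""

# Constructed excerpt of the matching swanctl.conf connection from the tutorial.
SWANCTL = """connections {
  tun1 {
    proposals = aes128-sha256-modp2048
    local_addrs = 19.19.19.2
    remote_addrs = 19.19.19.1
    local {
      auth = pubkey
      id = "C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1"
    }
    remote {
      auth = pubkey
      id = "C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test2"
    }
  }
}"""

ENC = {"AES-CBC-128": "aes128", "AES-CBC-256": "aes256"}  # AIX keyword -> strongSwan keyword
HASH = {"SHA": "sha1", "SHA2_256": "sha256"}
DH, AUTH = {"14": "modp2048"}, {"Preshared_key": "psk", "RSA_signatures": "pubkey"}
ALIAS = {"sha": "sha1"}  # strongSwan accepts "sha" as a synonym for "sha1"

def parse_swanctl(text):
    """Minimal parser for the brace / key = value syntax of swanctl.conf."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include"): continue
        if line.endswith("{"):  # open a (nested) section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
    return stack[0]

def identity(value):  # '/C=IN/ST=KA/...' and 'C=IN, ST=KA, ...' compare equal
    return [p.strip() for p in re.split(r"[/,]", value) if p.strip()]

def aix_side(elem):  # (identity, ip) of an IKELocalIdentity / IKERemoteIdentity element
    ip, dn = elem.find(".//IPV4_Address").get("Value"), elem.find("ASN1_DN")
    return identity(dn.get("Value") if dn is not None else ip), ip

def check_tunnel(aix_xml, swanctl_text, conn_name="tun1"):
    """List every mismatch between the AIX IKE policy and the swanctl connection."""
    root = ET.fromstring(aix_xml)
    tf = {k: v for t in root.iter("IKETransform") for k, v in t.attrib.items()}
    conn, problems = parse_swanctl(swanctl_text)["connections"][conn_name], []
    # IKE proposal: AIX's cipher/integrity/DH triple must be one of those Linux offers.
    want = f'{ENC[tf["IKE_Encryption"]]}-{HASH[tf["IKE_Hash"]]}-{DH[tf["IKE_DHGroup"]]}'
    offered = ["-".join(ALIAS.get(t, t) for t in p.split("-")) for p in conn["proposals"].split(",")]
    if want not in offered:
        problems.append(f"IKE proposal: AIX wants {want}, Linux offers {offered}")
    # Endpoints are mirrored (AIX local is Linux remote); the auth method must match on both.
    for aix_el, sw in (("IKELocalIdentity", "remote"), ("IKERemoteIdentity", "local")):
        ident, ip = aix_side(root.find(f"IKETunnel/{aix_el}"))
        if conn[sw]["auth"] != AUTH[tf["IKE_AuthenticationMethod"]]:
            problems.append(f"{sw} auth {conn[sw]['auth']} != AIX {tf['IKE_AuthenticationMethod']}")
        if ip != conn[f"{sw}_addrs"] or ident != identity(conn[sw].get("id", ip)):
            problems.append(f"{sw} address/id does not match AIX {aix_el} ({ip})")
    return problems
```

Without an id setting strongSwan identifies a peer by its address, which is what the PSK configuration relies on, so the same check applies to it unchanged.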
Once the configuration files are ready, upload the XML file on AIX with the ikedb command and update /etc/strongswan/swanctl/swanctl.conf on Linux.
# ikedb -x
# ikedb -g
# ikedb -p ipsec-strongswan-cert-aix.xml
Start the daemons on both AIX and Linux
# stopsrc -g ike
# lssrc -g ike
# startsrc -g ike
# lssrc -g ike
# systemctl restart strongswan
# systemctl status strongswan
strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; preset>
Active: active (running) since Tue 2024-12-03 12:53:08 EST; 13s ago
Process: 52348 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=e>
Main PID: 52321 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.9.10, Linux 5.14.0-427.13.1.e>
Tasks: 17 (limit: 17732)
Memory: 20.9M
CPU: 63ms
CGroup: /system.slice/strongswan.service
└─52321 /usr/sbin/charon-systemd
Verify the certificates are loaded properly and listed correctly on both AIX and Linux
# gsk8capicmd -cert -list -db /etc/security/ikekey.kdb -pw 123456
Certificates found
* default, - personal, ! trusted, # secret key
! Root_CA
- Test_Cert2
# swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1"
issuer: "C=IN, O=IBM, CN=ipsecroot"
validity: not before Dec 02 11:43:59 2024, ok
not after Mar 13 12:43:59 2025, ok (expires in 99 days)
serial: 7e:a8:03:2b:fc:b1:c2:37
flags:
authkeyId: eb:f8:e9:d1:d0:e5:33:30:e3:94:13:d5:b1:09:21:aa:1a:5c:c2:db
subjkeyId: d4:28:89:05:48:07:19:85:2e:3f:c2:bf:89:fa:5d:b6:5c:a4:64:50
pubkey: RSA 2048 bits, has private key
keyid: de:f8:31:a6:40:07:31:b6:e5:94:d7:41:83:ed:0b:2b:d5:05:9a:09
subjkey: 87:7a:a8:f7:cd:95:0a:ea:5f:5b:06:b7:92:11:55:67:64:73:80:bf
List of X.509 CA Certificates
subject: "C=IN, O=IBM, CN=ipsecroot"
issuer: "C=IN, O=IBM, CN=ipsecroot"
validity: not before Dec 02 11:41:10 2024, ok
not after Dec 03 11:41:10 2025, ok (expires in 364 days)
serial: 4f:68:84:a1:2d:b3:ec:f6
flags: CA self-signed
authkeyId: eb:f8:e9:d1:d0:e5:33:30:e3:94:13:d5:b1:09:21:aa:1a:5c:c2:db
subjkeyId: eb:f8:e9:d1:d0:e5:33:30:e3:94:13:d5:b1:09:21:aa:1a:5c:c2:db
pubkey: RSA 2048 bits
keyid: 8e:d3:9b:c8:33:8d:88:18:50:cd:93:c9:d9:31:52:80:36:66:08:6e
subjkey: 9d:60:7a:4d:42:e5:3b:95:18:8d:84:82:d3:dd:0b:cf:d8:b0:35:ce
Activate the tunnels on AIX and verify the tunnels are proper on both AIX and Linux
# ike cmd=activate
Phase 2 tunnel 1 activate request initiated.
# ike cmd=list
Phase Tun Id Status Local Id Remote Id
1 1 Active /C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test2 /C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test1
2 1 Active 19.19.19.1-19.19.19.1 19.19.19.2-19.19.19.2
# swanctl --list-sas
tun1: #1, ESTABLISHED, IKEv2, 522707d3a57a660a_i 42e48ec5338b4e07_r*
local 'C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1' @ 19.19.19.2[500]
remote 'C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test2' @ 19.19.19.1[500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 46s ago, rekeying in 14171s
tun1: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
installed 46s ago, rekeying in 3366s, expires in 3914s
in c661572f, 0 bytes, 0 packets
out c1376bb9, 0 bytes, 0 packets
local 19.19.19.2/32
remote 19.19.19.1/32
# swanctl --list-conns
tun1: IKEv2, no reauthentication, rekeying every 14400s
local: 19.19.19.2
remote: 19.19.19.1
local public key authentication:
id: C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1
certs: C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test1
remote public key authentication:
id: C=IN, ST=KA, L=BA, O=IBM, OU=ISL, CN=test2
tun1: TRANSPORT, rekeying every 3600s
local: dynamic
remote: dynamic
Conclusion
This article gives detailed instructions for creating host-to-host IPSec tunnels with PSK and RSA authentication between AIX and Linux using strongSwan.
References