
Libreswan

  • Installing the package
apt install libreswan
  • Initializing NSS and setting up password to access the DB
ipsec initnss
certutil -W -d sql:/var/lib/ipsec/nss
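  • Setting up the password file that pluto uses to access the DB (the password is stored in cleartext, so the file should be owned by root and not readable by other users)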
touch /etc/ipsec.d/nsspassword
nano -w /etc/ipsec.d/nsspassword
NSS Certificate DB:secret
  • Enabling Libreswan
systemctl enable ipsec
systemctl status ipsec
  • Exporting the certs from MikroTik (System >> Certificates)
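  • Uploading to the Libreswan host and removing the passphrase encryption from the private keys (the resulting .key files are unprotected and should be deleted once the PKCS#12 archives have been imported; root_ca.key is not used by any later step on this page)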
openssl rsa -in root_ca.key_encr -out root_ca.key
openssl rsa -in fw1_ike.key_encr -out fw1_ike.key
openssl rsa -in fw2_ike.key_encr -out fw2_ike.key
  • Creating PKCS#12 archives
openssl pkcs12 -export -in fw1_ike.crt -inkey fw1_ike.key -certfile root_ca.crt -out fw1_ike.p12 -name fw1_ike
openssl pkcs12 -export -in fw2_ike.crt -inkey fw2_ike.key -certfile root_ca.crt -out fw2_ike.p12 -name fw2_ike
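  • Importing the IKE authentication certificates into NSS (details). Each .p12 archive also contains the private key, so importing fw1_ike.p12 puts the peer's private key on this host; for rightcert= the peer's certificate alone is sufficient.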
certutil -A -a -i /home/username/certs/root_ca.crt -d sql:/var/lib/ipsec/nss -n "RootCA" -t 'CT,,'
ipsec import /home/username/certs/fw1_ike.p12
ipsec import /home/username/certs/fw2_ike.p12
touch /etc/ipsec.d/fw1-fw2.conf
nano -w /etc/ipsec.d/fw1-fw2.conf
conn fw1-fw2
        # Certificate-authenticated IKEv2 connection between two gateways.
        # PubIP1 / PubIP2 are placeholders for the peers' public addresses.
        # Keep this section free of blank lines: a blank line ends a conn section.
        # Peers
        # left is the local side here (its address matches listen= in /etc/ipsec.conf).
        left=PubIP2
        right=PubIP1
        # Phase 1 Settings
        keyexchange=ike
        # insist: negotiate IKEv2 only, never fall back to IKEv1.
        # NOTE(review): how IKEv2 is selected differs between Libreswan releases;
        # check ipsec.conf(5) for the installed version.
        ikev2=insist
        # AES-256 encryption, SHA-256 integrity/PRF, DH group 21 (521-bit ECP).
        ike=aes256-sha256;dh21
        ikelifetime=24h
        # Dead peer detection: probe every 8s, give up after 32s, then drop the SA.
        dpddelay=8s
        dpdtimeout=32s
        dpdaction=clear
        fragmentation=yes
        # IKEv2 Auth
        # RSA signatures backed by certificates held in the NSS database.
        authby=rsasig
        # Presumably the NSS nicknames set with "-name" when the PKCS#12 archives
        # were created (fw1_ike / fw2_ike) — confirm against the NSS DB contents.
        leftcert=fw2_ike
        # %fromcert: take the IKE identity from the certificate subject.
        leftid=%fromcert
        leftsendcert=always
        leftrsasigkey=%cert
        rightcert=fw1_ike
        rightid=%fromcert
        # %same: the peer's certificate must chain to the same CA as the local one.
        rightca=%same
        rightrsasigkey=%cert
        # Phase 2 Settings
        type=tunnel
        phase2=esp
        phase2alg=aes256-sha256;dh21
        salifetime=12h
        rekey=yes
        # Perform a fresh DH exchange when child SAs are rekeyed.
        pfs=yes
        # SAs
        # protoport=gre limits the traffic selectors to GRE, so only GRE between
        # the two peers is protected by this connection; other traffic between
        # them is not covered by it.
        leftsourceip=PubIP2
        leftprotoport=gre
        rightsourceip=PubIP1
        rightprotoport=gre
        # Auto Start During Bootup
        # Load the connection and initiate it when the service starts.
        auto=start
  • Defining the address to listen on (in the config setup section)
nano -w /etc/ipsec.conf
listen=PubIP2
  • Restarting the service
systemctl restart ipsec
systemctl status ipsec
  • Defining filtering rules 
nano -w /etc/iptables/rc.firewall
# IPSec
# $ipt, $iface and $remote_peer are not defined in this excerpt; presumably
# they are set earlier in rc.firewall (iptables binary, public interface,
# peer address) — confirm before adding these lines.
# Every rule matches state NEW only, so a rule accepting ESTABLISHED/RELATED
# traffic is presumably present elsewhere in the script — verify.
# IKE negotiation: UDP port 500, to and from the remote peer only.
$ipt -A INPUT -i $iface -p udp -m state --state NEW -s $remote_peer --dport 500 -j ACCEPT
$ipt -A OUTPUT -o $iface -p udp -m state --state NEW -d $remote_peer --dport 500 -j ACCEPT
# ESP (IP protocol 50) carrying the tunnel traffic, again limited to the peer.
# NOTE(review): UDP 4500 (NAT traversal) is not opened here; that is fine only
# while there is no NAT between the two peers.
$ipt -A INPUT -i $iface -p 50 -m state --state NEW -s $remote_peer -j ACCEPT
$ipt -A OUTPUT -o $iface -p 50 -m state --state NEW -d $remote_peer -j ACCEPT
  • Checking
/etc/iptables/rc.firewall
iptables -nvL