A virtual private network (VPN) is a way of connecting to a local network over the internet. IPsec
provided by Libreswan
is the preferred method for creating a VPN. Libreswan
is a user-space IPsec
implementation for VPN. A VPN enables the communication between your LAN, and another, remote LAN by setting up a tunnel across an intermediate network such as the internet. For security reasons, a VPN tunnel always uses authentication and encryption. For cryptographic operations, Libreswan
uses the NSS
library.
7.1.Configuring a VPN connection with control-center
If you use RedHat EnterpriseLinux with a graphical interface, you can configure a VPN connection in the GNOME control-center
.
Prerequisites
- The
NetworkManager-libreswan-gnome
package is installed.
Procedure
- Press the Super key, type
Settings
, and press Enter to open thecontrol-center
application. - Select the
Network
entry on the left. - Click the + icon.
- Select
VPN
. Select the
Identity
menu entry to see the basic configuration options:General
Gateway
— The name orIP
address of the remote VPN gateway.Authentication
Type
IKEv2 (Certificate)
- client is authenticated by certificate. It is more secure (default).IKEv1 (XAUTH)
- client is authenticated by user name and password, or a pre-shared key (PSK).The following configuration settings are available under the
Advanced
section:Figure7.1.Advanced options of a VPN connection
Warning
When configuring an IPsec-based VPN connection using the
gnome-control-center
application, theAdvanced
dialog displays the configuration, but it does not allow any changes. As a consequence, users cannot change any advanced IPsec options. Use thenm-connection-editor
ornmcli
tools instead to perform configuration of the advanced properties.Identification
Domain
— If required, enter the Domain Name.Security
Phase1 Algorithms
— corresponds to theike
Libreswan parameter — enter the algorithms to be used to authenticate and set up an encrypted channel.Phase2 Algorithms
— corresponds to theesp
Libreswan parameter — enter the algorithms to be used for theIPsec
negotiations.Check the
Disable PFS
field to turn off Perfect Forward Secrecy (PFS) to ensure compatibility with old servers that do not support PFS.Phase1 Lifetime
— corresponds to theikelifetime
Libreswan parameter — how long the key used to encrypt the traffic will be valid.Phase2 Lifetime
— corresponds to thesalifetime
Libreswan parameter — how long a particular instance of a connection should last before expiring.Note that the encryption key should be changed from time to time for security reasons.
Remote network
— corresponds to therightsubnet
Libreswan parameter — the destination private remote network that should be reached through the VPN.See Also8 Best VPN For LinuxHow To Make Your Own Vpn In Linux In 12 Steps8 Beste VPN voor Linux8 meilleurs VPN pour LinuxCheck the
narrowing
field to enable narrowing. Note that it is only effective in IKEv2 negotiation.Enable fragmentation
— corresponds to thefragmentation
Libreswan parameter — whether or not to allow IKE fragmentation. Valid values areyes
(default) orno
.Enable Mobike
— corresponds to themobike
Libreswan parameter — whether to allow Mobility and Multihoming Protocol (MOBIKE, RFC 4555) to enable a connection to migrate its endpoint without needing to restart the connection from scratch. This is used on mobile devices that switch between wired, wireless, or mobile data connections. The values areno
(default) oryes
.
Select the IPv4 menu entry:
IPv4 Method
Automatic (DHCP)
— Choose this option if the network you are connecting to uses aDHCP
server to assign dynamicIP
addresses.Link-Local Only
— Choose this option if the network you are connecting to does not have aDHCP
server and you do not want to assignIP
addresses manually. Random addresses will be assigned as per RFC 3927 with prefix169.254/16
.Manual
— Choose this option if you want to assignIP
addresses manually.Disable
—IPv4
is disabled for this connection.DNS
In the
DNS
section, whenAutomatic
isON
, switch it toOFF
to enter the IP address of a DNS server you want to use separating the IPs by comma.Routes
Note that in the
Routes
section, whenAutomatic
isON
, routes from DHCP are used, but you can also add additional static routes. WhenOFF
, only static routes are used.Address
— Enter theIP
address of a remote network or host.Netmask
— The netmask or prefix length of theIP
address entered above.Gateway
— TheIP
address of the gateway leading to the remote network or host entered above.Metric
— A network cost, a preference value to give to this route. Lower values will be preferred over higher values.Use this connection only for resources on its network
Select this check box to prevent the connection from becoming the default route. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually is routed over the connection.
To configure
IPv6
settings in aVPN
connection, select the IPv6 menu entry:IPv6 Method
Automatic
— Choose this option to useIPv6
Stateless Address AutoConfiguration (SLAAC) to create an automatic, stateless configuration based on the hardware address and Router Advertisem*nts (RA).Automatic, DHCP only
— Choose this option to not use RA, but request information fromDHCPv6
directly to create a stateful configuration.Link-Local Only
— Choose this option if the network you are connecting to does not have aDHCP
server and you do not want to assignIP
addresses manually. Random addresses will be assigned as per RFC 4862 with prefixFE80::0
.Manual
— Choose this option if you want to assignIP
addresses manually.Disable
—IPv6
is disabled for this connection.Note that
DNS
,Routes
,Use this connection only for resources on its network
are common toIPv4
settings.
- Once you have finished editing the
VPN
connection, click the Add button to customize the configuration or the Apply button to save it for the existing one. - Switch the profile to
ON
to active theVPN
connection.
Additional resources
nm-settings-libreswan(5)
7.2.Configuring a VPN connection using nm-connection-editor
If you use RedHat EnterpriseLinux with a graphical interface, you can configure a VPN connection in the nm-connection-editor
application.
Prerequisites
- The
NetworkManager-libreswan-gnome
package is installed. If you configure an Internet Key Exchange version 2 (IKEv2) connection:
- The certificate is imported into the IPsec network security services (NSS) database.
- The nickname of the certificate in the NSS database is known.
Procedure
Open a terminal, and enter:
$ nm-connection-editor
- Click the + button to add a new connection.
- Select the
IPsec based VPN
connection type, and click Create. On the
VPN
tab:Enter the host name or IP address of the VPN gateway into the
Gateway
field, and select an authentication type. Based on the authentication type, you must enter different additional information:IKEv2 (Certifiate)
authenticates the client by using a certificate, which is more secure. This setting requires the nickname of the certificate in the IPsec NSS databaseIKEv1 (XAUTH)
authenticates the user by using a user name and password (pre-shared key). This setting requires that you enter the following values:- User name
- Password
- Group name
- Secret
If the remote server specifies a local identifier for the IKE exchange, enter the exact string in the
Remote ID
field. In the remote server runs Libreswan, this value is set in the server’sleftid
parameter.Optionally, configure additional settings by clicking the Advanced button. You can configure the following settings:
Identification
Domain
— If required, enter the domain name.
Security
Phase1 Algorithms
corresponds to theike
Libreswan parameter. Enter the algorithms to be used to authenticate and set up an encrypted channel.Phase2 Algorithms
corresponds to theesp
Libreswan parameter. Enter the algorithms to be used for theIPsec
negotiations.Check the
Disable PFS
field to turn off Perfect Forward Secrecy (PFS) to ensure compatibility with old servers that do not support PFS.Phase1 Lifetime
corresponds to theikelifetime
Libreswan parameter. This parameter defines how long the key used to encrypt the traffic is valid.Phase2 Lifetime
corresponds to thesalifetime
Libreswan parameter. This parameter defines how long a security association is valid.
Connectivity
Remote network
corresponds to therightsubnet
Libreswan parameter and defines the destination private remote network that should be reached through the VPN.Check the
narrowing
field to enable narrowing. Note that it is only effective in the IKEv2 negotiation.Enable fragmentation
corresponds to thefragmentation
Libreswan parameter and defines whether or not to allow IKE fragmentation. Valid values areyes
(default) orno
.Enable Mobike
corresponds to themobike
Libreswan parameter. The parameter defines whether to allow Mobility and Multihoming Protocol (MOBIKE) (RFC 4555) to enable a connection to migrate its endpoint without needing to restart the connection from scratch. This is used on mobile devices that switch between wired, wireless or mobile data connections. The values areno
(default) oryes
.
On the
IPv4 Settings
tab, select the IP assignment method and, optionally, set additional static addresses, DNS servers, search domains, and routes.- Save the connection.
- Close
nm-connection-editor
.
Note
When you add a new connection by clicking the + button, NetworkManager creates a new configuration file for that connection and then opens the same dialog that is used for editing an existing connection. The difference between these dialogs is that an existing connection profile has a Details menu entry.
Additional resources
nm-settings-libreswan(5)
man page
7.3.Configuring automatic detection and usage of ESP hardware offload to accelerate an IPsec connection
Offloading Encapsulating Security Payload (ESP) to the hardware accelerates IPsec connections over Ethernet. By default, Libreswan detects if hardware supports this feature and, as a result, enables ESP hardware offload. In case that the feature was disabled or explicitly enabled, you can switch back to automatic detection.
Prerequisites
- The network card supports ESP hardware offload.
- The network driver supports ESP hardware offload.
- The IPsec connection is configured and works.
Procedure
- Edit the Libreswan configuration file in the
/etc/ipsec.d/
directory of the connection that should use automatic detection of ESP hardware offload support. - Ensure the
nic-offload
parameter is not set in the connection’s settings. If you removed
nic-offload
, restart theipsec
service:# systemctl restart ipsec
Verification
If the network card supports ESP hardware offload support, following these steps to verify the result:
Display the
tx_ipsec
andrx_ipsec
counters of the Ethernet device the IPsec connection uses:# ethtool -S enp1s0 | egrep "_ipsec" tx_ipsec: 10 rx_ipsec: 10
Send traffic through the IPsec tunnel. For example, ping a remote IP address:
# ping -c 5 remote_ip_address
Display the
tx_ipsec
andrx_ipsec
counters of the Ethernet device again:# ethtool -S enp1s0 | egrep "_ipsec" tx_ipsec: 15 rx_ipsec: 15
If the counter values have increased, ESP hardware offload works.
Additional resources
- Configuring a VPN with IPsec
7.4.Configuring ESP hardware offload on a bond to accelerate an IPsec connection
Offloading Encapsulating Security Payload (ESP) to the hardware accelerates IPsec connections. If you use a network bond for fail-over reasons, the requirements and the procedure to configure ESP hardware offload are different from those using a regular Ethernet device. For example, in this scenario, you enable the offload support on the bond, and the kernel applies the settings to the ports of the bond.
Prerequisites
- All network cards in the bond support ESP hardware offload.
- The network driver supports ESP hardware offload on a bond device. In RHEL, only the
ixgbe
driver supports this feature. - The bond is configured and works.
- The bond uses the
active-backup
mode. The bonding driver does not support any other modes for this feature. - The IPsec connection is configured and works.
Procedure
Enable ESP hardware offload support on the network bond:
# nmcli connection modify bond0 ethtool.feature-esp-hw-offload on
This command enables ESP hardware offload support on the
bond0
connection.Reactivate the
bond0
connection:# nmcli connection up bond0
Edit the Libreswan configuration file in the
/etc/ipsec.d/
directory of the connection that should use ESP hardware offload, and append thenic-offload=yes
statement to the connection entry:conn example ... nic-offload=yes
Restart the
ipsec
service:# systemctl restart ipsec
Verification
Display the active port of the bond:
# grep "Currently Active Slave" /proc/net/bonding/bond0Currently Active Slave: enp1s0
Display the
tx_ipsec
andrx_ipsec
counters of the active port:# ethtool -S enp1s0 | egrep "_ipsec" tx_ipsec: 10 rx_ipsec: 10
Send traffic through the IPsec tunnel. For example, ping a remote IP address:
# ping -c 5 remote_ip_address
Display the
tx_ipsec
andrx_ipsec
counters of the active port again:# ethtool -S enp1s0 | egrep "_ipsec" tx_ipsec: 15 rx_ipsec: 15
If the counter values have increased, ESP hardware offload works.
Additional resources
- Configuring network bonding
- Configuring a VPN with IPsec section in the Securing networks document