Sample File
On the first server in DC1, this file looks like this. Its file name is dc1_to_dc2.conf, which means it enables IPsec between dc1 and dc2:
dc1_to_dc2.conf:
conn dc1-dc2
left=192.168.1.91
leftsubnet=192.168.1.0/22
leftid=@dc1.mydomain.com
leftrsasigkey=<later>
right=97.111.201.5
rightid=@dc2.mydomain.com
rightsubnet=192.168.100.0/22
rightrsasigkey=<later>
auto=start
Left and Right Designations
The term left refers to the local server (e.g. L) and right refers to the remote server (e.g. R), as seen from the server on which the configuration file is being written.
- conn dc1-dc2 - the name of the connection.
For left, which is local, we have:
- left - the IP address of the local ipsec server where the service is running (e.g. left=192.168.1.91)
- leftsubnet - the subnet behind the local ipsec server, in CIDR notation (e.g. leftsubnet=192.168.1.0/22)
- leftid - the local domain designation (e.g. @dc1.freightgate.com)
- leftrsasigkey - the local public key, generated from the local private key (stored in ipsec.secrets)
For right, which is remote, we have:
- right - the public IP address of the remote ipsec server where the service is running (e.g. right=66.161.122.6)
- rightsubnet - the subnet behind the remote ipsec server (e.g. rightsubnet=192.168.100.0/22). In this case it is a completely different subnet from the public address.
- rightid - the remote (public) domain designation (e.g. @idc.freightgate.com)
- rightrsasigkey - the remote server's public key, generated from that server's private key (its ipsec.secrets)
ipsec.d Directory
The ipsec.d directory looks like this:
[root@ipsec104v ipsec.d]# pwd
/etc/ipsec.d
[root@ipsec104v ipsec.d]# ls
cert9.db fvc_to_irv.conf ipsec.secrets key4.db pkcs11.txt policies
Let's clear this directory so it only contains:
[root@ipsec104v ipsec.d]# ls
policies SAVE
[root@ipsec104v ipsec.d]#
Create Database
To create a new NSS database and its files in the ipsec.d directory, use the command ipsec initnss. This creates the database files (or appends to existing ones); it does not create the ipsec.secrets file.
[root@ipsec104v ipsec.d]# ipsec initnss
Initializing NSS database
[root@ipsec104v ipsec.d]# ls
cert9.db key4.db pkcs11.txt policies SAVE
Create Private Key (ipsec.secrets)
To create the ipsec.secrets file, use the command ipsec newhostkey, specifying the NSS database directory and the output file:
[root@ipsec104v ipsec.d]# ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/ipsec.secrets
Generated RSA key pair with CKAID 4de5365bfc5645777a24f9846235e734e6f123d6 was stored in the NSS database
[root@ipsec104v ipsec.d]#
Once ipsec.secrets is created, we can list the private key with ipsec showhostkey --list.
=== Show Private Key ===
[root@ipsec104v ipsec.d]# ipsec showhostkey --list
< 1> RSA keyid: AwEAAbAqr ckaid: 4de5365bfc5645777a24f9846235e734e6f123d6
[root@ipsec104v ipsec.d]#
Display Public Keys
To show the public key, use ipsec showhostkey again, this time passing the CKAID of the private key together with either --left or --right. To display the left public key for this local server, use 'ipsec showhostkey --left --ckaid' with the CKAID listed above; use --right in the same way to display the right key.
[root@ipsec104v ipsec.d]# ipsec showhostkey --left --ckaid 4de5365bfc5645777a24f9846235e734e6f123d6
# rsakey AwEAAbAqr
leftrsasigkey=0sAwEAAbAqrcK4ATXXhutVwfdlH247MgyOk//cn49wMu0qzaPPar+s6gB/vJWaKdGpLhz+rmCBgCnJv9bLdaiUBge
6bgqsClISZ0gRWcW1nGFOayjnKthL+qcPeD6Xc1+tLeEI3V6CcKH/Pl2ldovDW2UvUUFYo5AaEnYB2uk+ohcR2/nYc9jRMbY1M9iurCoBFM
CP0M4WydoRDoHeCe6pMfInB23HSK0EXDHz7o9Tw8OzjK0fGOoddllr/UR0f0y8h7wVQIh6hsfIiDXkzMnpvSUg540RVSqBu4AurKVZoTLxQ
4hLEX50XmJhTK1qfAEoijwbblCIuttw1KhWl70ebD4kFSDS3s/n5QZyKc2Ku+9qrILn4UKvVjxZw8TWSNFhtp5BTnLivG/xKHbZo1Jh/BYW
Bahj9uUn5IYcq9mq/+/abQ6LE5JC3JuL0+m3TA8X/rlmHW2ETfJ8qicghM8PQRIu/ZUO1ECu1wwCYHh5IKxigH6QVa1ztYqsSlzxhfXOixN
ZgnrxdF1so3V1iNBoL+QyoeFWTFt/
[root@ipsec104v ipsec.d]# ipsec showhostkey --right --ckaid 4de5365bfc5645777a24f9846235e734e6f123d6
# rsakey AwEAAbAqr
rightrsasigkey=0sAwEAAbAqrcK4ATXXhutVwfdlH247MgyOk//cn49wMu0qzaPPar+s6gB/vJWaKdGpLhz+rmCBgCnJv9bLdaiUBge
6bgqsClISZ0gRWcW1nGFOayjnKthL+qcPeD6Xc1+tLeEI3V6CcKH/Pl2ldovDW2UvUUFYo5AaEnYB2uk+ohcR2/nYc9jRMbY1M9iurCoBFMC
P0M4WydoRDoHeCe6pMfInB23HSK0EXDHz7o9Tw8OzjK0fGOoddllr/UR0f0y8h7wVQIh6hsfIiDXkzMnpvSUg540RVSqBu4AurKVZoTLxQ4h
LEX50XmJhTK1qfAEoijwbblCIuttw1KhWl70ebD4kFSDS3s/n5QZyKc2Ku+9qrILn4UKvVjxZw8TWSNFhtp5BTnLivG/xKHbZo1Jh/BYWBah
j9uUn5IYcq9mq/+/abQ6LE5JC3JuL0+m3TA8X/rlmHW2ETfJ8qicghM8PQRIu/ZUO1ECu1wwCYHh5IKxigH6QVa1ztYqsSlzxhfXOixNZgnr
xdF1so3V1iNBoL+QyoeFWTFt/
[root@ipsec104v ipsec.d]#
Note: the left and right output are exactly the same key. This is expected: the public key of this server is the same whether the server is referred to as local (left) or remote (right). That is why it is important to understand that the left and right values change depending on which server you are configuring.
IPSEC_DC1 (Local) Left Key Setup
From the above we modify the .conf file and revise only the left key:
dc1_to_dc2.conf:
conn dc1-dc2
left=192.168.1.91
leftsubnet=192.168.1.0/22
leftid=@dc1.freightgate.com
leftrsasigkey=0sAwEAAbAqrcK4ATXXhutVwfdlH247MgyOk//cn49wMu0qzaPPar+s6gB/vJWaKdGpLhz+rmCBgCnJv9bLdaiUBge
6bgqsClISZ0gRWcW1nGFOayjnKthL+qcPeD6Xc1+tLeEI3V6CcKH/Pl2ldovDW2UvUUFYo5AaEnYB2uk+ohcR2/nYc9jRMbY1M9iurCoBFM
CP0M4WydoRDoHeCe6pMfInB23HSK0EXDHz7o9Tw8OzjK0fGOoddllr/UR0f0y8h7wVQIh6hsfIiDXkzMnpvSUg540RVSqBu4AurKVZoTLxQ
4hLEX50XmJhTK1qfAEoijwbblCIuttw1KhWl70ebD4kFSDS3s/n5QZyKc2Ku+9qrILn4UKvVjxZw8TWSNFhtp5BTnLivG/xKHbZo1Jh/BYW
Bahj9uUn5IYcq9mq/+/abQ6LE5JC3JuL0+m3TA8X/rlmHW2ETfJ8qicghM8PQRIu/ZUO1ECu1wwCYHh5IKxigH6QVa1ztYqsSlzxhfXOixN
ZgnrxdF1so3V1iNBoL+QyoeFWTFt/
right=97.111.201.5
rightid=@dc2.freightgate.com
rightsubnet=192.168.100.0/22
rightrsasigkey=
auto=start
Note that the right public key will need to be generated on the remote IPsec server (IPSEC_DC2).
IPSEC_DC2 (Remote) Configuration
On the other ipsec server, ipsec_dc2, the configuration file is called dc2_to_dc1.conf:
dc2_to_dc1.conf:
conn dc2-dc1
left=192.168.101.91
leftsubnet=192.168.1.0/22
leftid=@dc2.mydomain.com
leftrsasigkey=<later>
right=97.111.201.5
rightid=@dc2.mydomain.com
rightsubnet=192.168.100.0/22
rightrsasigkey=<later>
auto=start
Repeat the process to create the left and right keys:
[root@ipsec004v ipsec.d]# ls
irv_to_fvc.conf policies
[root@ipsec004v ipsec.d]# ipsec initnss
Initializing NSS database
[root@ipsec004v ipsec.d]# ls
cert9.db irv_to_fvc.conf key4.db pkcs11.txt policies
[root@ipsec004v ipsec.d]# ipsec showhostkey --list
[root@ipsec004v ipsec.d]# ipsec newhostkey --nssdir /etc/ipsec.d --output /etc/ipsec.d/ipsec.secrets
Generated RSA key pair with CKAID 105866fba27a1da34118c8084712cc2e8cce1600 was stored in the NSS database
[root@ipsec004v ipsec.d]# ls
cert9.db ipsec.secrets irv_to_fvc.conf key4.db pkcs11.txt policies
[root@ipsec004v ipsec.d]# ipsec showhostkey --list
< 1> RSA keyid: AwEAAaaUK ckaid: 105866fba27a1da34118c8084712cc2e8cce1600
[root@ipsec004v ipsec.d]# ipsec showhostkey --left --ckaid 105866fba27a1da34118c8084712cc2e8cce1600
# rsakey AwEAAaaUK
leftrsasigkey=0sAwEAAaaUK/iR1J+Li/xCpIjSj84v7eQRoiehbSPZ5e5lh/f6Y6BV2lgvztEcEPMjuaXrysEXej45j5CDd+bypcV
Ne+Z5IxX7n6v/jZBTCOsiXrGLjAxB0Ee0Q5zhg2N3by58mklMcCbNy/LNS2i+p1/qwkAzIl+ZCCKJ/K0DV4U8kQDYYIqZPTgvpOeCg8
xZdsYj7NMn01FfH5pYYWZmehdueqVxtQ34msS0HQ9J0FHyYJcEQKQMmetUxjQecnX7I8CC4wrFyH2xwevgG4MjkiU6+yS6v1wqB78Eu
1pcINmUgrPgmxYdB8v0+guJ/fFXXazGPOIsEXvbUv1wcDfoUshKhO480VBmT4567blNpvkXr78t94gyP1JS2C5nTB50kOeuWpJE140Z
9kp2xsNGoQfrS4DqOyC2xQh5NPHH1cpb1yE2dU/B1+vEgjoGh9USFLe9+PJFzxpGdc9ixrYyVDgbrFSc+IxsER0rshc0aqeIj1sY3De
cpmQgozpgng4D1f24D8JSydOCKtYiAGnRqFq7lazE4p6ZcQDgHCoKJ3TiBWyNUZHpjsBh5m9xXV3Z710yjtP0UwNDXoL1GjyrQbjJH6
wCK6SfKY5D+Q==
[root@ipsec004v ipsec.d]# ipsec showhostkey --right --ckaid 105866fba27a1da34118c8084712cc2e8cce1600
# rsakey AwEAAaaUK
rightrsasigkey=0sAwEAAaaUK/iR1J+Li/xCpIjSj84v7eQRoiehbSPZ5e5lh/f6Y6BV2lgvztEcEPMjuaXrysEXej45j5CDd+bypc
VNe+Z5IxX7n6v/jZBTCOsiXrGLjAxB0Ee0Q5zhg2N3by58mklMcCbNy/LNS2i+p1/qwkAzIl+ZCCKJ/K0DV4U8kQDYYIqZPTgvpOeCg
8xZdsYj7NMn01FfH5pYYWZmehdueqVxtQ34msS0HQ9J0FHyYJcEQKQMmetUxjQecnX7I8CC4wrFyH2xwevgG4MjkiU6+yS6v1wqB78E
u1pcINmUgrPgmxYdB8v0+guJ/fFXXazGPOIsEXvbUv1wcDfoUshKhO480VBmT4567blNpvkXr78t94gyP1JS2C5nTB50kOeuWpJE140
Z9kp2xsNGoQfrS4DqOyC2xQh5NPHH1cpb1yE2dU/B1+vEgjoGh9USFLe9+PJFzxpGdc9ixrYyVDgbrFSc+IxsER0rshc0aqeIj1sY3D
ecpmQgozpgng4D1f24D8JSydOCKtYiAGnRqFq7lazE4p6ZcQDgHCoKJ3TiBWyNUZHpjsBh5m9xXV3Z710yjtP0UwNDXoL1GjyrQbjJH
6wCK6SfKY5D+Q==
[root@ipsec004v ipsec.d]#
We add the local key created on this server as its left key.
dc2_to_dc1.conf:
conn dc2-dc1
left=192.168.101.91
leftsubnet=192.168.1.0/22
leftid=@dc2.mydomain.com
leftrsasigkey=0sAwEAAaaUK/iR1J+Li/xCpIjSj84v7eQRoiehbSPZ5e5lh/f6Y6BV2lgvztEcEPM
juaXrysEXej45j5CDd+bypcVNe+Z5IxX7n6v/jZBTCOsiXrGLjAxB0Ee0Q5zhg2N3by58mklMcCbNy/LNS2i+p1
/qwkAzIl+ZCCKJ/K0DV4U8kQDYYIqZPTgvpOeCg8xZdsYj7NMn01FfH5pYYWZmehdueqVxtQ34msS0HQ9J0FHyY
JcEQKQMmetUxjQecnX7I8CC4wrFyH2xwevgG4MjkiU6+yS6v1wqB78Eu1pcINmUgrPgmxYdB8v0+guJ/fFXXazG
POIsEXvbUv1wcDfoUshKhO480VBmT4567blNpvkXr78t94gyP1JS2C5nTB50kOeuWpJE140Z9kp2xsNGoQfrS4D
qOyC2xQh5NPHH1cpb1yE2dU/B1+vEgjoGh9USFLe9+PJFzxpGdc9ixrYyVDgbrFSc+IxsER0rshc0aqeIj1sY3D
ecpmQgozpgng4D1f24D8JSydOCKtYiAGnRqFq7lazE4p6ZcQDgHCoKJ3TiBWyNUZHpjsBh5m9xXV3Z710yjtP0U
wNDXoL1GjyrQbjJH6wCK6SfKY5D+Q==
right=97.111.201.5
rightid=@dc2.mydomain.com
rightsubnet=192.168.100.0/22
rightrsasigkey=<later>
auto=start
Complete Configuration
Now we add to each local system the right key that was generated on the remote host.
In other words, the public key from ipsec104v is assigned to rightrsasigkey on ipsec004v, and the public key from ipsec004v is assigned to rightrsasigkey on ipsec104v. This is the result:
IPSEC_DC2 (dc2_to_dc1.conf)
dc2_to_dc1.conf:
conn dc2-dc1
left=192.168.101.91
leftsubnet=192.168.1.0/22
leftid=@dc2.mydomain.com
leftrsasigkey=0sAwEAAaaUK/iR1J+Li/xCpIjSj84v7eQRoiehbSPZ5e5lh/f6Y6BV2lgvztEcEPM
juaXrysEXej45j5CDd+bypcVNe+Z5IxX7n6v/jZBTCOsiXrGLjAxB0Ee0Q5zhg2N3by58mklMcCbNy/LNS2i+p1
/qwkAzIl+ZCCKJ/K0DV4U8kQDYYIqZPTgvpOeCg8xZdsYj7NMn01FfH5pYYWZmehdueqVxtQ34msS0HQ9J0FHyY
JcEQKQMmetUxjQecnX7I8CC4wrFyH2xwevgG4MjkiU6+yS6v1wqB78Eu1pcINmUgrPgmxYdB8v0+guJ/fFXXazG
POIsEXvbUv1wcDfoUshKhO480VBmT4567blNpvkXr78t94gyP1JS2C5nTB50kOeuWpJE140Z9kp2xsNGoQfrS4D
qOyC2xQh5NPHH1cpb1yE2dU/B1+vEgjoGh9USFLe9+PJFzxpGdc9ixrYyVDgbrFSc+IxsER0rshc0aqeIj1sY3D
ecpmQgozpgng4D1f24D8JSydOCKtYiAGnRqFq7lazE4p6ZcQDgHCoKJ3TiBWyNUZHpjsBh5m9xXV3Z710yjtP0U
wNDXoL1GjyrQbjJH6wCK6SfKY5D+Q==
right=97.111.201.5
rightid=@dc2.mydomain.com
rightsubnet=192.168.100.0/22
rightrsasigkey=0sAwEAAbAqrcK4ATXXhutVwfdlH247MgyOk//cn49wMu0qzaPPar+s6gB/vJWaKdGpLhz+rmCBgCnJv9bLdaiUBge
6bgqsClISZ0gRWcW1nGFOayjnKthL+qcPeD6Xc1+tLeEI3V6CcKH/Pl2ldovDW2UvUUFYo5AaEnYB2uk+ohcR2/nYc9jRMbY1M9iurCoBFM
CP0M4WydoRDoHeCe6pMfInB23HSK0EXDHz7o9Tw8OzjK0fGOoddllr/UR0f0y8h7wVQIh6hsfIiDXkzMnpvSUg540RVSqBu4AurKVZoTLxQ
4hLEX50XmJhTK1qfAEoijwbblCIuttw1KhWl70ebD4kFSDS3s/n5QZyKc2Ku+9qrILn4UKvVjxZw8TWSNFhtp5BTnLivG/xKHbZo1Jh/BYW
Bahj9uUn5IYcq9mq/+/abQ6LE5JC3JuL0+m3TA8X/rlmHW2ETfJ8qicghM8PQRIu/ZUO1ECu1wwCYHh5IKxigH6QVa1ztYqsSlzxhfXOixN
ZgnrxdF1so3V1iNBoL+QyoeFWTFt/
auto=start
IPSEC_DC1 (dc1_to_dc2.conf)
dc1_to_dc2.conf:
conn dc1-dc2
left=192.168.1.91
leftsubnet=192.168.1.0/22
leftid=@dc1.freightgate.com
leftrsasigkey=0sAwEAAbAqrcK4ATXXhutVwfdlH247MgyOk//cn49wMu0qzaPPar+s6gB/vJWaKdGpLhz+rmCBgCnJv9bLdaiUBge
6bgqsClISZ0gRWcW1nGFOayjnKthL+qcPeD6Xc1+tLeEI3V6CcKH/Pl2ldovDW2UvUUFYo5AaEnYB2uk+ohcR2/nYc9jRMbY1M9iurCoBFM
CP0M4WydoRDoHeCe6pMfInB23HSK0EXDHz7o9Tw8OzjK0fGOoddllr/UR0f0y8h7wVQIh6hsfIiDXkzMnpvSUg540RVSqBu4AurKVZoTLxQ
4hLEX50XmJhTK1qfAEoijwbblCIuttw1KhWl70ebD4kFSDS3s/n5QZyKc2Ku+9qrILn4UKvVjxZw8TWSNFhtp5BTnLivG/xKHbZo1Jh/BYW
Bahj9uUn5IYcq9mq/+/abQ6LE5JC3JuL0+m3TA8X/rlmHW2ETfJ8qicghM8PQRIu/ZUO1ECu1wwCYHh5IKxigH6QVa1ztYqsSlzxhfXOixN
ZgnrxdF1so3V1iNBoL+QyoeFWTFt/
right=97.111.201.5
rightid=@dc2.freightgate.com
rightsubnet=192.168.100.0/22
rightrsasigkey=0sAwEAAaaUK/iR1J+Li/xCpIjSj84v7eQRoiehbSPZ5e5lh/f6Y6BV2lgvztEcEPM
juaXrysEXej45j5CDd+bypcVNe+Z5IxX7n6v/jZBTCOsiXrGLjAxB0Ee0Q5zhg2N3by58mklMcCbNy/LNS2i+p1
/qwkAzIl+ZCCKJ/K0DV4U8kQDYYIqZPTgvpOeCg8xZdsYj7NMn01FfH5pYYWZmehdueqVxtQ34msS0HQ9J0FHyY
JcEQKQMmetUxjQecnX7I8CC4wrFyH2xwevgG4MjkiU6+yS6v1wqB78Eu1pcINmUgrPgmxYdB8v0+guJ/fFXXazG
POIsEXvbUv1wcDfoUshKhO480VBmT4567blNpvkXr78t94gyP1JS2C5nTB50kOeuWpJE140Z9kp2xsNGoQfrS4D
qOyC2xQh5NPHH1cpb1yE2dU/B1+vEgjoGh9USFLe9+PJFzxpGdc9ixrYyVDgbrFSc+IxsER0rshc0aqeIj1sY3D
ecpmQgozpgng4D1f24D8JSydOCKtYiAGnRqFq7lazE4p6ZcQDgHCoKJ3TiBWyNUZHpjsBh5m9xXV3Z710yjtP0U
wNDXoL1GjyrQbjJH6wCK6SfKY5D+Q==
auto=start
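As an added example (not part of the original page), the following Python script cross-checks the two conn files the way the left/right explanation and the key cross-assignment above require: one side's leftid, leftsubnet and leftrsasigkey must equal the other side's rightid, rightsubnet and rightrsasigkey, and no rsasigkey may still read <later>. It uses constructed short placeholders in place of the page's long 0s... keys and omits the address lines, which are not mirrored when a gateway sits behind NAT.

```python
# Added example: cross-check two Libreswan conn blocks so that DC1's left/*
# values are DC2's right/* values (and vice versa) and all keys are filled in.
# Mirrored pairs: this side's left/X must equal the other side's right/X.
MIRRORED = (("leftid", "rightid"), ("leftsubnet", "rightsubnet"),
            ("leftrsasigkey", "rightrsasigkey"))
# Constructed samples (address lines omitted): short placeholders stand in
# for the long 0s... keys shown on the page.
DC1_CONF = """conn dc1-dc2
leftsubnet=192.168.1.0/22
leftid=@dc1.mydomain.com
leftrsasigkey=0sKEYDC1PLACEHOLDER
rightid=@dc2.mydomain.com
rightsubnet=192.168.100.0/22
rightrsasigkey=0sKEYDC2PLACEHOLDER
"""
DC2_CONF = """conn dc2-dc1
leftsubnet=192.168.100.0/22
leftid=@dc2.mydomain.com
leftrsasigkey=0sKEYDC2PLACEHOLDER
rightid=@dc1.mydomain.com
rightsubnet=192.168.1.0/22
rightrsasigkey=0sKEYDC1PLACEHOLDER
"""

def parse_conn(text):
    """Parse one conn block (key=value lines) into a dict; name under 'conn'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            conf["conn"] = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def mirror_errors(a, b):
    """Return a list of problems between two sides; empty means they agree."""
    errors = []
    for left, right in MIRRORED:
        for x, y in ((a, b), (b, a)):  # check both directions
            if x.get(left) != y.get(right):
                errors.append(f"{x['conn']}.{left} != {y['conn']}.{right}")
    for side in (a, b):
        for key in ("leftrsasigkey", "rightrsasigkey"):
            if not side.get(key, "").startswith("0s"):  # "<later>" or empty
                errors.append(f"{side['conn']}.{key} is not a filled-in 0s key")
    return errors
```

Run mirror_errors(parse_conn(DC1_CONF), parse_conn(DC2_CONF)) after pasting each side's real conn block in; an empty list means the two files agree.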
/etc/ipsec.conf File
This file looks like this:
/etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
# Normally, pluto logs via syslog.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug="control parsing"
# plutodebug="all crypt"
plutodebug=all
protostack=netkey
plutostderrlog=/var/log/pluto.log
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
#virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
The only parameters that were enabled are the three below. Note that the file's own comment advises against enabling debug options; plutodebug=all is useful while bringing the tunnel up, but it makes pluto very verbose and should be turned off once the tunnel works.
- plutodebug=all
- protostack=netkey
- plutostderrlog=/var/log/pluto.log
Error Checking
Both ipsec status and systemctl status ipsec generate information, but their output differs. ipsec status tells you in clearer terms whether there is an error in the keys.
ipsec status
systemctl status ipsec