2.7.2. VPN Configurations Using Libreswan
Libreswan does not use the terms “source” or “destination”. Instead, it uses the terms “left” and “right” to refer to end points (the hosts). This allows the same configuration to be used on both end points in most cases, although most administrators use “left” for the local host and “right” for the remote host.
There are three commonly used methods for authentication of endpoints:
- Raw RSA keys are commonly used for static host-to-host or subnet-to-subnet
IPsec
configurations. The hosts are manually configured with each other's public RSA key. This method does not scale well when dozens or more hosts all need to setupIPsec
tunnels to each other. - X.509 certificates are commonly used for large scale deployments where there are many hosts that need to connect to a common
IPsec
gateway. A central certificate authority (CA) is used to sign RSA certificates for hosts or users. This central CA is responsible for relaying trust, including the revocations of individual hosts or users. - Pre-Shared Keys (PSK) is the simplest authentication method. PSK's should consist of random characters and have a length of at least 20 characters. Due to the dangers of non-random and short PSKs, this is the least secure form of authentication and it is recommended to use either raw RSA keys or certificate based authentication instead.