6.3. Manually configuring an IPsec host-to-host VPN with raw RSA key authentication

Procedure

1. If Libreswan is not yet installed, perform the following steps:

   1. Install the libreswan package:

      # dnf install libreswan

   2. Initialize the Network Security Services (NSS) database:

      # ipsec initnss

      The command creates the database in the /var/lib/ipsec/nss/ directory.

   3. Enable and start the ipsec service:

      # systemctl enable --now ipsec

   4. Open the IPsec ports and protocols in the firewall:

      # firewall-cmd --permanent --add-service="ipsec"
      # firewall-cmd --reload

2. Create an RSA key pair:

   # ipsec newhostkey

   The ipsec utility stores the key pair in the NSS database.

3. Designate your peers. In an IPsec tunnel, you must designate one host as left and the other as right. This is an arbitrary choice. A common practice is to call your local host left and the remote host right.

4. Display the Certificate Key Attribute ID (CKAID) on both the left and right peer:

   # ipsec showhostkey --list
   < 1> RSA keyid: <key_id> ckaid: <ckaid>

   You require the CKAIDs of both peers in the next steps.

5. Display the public keys:

   1. On the left peer, enter:

      # ipsec showhostkey --left --ckaid <ckaid_of_left_peer>
      	# rsakey AwEAAdKCx
      	leftrsasigkey=0sAwEAAdKCxpc9db48cehzQiQD...

   2. On the right peer, enter:

      # ipsec showhostkey --right --ckaid <ckaid_of_right_peer>
      	# rsakey AwEAAcNWC
      	rightrsasigkey=0sAwEAAcNWCzZO+PR1j8WbO8X...

   The commands display the public keys with the corresponding parameters that you must use in the configuration file.

6. Create a .conf file for the connection in the /etc/ipsec.d/ directory. For example, create the /etc/ipsec.d/host-to-host.conf file with the following settings:

   conn <connection_name>
       # General setup and authentication type
       auto=start
       authby=rsasig
   
       # Peer A
       left=<ip_address_or_fqdn_of_left_peer>
       leftid=@peer_a
       leftrsasigkey=<public_key_of_left_peer>
   
       # Peer B
       right=<ip_address_or_fqdn_of_right_peer>
       rightid=@peer_b
       rightrsasigkey=<public_key_of_right_peer>

   注記

   You can use the same configuration file on both hosts, and Libreswan identifies whether it is operating on the left or right host by using internal information. However, it is important that all values in left* parameters belong to one peer and the values in right* parameters belong to the other.

   The settings specified in the example include the following:

   conn <connection_name>

   Defines the connection name. The name is arbitrary, and Libreswan uses it to identify the connection. You must indent parameters in this connection by at least one space or tab.

   auto=<type>

   Controls how the connection is initiated. If you set the value to start, Libreswan activates the connection automatically when the service starts.

   authby=rsasig

   Enables RSA signature authentication for this connection.

   left=<ip_address_or_fqdn_of_left_peer> and right=<ip_address_or_fqdn_of_right_peer>

   Defines the IP address or DNS name of the peers.

   leftid=<id> and rightid=<id>

   Defines how each peer is identified during the Internet Key Exchange (IKE) negotiation process. This can be a fully-qualified domain name (FQDN), an IP address, or a literal string. In the latter case, precede the string with an @ sign.

   leftrsasigkey=<public_key> and rightrsasigkey=<public_key>

   Specifies the public key of the peers. Use the values displayed by the ipsec showhostkey command in a previous step.

7. Restart the ipsec service:

   # systemctl restart ipsec

   If you use auto=start in the configuration file, the connection is automatically activated. With other methods, additional steps are required to activate the connection. For details, see the ipsec.conf(5) man page on your system.