6.5. Manually configuring an IPsec host-to-site VPN with certificate-based authentication
A host-to-site VPN establishes a secure, encrypted connection between an individual remote computer and a private network, allowing them to be seamlessly linked across an insecure public network, such as the internet.
A host-to-site VPN is ideal for remote employees who need to access resources on their company’s internal network from their computer as if they were physically in the office.
For authentication, using digital certificates managed by a Certificate Authority (CA) offers a highly secure and scalable solution. Each connecting host and the gateway presents a certificate signed by a trusted CA. This method provides strong, verifiable authentication and simplifies user management. Access can be granted or revoked centrally at the CA, and Libreswan enforces this by checking each certificate against a certificate revocation list (CRL), denying access if a certificate appears on the list.
6.5.1. Setting up an IPsec gateway manually
You must configure the Libreswan IPsec gateway properly to enable secure remote access. Libreswan reads the server certificate, private key, and CA certificate from a Network Security Services (NSS) database.
The following example permits authenticated clients to access the internal 192.0.2.0/24 subnet and dynamically assigns an IP address from a virtual IP pool to each client. To maintain security, the gateway verifies that client certificates are issued by the same trusted CA and automatically uses a certificate revocation list (CRL) to ensure access is denied for any revoked certificates.
Prerequisites
- The Public Key Cryptography Standards #12 (PKCS #12) file ~/file.p12 exists on the gateway with the following contents:
  - The private key of the server
  - The server certificate
  - The CA certificate
  - If required, intermediate certificates
  For details about creating a private key and certificate signing request (CSR), as well as about requesting a certificate from a CA, see your CA’s documentation.
- The server certificate contains the following fields:
  - Extended Key Usage (EKU) is set to TLS Web Server Authentication.
  - Common Name (CN) or Subject Alternative Name (SAN) is set to the fully-qualified domain name (FQDN) of the gateway.
  - X509v3 CRL distribution points contain URLs to Certificate Revocation Lists (CRLs). The gateway fetches the CRLs from these URLs, so they must be reachable from the gateway.
- A return route for VPN client traffic is configured on the internal network, pointing to the VPN gateway.
Procedure
1. If Libreswan is not yet installed:
   a. Install the libreswan package:

```
# dnf install libreswan
```

   b. Initialize the Network Security Services (NSS) database:

```
# ipsec initnss
```

      The command creates the database in the /var/lib/ipsec/nss/ directory.
   c. Enable and start the ipsec service:

```
# systemctl enable --now ipsec
```

   d. Open the IPsec ports and protocols in the firewall:

```
# firewall-cmd --permanent --add-service="ipsec"
# firewall-cmd --reload
```

2. Import the PKCS #12 file into the NSS database:

```
# ipsec import ~/file.p12
Enter password for PKCS12 file: <password>
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Example-CA
```

3. Display the nicknames of the server and CA certificates:

```
# certutil -L -d /var/lib/ipsec/nss/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn-gateway                                                  u,u,u
Example-CA                                                   CT,,
...
```

   You need this information for the configuration file. The CA certificate must be listed with the CT trust flags that ipsec import sets ("correcting trust bits"); Libreswan only accepts client certificates that chain to a CA trusted in the NSS database.
4. Create a .conf file for the connection in the /etc/ipsec.d/ directory. For example, create the /etc/ipsec.d/host-to-site.conf file with the following settings:
   a. Add a config setup section to enable CRL checks:

```
config setup
    crl-strict=yes
    crlcheckinterval=1h
```

      The settings specified in the example include the following:
      - crl-strict=yes: Enables strict CRL checks. Authenticating clients are rejected if no CRL for their issuer is available in the NSS database, so an unreachable CRL distribution point results in denied connections rather than in skipped revocation checks.
      - crlcheckinterval=1h: Re-fetches the CRLs from the CRL distribution point URLs in the certificates after the specified period.
   b. Add a section for the gateway:

```
conn <connection_name>
    # General setup and authentication type
    auto=start
    ikev2=insist
    authby=rsasig
    # VPN gateway settings
    left=%defaultroute
    leftid=%fromcert
    leftcert="<server_certificate_nickname>"
    leftrsasigkey=%cert
    leftsendcert=always
    leftsubnet=192.0.2.0/24
    rekey=no
    mobike=yes
    narrowing=yes
    # Client-related settings
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    rightaddresspool=198.51.100.129-198.51.100.254
    rightmodecfgclient=yes
    modecfgclient=yes
    modecfgdns=192.0.2.5
    modecfgdomains="example.com"
    # Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

      The settings specified in the example include the following:
      - ikev2=insist: Allows only the IKEv2 protocol, with no fallback to IKEv1.
      - left=%defaultroute: Dynamically sets the IP address of the default route interface when the ipsec service starts. Alternatively, you can set the left parameter to the IP address or the FQDN of the host.
      - leftid=%fromcert and rightid=%fromcert: Configures Libreswan to retrieve the identity from the distinguished name (DN) field of the certificate.
      - leftcert="<server_certificate_nickname>": Sets the nickname of the server’s certificate in the NSS database.
      - leftrsasigkey=%cert and rightrsasigkey=%cert: Configures Libreswan to use the RSA public key embedded in the certificate.
      - leftsendcert=always: Instructs the gateway to always send its certificate, so that clients can validate it against the CA certificate.
      - leftsubnet=<subnets>: Specifies the subnets connected to the gateway that clients can access through the tunnel.
      - mobike=yes: Enables clients to seamlessly roam among networks.
      - rightaddresspool=<ip_range>: Specifies the range from which the gateway assigns IP addresses to clients.
      - modecfgclient=yes: Enables clients to receive the DNS server IP set in the modecfgdns parameter and the DNS search domain set in modecfgdomains.
      For details about all parameters used in the example, see the ipsec.conf(5) man page on your system.
5. Enable packet forwarding:

```
# echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/95-IPv4-forwarding.conf
# sysctl -p /etc/sysctl.d/95-IPv4-forwarding.conf
```

6. Restart the ipsec service:

```
# systemctl restart ipsec
```

   If you use auto=start in the configuration file, the connection is automatically activated. With other methods, additional steps are required to activate the connection. For details, see the ipsec.conf(5) man page on your system.
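The procedure above relies on a handful of settings for its security properties: IKEv2 only, strict CRL checking, identities taken from the certificates, the gateway certificate always sent, and a client pool that is separate from the protected subnet. The following Python script is an added example written for this page; it is not part of Libreswan or of the original procedure. It parses the section/key=value layout of ipsec.conf(5) and reports which of those settings a gateway connection is missing. The two embedded configurations are constructed, the connection name host-to-site is an assumption, and the "pool must not overlap leftsubnet" rule and the finding texts are the example's own, not Libreswan checks.

```python
"""Lint a Libreswan host-to-site gateway configuration (added example)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: a weakened variant of the gateway section from the
# procedure.  It allows IKEv1 fallback, does not insist on a CRL, sends the
# gateway certificate only on request and carves the client pool out of the
# protected subnet.  The connection name is an assumption.
WEAK_CONF = """\
config setup
    crl-strict=no
    crlcheckinterval=1h

conn host-to-site
    auto=start
    ikev2=permit
    authby=rsasig
    left=%defaultroute
    leftid=%fromcert
    leftcert="vpn-gateway"   # nickname shown by certutil -L
    leftrsasigkey=%cert
    leftsendcert=ifasked
    leftsubnet=192.0.2.0/24
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    rightaddresspool=192.0.2.129-192.0.2.254
"""

# The same connection with the values the procedure above uses.
HARDENED_CONF = (WEAK_CONF
                 .replace("crl-strict=no", "crl-strict=yes")
                 .replace("ikev2=permit", "ikev2=insist")
                 .replace("leftsendcert=ifasked", "leftsendcert=always")
                 .replace("192.0.2.129-192.0.2.254",
                          "198.51.100.129-198.51.100.254"))

_SECTION = re.compile(r"^(?:config\s+setup|conn\s+(\S+))$")
_SETTING = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(.*)$")


def parse_ipsec_conf(text: str) -> Dict[str, dict]:
    """Parse the ipsec.conf(5) layout: 'config setup' and 'conn <name>'
    headers in column 0, indented key=value settings, '#' comments and
    optional double quotes around values."""
    conf: Dict[str, dict] = {"setup": {}, "conn": {}}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = _SECTION.match(line)
        if header:
            name = header.group(1)
            section = conf["setup"] if name is None else conf["conn"].setdefault(name, {})
            continue
        setting = _SETTING.match(line)
        if setting and section is not None:
            key, value = setting.group(1), setting.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            section[key] = value
    return conf


def pool_overlaps(pool: str, subnet: str) -> bool:
    """True if the start-end address pool shares any address with the subnet."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
    net = ipaddress.ip_network(subnet, strict=False)
    return not (hi < net[0] or lo > net[-1])


def lint_gateway(conf: Dict[str, dict], conn_name: str) -> List[str]:
    """Return the findings that matter for a certificate-authenticated
    host-to-site gateway; an empty list means all checks pass."""
    conn = conf["conn"].get(conn_name)
    if conn is None:
        return [f"connection {conn_name!r} not found"]
    setup = conf["setup"]
    findings: List[str] = []
    if conn.get("ikev2") != "insist":
        findings.append("ikev2 is not 'insist': a fallback to IKEv1 stays possible")
    if setup.get("crl-strict") != "yes":
        findings.append("crl-strict is not 'yes': clients are accepted even when no CRL is available")
    if conn.get("authby") != "rsasig" or not conn.get("leftcert"):
        findings.append("certificate authentication needs authby=rsasig and leftcert")
    for side in ("left", "right"):
        if conn.get(side + "rsasigkey") != "%cert":
            findings.append(f"{side}rsasigkey is not '%cert'")
        if conn.get(side + "id") != "%fromcert":
            findings.append(f"{side}id is not '%fromcert': identity is not taken from the certificate")
    if conn.get("leftsendcert") != "always":
        findings.append("leftsendcert is not 'always': clients may not receive the gateway certificate to validate")
    pool, subnet = conn.get("rightaddresspool"), conn.get("leftsubnet")
    if pool and subnet and pool_overlaps(pool, subnet):
        findings.append("rightaddresspool overlaps leftsubnet: use a separate range "
                        "so that one internal return route covers the whole pool")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_gateway(parse_ipsec_conf(text), "host-to-site") or "OK")
```

Run it against the real file with `parse_ipsec_conf(open("/etc/ipsec.d/host-to-site.conf").read())`; because the parser only understands the layout that ipsec.conf(5) documents, a file that Libreswan accepts but this script cannot parse is worth a look rather than a silent pass.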
Verification
1. Configure a client and connect to the VPN gateway.
2. Check whether the service loaded the CRL and added the entries to the NSS database:

```
# ipsec listcrls
List of CRLs:

issuer:         CN=Example-CA
revoked certs:  1
updates:        this Tue Jul 15 10:22:36 2025
                next Sun Jan 11 10:22:36 2026

List of CRL fetch requests:

Jul 15 15:13:56 2025, trials: 1
       issuer:  'CN=Example-CA'
       distPts: 'https://ca.example.com/crl.pem'
```

   The "next" timestamp is the CRL’s nextUpdate value: after it passes, the loaded CRL is no longer current, so a re-fetch that keeps failing is worth alerting on before that time.
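To turn this verification step into something a monitoring job can run, here is an added Python example, written for this page and not part of Libreswan, that parses ipsec listcrls output in the layout shown above and classifies each loaded CRL against the configured crlcheckinterval. The embedded output is constructed: the second issuer, its dates and the "two fetch cycles" warning margin are the example's own assumptions, and the column alignment of real ipsec listcrls output may differ, which is why the parser keys on the labels rather than on positions.

```python
"""Classify loaded CRLs from `ipsec listcrls` output (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the layout of the verification step above.  The
# second issuer and its dates are invented to show a CRL past its next update.
SAMPLE_LISTCRLS = """\
List of CRLs:

issuer:         CN=Example-CA
revoked certs:  1
updates:        this Tue Jul 15 10:22:36 2025
                next Sun Jan 11 10:22:36 2026

issuer:         CN=Example-Sub-CA
revoked certs:  3
updates:        this Mon Jun 02 08:00:00 2025
                next Wed Jul 02 08:00:00 2025

List of CRL fetch requests:

Jul 15 15:13:56 2025, trials: 1
       issuer:  'CN=Example-CA'
       distPts: 'https://ca.example.com/crl.pem'
"""

_ISSUER = re.compile(r"^\s*issuer:\s*'?(.+?)'?\s*$")
_REVOKED = re.compile(r"^\s*revoked certs:\s*(\d+)")
_UPDATE = re.compile(r"\b(this|next)\s+(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})")
_FETCH = re.compile(r"^\s*(\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}),\s*trials:\s*(\d+)")
_DISTPTS = re.compile(r"^\s*distPts:\s*'([^']+)'")


def parse_listcrls(text: str) -> Dict[str, List[dict]]:
    """Split the output into loaded CRLs and pending fetch requests."""
    crls: List[dict] = []
    fetches: List[dict] = []
    section: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("List of CRLs"):
            section = "crls"
        elif line.startswith("List of CRL fetch requests"):
            section = "fetch"
        elif section == "crls":
            if (m := _ISSUER.match(line)):
                crls.append({"issuer": m.group(1), "revoked": 0, "this": None, "next": None})
            elif (m := _REVOKED.match(line)) and crls:
                crls[-1]["revoked"] = int(m.group(1))
            elif (m := _UPDATE.search(line)) and crls:
                crls[-1][m.group(1)] = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
        elif section == "fetch":
            if (m := _FETCH.match(line)):
                fetches.append({"requested": datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"),
                                "trials": int(m.group(2)), "issuer": None, "distPts": None})
            elif (m := _ISSUER.match(line)) and fetches:
                fetches[-1]["issuer"] = m.group(1)
            elif (m := _DISTPTS.match(line)) and fetches:
                fetches[-1]["distPts"] = m.group(1)
    return {"crls": crls, "fetches": fetches}


def crl_status(text: str, now: datetime, check_interval: timedelta) -> List[dict]:
    """Classify each loaded CRL relative to `now`.
    'expired': nextUpdate has passed, so the CRL says nothing about
    certificates revoked since; 'refresh-soon': fewer than two fetch cycles
    of validity left (this example's own margin); 'unknown': no dates parsed;
    otherwise 'ok'."""
    report = []
    for crl in parse_listcrls(text)["crls"]:
        nxt = crl["next"]
        if nxt is None:
            state = "unknown"
        elif nxt <= now:
            state = "expired"
        elif nxt - now < 2 * check_interval:
            state = "refresh-soon"
        else:
            state = "ok"
        report.append({"issuer": crl["issuer"], "revoked": crl["revoked"],
                       "next_update": nxt, "state": state})
    return report


if __name__ == "__main__":
    for entry in crl_status(SAMPLE_LISTCRLS, datetime(2025, 7, 15, 16, 0, 0), timedelta(hours=1)):
        print(f"{entry['state']:12} {entry['issuer']}  revoked={entry['revoked']}  next={entry['next_update']}")
```

In production, feed it `subprocess.run(["ipsec", "listcrls"], capture_output=True, text=True).stdout` with `datetime.now()` and the crlcheckinterval from config setup, and alert on anything that is not "ok"; with crl-strict=yes, a CRL that cannot be refreshed means clients start being rejected, so this check catches the outage before the users do.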
Next steps
- Configure firewall rules to ensure that clients can only communicate with required resources. For details about firewalls, see Configuring firewalls and packet filters.
6.5.2. Configuring a client to connect to an IPsec VPN gateway by using GNOME Settings
To access resources on a remote private network, users must first configure an IPsec VPN connection. The GNOME Settings application provides a graphical solution to create an IPsec VPN connection profile in NetworkManager and to establish the tunnel.
Prerequisites
- You configured the IPsec VPN gateway.
- The NetworkManager-libreswan-gnome package is installed.
- The PKCS #12 file ~/file.p12 exists on the client with the following contents:
  - The private key of the user
  - The user certificate
  - The CA certificate
  - If required, intermediate certificates
  For details about creating a private key and certificate signing request (CSR), as well as about requesting a certificate from a CA, see your CA’s documentation.
- The Extended Key Usage (EKU) in the user certificate is set to TLS Web Client Authentication.
Procedure
1. Initialize the Network Security Services (NSS) database:

```
# ipsec initnss
```

   The command creates the database in the /var/lib/ipsec/nss/ directory.
2. Import the PKCS #12 file into the NSS database:

```
# ipsec import ~/file.p12
Enter password for PKCS12 file: <password>
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Example-CA
```

3. Display the nicknames of the user and CA certificates:

```
# certutil -L -d /var/lib/ipsec/nss/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

user                                                         u,u,u
Example-CA                                                   CT,,
...
```

   You require this information in the configuration file.
4. Press the Super key, type Settings, and press Enter to open the GNOME Settings application.
5. Click the button next to the VPN entry.
6. Select IPsec based VPN from the list.
7. On the Identity tab, fill the fields as follows:

   Table 6.1. Identity tab settings

   | Field name | Value | Corresponding ipsec.conf parameter |
   |---|---|---|
   | Name | <networkmanager_profile_name> | N/A |
   | Gateway | <ip_address_or_fqdn_of_the_gateway> | right |
   | Type | IKEv2 (certificate) | authby |
   | Group name | %fromcert | leftid |
   | Certificate name | <user_certificate_nickname> | leftcert |
   | Remote ID | %fromcert | rightid |

8. Click Advanced.
9. In the Advanced properties window, fill the fields of the Connectivity tab as follows:

   Table 6.2. Connectivity tab settings

   | Field name | Value | Corresponding ipsec.conf parameter |
   |---|---|---|
   | Remote Network | 192.0.2.0/24 | rightsubnet |
   | Narrowing | Selected | narrowing |
   | Enable MOBIKE | yes | mobike |
   | Delay | 30 | dpddelay |
   | Timeout | 120 | dpdtimeout |
   | Action | Clear | dpdaction |

10. Click to return to the connection settings.
11. Click to save the connection.
12. In the Network tab of the Settings application, toggle the switch next to the VPN profile to activate the connection.
Verification
- Establish a connection to a host in the remote network or ping it.
Next steps
- If you use this host in a network with DHCP or Stateless Address Autoconfiguration (SLAAC), the connection can be vulnerable to being redirected. For details and mitigation steps, see Assigning a VPN connection to a dedicated routing table to prevent the connection from bypassing the tunnel.