IPsec (Internet Protocol Security) is a suite of protocols designed to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet in a communication session. One of the core components of setting up an IPsec VPN on Linux-based systems is configuring the ipsec.conf file. This file contains various settings that define the parameters for secure communication over the VPN.
In this article, we’ll dive into the specifics of configuring ipsec.conf to establish a secure IPsec VPN. The configuration includes defining security policies, setting up IP addresses, and specifying encryption protocols, among other technical details.
## Understanding the ipsec.conf Syntax
The ipsec.conf file uses a specific syntax for defining various configurations, such as connections, encryption methods, and keys. It consists of several sections:
1. **config setup**: General configuration options for IPsec.
2. **conn**: Configuration for each VPN connection, including details such as encryption, authentication, and IP addresses.
3. **secret**: Pre-shared keys or other authentication methods used to authenticate connections.
Here’s an example of a minimal ipsec.conf structure:
```ini
config setup
    protostack=netkey
    interfaces="ipsec0"

conn myvpn
    authby=secret
    keyexchange=ikev2
    left=192.168.1.1
    leftsubnet=0.0.0.0/0
    right=192.168.2.1
    rightsubnet=0.0.0.0/0
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha2_256
    keylife=3600
    ikelifetime=28800
    rekey=no
    keyingtries=1
```
## Breaking Down the Configuration
**config setup**:

- `protostack=netkey`: Defines the protocol stack used for IPsec. The netkey stack is the usual choice on Linux for IPsec VPNs.
- `interfaces="ipsec0"`: Specifies the network interface to be used for IPsec communication.

**conn myvpn**:

- `authby=secret`: Indicates the use of pre-shared keys (PSK) for authentication. This is suitable for small-scale setups.
- `keyexchange=ikev2`: Sets the key exchange protocol to IKEv2 (Internet Key Exchange version 2), which is more secure and efficient than IKEv1.
- `left=192.168.1.1` and `right=192.168.2.1`: The IP addresses of the two VPN endpoints. The left side typically refers to the local machine, and right refers to the remote machine.
- `leftsubnet=0.0.0.0/0` and `rightsubnet=0.0.0.0/0`: These options define the IP ranges for the local and remote subnets. A subnet of 0.0.0.0/0 matches any address, so all traffic is sent through the tunnel.
- `ike=aes256-sha2_256-modp2048`: Specifies the encryption and hashing algorithms used for IKE. Here, AES-256 encryption, SHA-2 hashing, and MODP2048 for the Diffie-Hellman key exchange are chosen.
- `esp=aes256-sha2_256`: Defines the algorithms for the ESP (Encapsulating Security Payload) phase, which is responsible for encrypting the data.
- `keylife=3600`: Defines the lifetime of the encryption keys (in seconds).
- `ikelifetime=28800`: Specifies the lifetime of the IKE session in seconds.
- `rekey=no`: Disables rekeying. If set to `yes`, the keys are periodically renegotiated.
- `keyingtries=1`: Defines the number of attempts to establish the VPN connection before giving up.
## Adding Additional Security Settings
For enhanced security, you can configure additional options in the ipsec.conf file:
**Logging**:

- `loglevel=1`: Controls the verbosity of the logs. Higher numbers provide more detailed logs.

**Replay Protection**:

- `esp=…-modp2048+`: The `+` sign ensures that replay protection is enabled, which prevents attackers from intercepting and reusing encrypted packets.

**NAT Traversal**:

- `nat_traversal=yes`: Enables NAT Traversal, which allows IPsec to function properly when one or both sides of the VPN are behind a NAT (Network Address Translation) device.
Example:
```ini
conn myvpn
    authby=secret
    keyexchange=ikev2
    left=192.168.1.1
    right=192.168.2.1
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha2_256-modp2048
    keylife=3600
    ikelifetime=28800
    rekey=no
    keyingtries=1
    loglevel=1
    nat_traversal=yes
```
## Configuring IPsec with Certificates
While PSK is suitable for smaller environments, larger setups require the use of certificates for authentication. To configure certificate-based authentication, you must modify the ipsec.conf as follows:
```ini
conn myvpn
    authby=pubkey
    keyexchange=ikev2
    leftcert=mycert.pem
    rightcert=remote-cert.pem
    left=192.168.1.1
    right=192.168.2.1
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha2_256
```
In this configuration:

- `authby=pubkey`: Indicates the use of public key authentication.
- `leftcert=mycert.pem` and `rightcert=remote-cert.pem`: Specify the local and remote certificates to be used for authentication.
## Using the ipsec.conf File for Site-to-Site VPNs
When configuring a site-to-site VPN, you may need to adjust ipsec.conf to handle multiple subnets on each side. For example:
```ini
conn myvpn
    authby=secret
    keyexchange=ikev2
    left=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=192.168.2.1
    rightsubnet=192.168.2.0/24
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha2_256
    keylife=3600
```
This configuration names specific subnets (192.168.1.0/24 and 192.168.2.0/24) instead of 0.0.0.0/0, which gives more granular control over which traffic is carried between the two sites.
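As an added example (it is not code from this article or from any IPsec implementation), here is a small Python linter that parses the section/key=value layout of ipsec.conf described above and flags the settings this article discusses: a key exchange other than IKEv2, weak algorithms in `ike=` or `esp=`, and `0.0.0.0/0` on both sides as in the first example rather than the per-site subnets of the site-to-site configuration. The sample file is constructed, the parser covers only the key=value subset shown on this page, and the weak-algorithm list is an assumption of mine rather than a list from the page.

```python
import re

# Constructed sample ipsec.conf (not the page's file); parameter lines must be indented.
SAMPLE_CONF = """\
config setup
    protostack=netkey
conn myvpn
    authby=secret
    keyexchange=ikev2
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.2.0/24
    ike=aes256-sha2_256-modp2048
    esp=aes256-sha2_256
conn legacy
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=3des-md5-modp1024
    esp=3des-md5
"""
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "null"}  # assumed weak list

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; headers are 'config setup' / 'conn NAME'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # column 0: a new section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def audit_conn(opts):  # findings for one conn section; a missing key counts as a finding
    findings = []
    if opts.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    for key in ("ike", "esp"):
        weak = sorted(set(re.split(r"[-_+!,]", opts.get(key, "").lower())) & WEAK_TOKENS)
        if weak:
            findings.append(f"{key} uses weak algorithm(s): {', '.join(weak)}")
    if opts.get("leftsubnet") == opts.get("rightsubnet") == "0.0.0.0/0":
        findings.append("both subnets are 0.0.0.0/0 (no traffic selector restriction)")
    return findings

def audit(text):
    return {n: audit_conn(o) for n, o in parse_ipsec_conf(text).items() if n.startswith("conn ")}
```

Running `audit(SAMPLE_CONF)` returns no findings for `conn myvpn` and four for `conn legacy`; the `config setup` section is parsed but not audited.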
## Final Configuration Steps
Once you’ve configured the ipsec.conf file, ensure that the configuration is applied by restarting the IPsec service:
```shell
sudo systemctl restart ipsec
```
Verify that the connection is working by checking the status:
```shell
sudo ipsec status
```
If the VPN connection is successful, the status command will show the active tunnel and connection details.
```
sudo ipsec status
Security Associations (1 up, 0 connecting):
   myvpn[1]: 192.168.1.1...192.168.2.1 IKEv2, ESP in AES256-SHA2
```