Documentation: Libreswan Opportunistic IPsec using LetsEncrypt: Difference between revisions

From Libreswan
usage: 'ipsec letsencrypt -client' OR 'ipsec letsencrypt -server'


test, -t  :  For testing the configuration/connections.
* To see all the IP addresses that were tried, but did not offer IPsec OE
usage: 'ipsec letsencrypt test' OR 'ipsec letsencrypt -t'
<pre>
sudo ipsec whack --shuntstatus
</pre>


generatecertificate hostname, -gc hostname For generating the certificate.
Sample Output -
usage: 'ipsec letsencrypt generatecertificate hostname' OR 'ipsec letsencrypt -gc hostname'
<pre>
000 Bare Shunt list:
000  
</pre>


For updating the generated certificate (keeping the private key same) use the following command.
* To see the inside state of the libreswan pluto daemon
usage: certbot renew --deploy-hook 'ipsec letsencrypt -ug hostname'
<pre>
sudo ipsec status
</pre>
</pre>
Sample Output -
<pre>
000 using kernel interface: netkey
.
.
.
.
000 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131 esp.affba9fa@193.110.157.131
esp.a390a2a8@192.168.43.235 tun.0@193.110.157.131 tun.0@192.168.43.235 ref=0 refhim=0 Traffic: ESPin=0B ESPout=252B! ESPmax=0B
000 
000 Bare Shunt list:
000 
</pre>
* To restart IPsec OE
Note - It will destroy all your existing OE connections.
<pre>
sudo ipsec restart
</pre>
* To verify IPsec (Libreswan) installation and check configuration files
<pre>
sudo ipsec verify
</pre>
Sample Output -
<pre>
Verifying installed system and configuration files
Version check and ipsec on-path                      [OK]
Libreswan 3.29 (netkey) on 5.1.20-300.fc30.x86_64
Checking for IPsec support in kernel                  [OK]
NETKEY: Testing XFRM related proc values
        ICMP default/send_redirects                  [OK]
        ICMP default/accept_redirects                [OK]
        XFRM larval drop                            [OK]
Pluto ipsec.conf syntax                              [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
Pluto listening for IKE on udp 500                  [OK]
Pluto listening for IKE/NAT-T on udp 4500            [OK]
Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                [OK]
Checking 'iptables' command                          [OK]
Checking 'prelink' command does not interfere with FIPS    [OK]
Checking for obsolete ipsec.conf options              [OK]
</pre>
* To delete the configuration files present in /etc/ipsec.d
<pre>
sudo ipsec letsencrypt --disable
</pre>
* Manual debug version of OE request
<pre>
sudo ipsec restart
sleep 5
sudo ipsec whack --oppohere YOURIP --oppothere REMOTEIP
</pre>
e.g.
<pre>
sudo ipsec restart
sleep 5
ipsec whack --oppohere 169.149.111.125 --oppothere 193.110.157.131
</pre>
Sample Output -
<pre>
002 initiate on demand from 142.93.216.119:0 to 193.110.157.131:0 proto=0 because: whack
133 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #1: initiate
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local IKE proposals for private-or-clear#193.110.157.131/326,
.
.
.
HMAC_SHA2_256_128; ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: certificate verified OK: CN=letsencrypt.libreswan.org
003 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: Authenticated using RSA
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: negotiated connection [142.93.216.119-142.93.216.119:0-65535 0] ->
[193.110.157.131-193.110.157.131:0-65535 0]
</pre>
== Common Errors ==
* no routed template covers this pair error while running the command <code>sudo ipsec whack --oppohere 76.10.157.68 --oppothere 1.2.3.4</code>
This is due to the fact that the target IP address (1.2.3.4) is not covered by <code>/etc/ipsec.d/policies/private*</code>
* Failed to establish an OE connection.
If you get this error, one of the possible reasons might be, you have more than one configuration(.conf) files in the /etc/ipsec.d directory.

Latest revision as of 11:47, 5 December 2019

Introduction

Libreswan Opportunistic IPsec using LetsEncrypt is a project to create a program letsencrypt in ipsec which allows establishing the Opportunistic Encryption connections between two hosts. The letsencrypt program allows using various available utilities required to establish and control an Opportunistic connection. The letsencrypt program has several features, and can be used by running a specified {command} with a specified [argument].

e.g. ipsec letsencrypt --help lists all the available commands and how to use them.

The man page for the program is available at man ipsec letsencrypt. The program creates a secure Opportunistic Connection between the hosts commonly referred to as client and server. The client connects to the server and remains anonymous, whereas the server is authenticated before connecting to it, i.e., server is not anonymous. The server uses Let's Encrypt certificates for authentication and encryption purposes. Once the initial phase of authentication and handshaking completes, the secure connection establishes, and all the traffic (traffic can be through multiple applications) between the two hosts is now encrypted.

Prerequisite

The following packages are required to avail full features of the `letsencrypt` program:

1. IPsec - Libreswan

2. certutil

3. wget

4. certbot *

5. OpenSSL *

* Required only for hosts acting as servers. Not required for hosts acting as clients.

Installation

To use the program, one needs to have IPsec (Libreswan) installed. Libreswan installation instructions are available here

Available [arguments]

ipsec letsencrypt [arguments]

Available [arguments]

--server, --client, --test, --generate-certificate hostname, --renew hostname, --help, --disable

Note - To get the list of all acceptable arguments run ipsec letsencrypt --help

Configuration Used

There are 2 default configurations, one for the server (oe-letsencrypt-server.conf) and other for the client (oe-letsencrypt-client.conf).

1. The server configuration (oe-letsencrypt-server.conf) is as follows:

Note - please add your server dns name in the place of leftcert=YourServerDNSName. E.g. leftcert=letsencrypt.libreswan.org

conn clear-or-private
        leftid=%fromcert
        leftrsasigkey=%cert
        # name of your generated letsencrypt certificate e.g. letsencrypt.libreswan.org
        leftcert=YourServerDNSName
        leftauth=rsasig
        left=%defaultroute
        #leftmodecfgclient=yes
        #
        rightid=%null
        rightauth=null
        right=%opportunisticgroup
        #
        negotiationshunt=passthrough
        failureshunt=passthrough
        type=tunnel
        ikev2=insist
        sendca=issuer
        auto=add
        #
        rightaddresspool=100.64.0.1-100.64.255.254
        rightmodecfgclient=yes


2. The client configuration (oe-letsencrypt-client.conf) is as follows:

conn private-or-clear
    rightid=%fromcert
    rightrsasigkey=%cert
    rightauth=rsasig
    right=%opportunisticgroup
    rightmodecfgclient=yes
    rightcat=yes
    # Any CA will do because we only load the LetsEncrypt CA
    rightca=%any
    #
    left=%defaultroute
    leftid=%null
    leftauth=null
    leftmodecfgclient=yes
    leftcat=yes
    #
    narrowing=yes
    type=tunnel
    ikev2=insist
    negotiationshunt=drop
    failureshunt=passthrough
    keyingtries=1
    retransmit-timeout=3s
    auto=ondemand
  • The default configuration file private-or-clear present in /etc/ipsec.d/policies/ contains the following lines:
# The libreswan letsenccrypt test server - this can be left enabled at all times
193.110.157.131/32
# Attempt OE IPsec using letsencrypt for the entire Internet - Comment out to disable
0.0.0.0/0

If you are trying to connect to a server, you should add the IP of the server to this file OR another configuration file which is in use.

Note - The OE attempt to the entire internet is enabled by default. Which means, for every host, you try to connect the OE connection establishing is always attempted. You can disable this by commenting the line 0.0.0.0/0 .

Functions of various [arguments]

Note - OE refers to Opportunistic Encryption.


1. ipsec letsencrypt --client

2. ipsec letsencrypt --server

It is run for the initial setup when installing the project for the first time. The [argument] performs the following tasks:

  • performs the 1st time server/client Installation.
  • checks if the command is run as root.
  • Sets and restores the secure umask at appropriate locations.
  • Creates temporary directories for downloading the certificates.
  • Checks for any existing OE connections.
  • Downloads the LetsEncrypt CA and intermediate certificates.
  • Checks if NSS database exists.
  • Initializes the NSS database and import the LetsEncrypt certificates in it.
  • Saves the required client/server configuration in the /etc/ipsec.d directory.
  • Restores the security context of the saved configuration using restorecon (if it is available on the system).
  • Establishes a secure OE connection by sending pings to the letsencrypt.libreswan.org server.
  • Checks for the success of establishing the OE connection.
  • Displays OE connection status to the user.

Note - The command creates a secure Opportunistic Connection between the hosts commonly referred to as client and server. The client connects to the server and remains anonymous, whereas the server is authenticated before connecting to it. The server is not anonymous. The server uses Let's Encrypt certificates for authentication and encryption purposes.

Sample Output -

[root@linux]# ipsec letsencrypt --client
Installing for Client.
Downloading the letsencrypt certificates
Importing the downloaded certificates into the database
Saving the required configuration
To confirm the success try running 'ipsec letsencrypt --test' on the client


3. ipsec letsencrypt --test

For testing the configuration/connections. The [argument] checks for the success of establishing an OE connection and performs the following tasks:

  • Check for any existing OE connections.
  • checks if the command is run as root.
  • Establish an OE connection.
  • Sending pings to the letsencrypt.libreswan.org server.
  • Checking the success of establishing OE connection.
  • Displaying connection status to the user.

Sample Output -

[root@linux]# ipsec letsencrypt --test
Existing OE Connections Found. Please stop the connections using 'ipsec restart' and try again.
006 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131, type=ESP, add_time=1565535553,
inBytes=0, outBytes=252, id='CN=letsencrypt.libreswan.org', lease=100.64.0.1/32


4. ipsec letsencrypt --generate-certificate hostname

Note - hostname refers to the name of the host. e.g. libreswan.org.

For generating the certificate. The [argument] generates the certificate using Certbot and performing the following tasks:

  • Check if certbot is installed.
  • checks if the command is run as root.
  • Sets and restores the secure umask at appropriate locations.
  • Creates temporary directories for downloading the certificates.
  • Generating #pkcs12 file and importing it in the NSS database.
  • Displays the certificates installed in NSS database.
  • Generates the certbot configuration for reusing the private key.
  • Creates a crontab for automatic certificate renewals.

Sample Output -

[root@linux]# ipsec letsencrypt --generate-certificate letsencrypt.libreswan.org
Saving debug log to /var/log/letsencrypt/letsencrypt.libreswan.org
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): letsencrypt.libreswan.org
Cert not yet due for renewal

You have an existing certificate that has the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/letsencrypt.libreswan.org.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/letsencrypt.libreswan.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/letsencrypt.libreswan.org/privkey.pem
   Your cert will expire on 2019-11-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Enter Export Password:
Verifying - Enter Export Password:
Importing the certificate in database.
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

isrgrootx1                                                   CT,,
trustid-x3-root                                              CT,,
letsencryptauthorityx3                                       ,,   
lets-encrypt-x3-cross-signed                                 ,,   
letsencrypt.libreswan.org                                    u,u,u
To confirm the success try running 'ipsec letsencrypt -t' on the client


5. ipsec letsencrypt --renew hostname

Note -

1. hostname refers to the name of the host. e.g. libreswan.org.

2. The above command is an alias to certbot renew --deploy-hook 'ipsec letsencrypt --update-certificate hostname'

For updating the generated certificate (keeping the private key same). This [argument] is used to update the certificate keeping the private key same, and performs the following tasks:

  • checks if the command is run as root.
  • Updating the certificate using Certbot keeping the private key same.
  • Sets and restores the secure umask at appropriate locations.
  • Creates temporary directories for downloading the certificates.
  • Generating #pkcs12 file.
  • Importing the certificate in NSS database.
  • Displaying the certificates installed in NSS database.
  • Restarting the IPsec to load the latest updated certificate.

Sample Output -

[root@linux]# ipsec letsencrypt --renew letsencrypt.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/letsencrypt.libreswan.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/letsencrypt.libreswan.org/fullchain.pem expires on 2019-11-03 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Enter Export Password:
Verifying - Enter Export Password:
Importing the certificate in the database.
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Displaying the certificates installed in the database.

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

isrgrootx1                                                   CT,,
trustid-x3-root                                              CT,,
letsencryptauthorityx3                                       ,,   
lets-encrypt-x3-cross-signed                                 ,,   
letsencrypt.libreswan.org                                    u,u,u
To confirm the success try running 'ipsec letsencrypt -t' on the client

6. ipsec letsencrypt --disable

The command disables the IPsec service by deleting all the configuration files present in the /etc/ipsec.d/ directory. For the change to take effect, the IPsec service must be restarted.

Sample Output -

[root@linux]# ipsec letsencrypt --disable
Please restart the IPsec service using 'ipsec restart' for changes to take effect.


7. ipsec letsencrypt --help

Prints information about the available {commands} and [arguments].

Sample Output -

[root@linux]# ipsec letsencrypt --help
Usage: ipsec letsencrypt [arguments]
Available [arguments]
--server, --client, --test, --generate-certificate hostname, --renew hostname, --help, --disable

--client :  For initial client setup.
usage: 'ipsec letsencrypt --client'

--server :  For initial server setup.
usage: 'ipsec letsencrypt --server'

--test  :  For testing the configuration/connections.
usage: 'ipsec letsencrypt --test'

--generate-certificate hostname :  For generating the certificate.
usage: 'ipsec letsencrypt --generate-certificate hostname'

--renew hostname: For updating the generated certificate (keeping the private key same) use the following command.
usage: 'ipsec letsencrypt --renew hostname'

--disable :  For disabling IPsec service.
usage: 'ipsec letsencrypt --disable'


== Testing and Debugging ==

  • To see all the active IPsec OE tunnels (and the amount of traffic encrypted)
sudo ipsec whack --trafficstatus

Sample Output -

006 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131, type=ESP, add_time=1565535553,
inBytes=0, outBytes=252, id='CN=letsencrypt.libreswan.org', lease=100.64.0.1/32

Note - Inactive tunnels are torn down (once an hour)

  • To see all the IP addresses that were tried, but did not offer IPsec OE
sudo ipsec whack --shuntstatus

Sample Output -

000 Bare Shunt list:
000  
  • To see the inside state of the libreswan pluto daemon
sudo ipsec status

Sample Output -

000 using kernel interface: netkey
.
.
.
.
000 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131 esp.affba9fa@193.110.157.131 
esp.a390a2a8@192.168.43.235 tun.0@193.110.157.131 tun.0@192.168.43.235 ref=0 refhim=0 Traffic: ESPin=0B ESPout=252B! ESPmax=0B 
000  
000 Bare Shunt list:
000  
  • To restart IPsec OE

Note - It will destroy all your existing OE connections.

sudo ipsec restart
  • To verify IPsec (Libreswan) installation and check configuration files
sudo ipsec verify

Sample Output -

Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.29 (netkey) on 5.1.20-300.fc30.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS    [OK]
Checking for obsolete ipsec.conf options              [OK]
  • To delete the configuration files present in /etc/ipsec.d
sudo ipsec letsencrypt --disable
  • Manual debug version of OE request
sudo ipsec restart
sleep 5
sudo ipsec whack --oppohere YOURIP --oppothere REMOTEIP 

e.g.

sudo ipsec restart
sleep 5
ipsec whack --oppohere 169.149.111.125 --oppothere 193.110.157.131

Sample Output -

002 initiate on demand from 142.93.216.119:0 to 193.110.157.131:0 proto=0 because: whack
133 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #1: initiate
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131: constructed local IKE proposals for private-or-clear#193.110.157.131/326,
.
.
.
HMAC_SHA2_256_128; ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: certificate verified OK: CN=letsencrypt.libreswan.org
003 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: Authenticated using RSA
002 "private-or-clear#193.110.157.131/32"[1] ...193.110.157.131 #2: negotiated connection [142.93.216.119-142.93.216.119:0-65535 0] -> 
[193.110.157.131-193.110.157.131:0-65535 0]
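
The following POSIX shell functions are an added example, not part of the original page or of the letsencrypt program. They parse the output format of ipsec whack --trafficstatus shown above and check that an ESP tunnel to a given peer exists and has carried traffic, which is the confirmation step the client-side tests above are after. The sample lines are constructed from that format (the real command prints each tunnel on a single line; the page wraps it), and the second peer and its CN are made up for the idle case. On a live host, pipe sudo ipsec whack --trafficstatus into the functions instead of the sample.

```shell
#!/bin/sh
# Added example: parse `ipsec whack --trafficstatus` output and confirm that an
# ESP tunnel to a given peer exists and has carried traffic.

# Constructed sample in the format shown on the page; the real command prints
# each tunnel on one line. On a live host use: sudo ipsec whack --trafficstatus
sample_trafficstatus() {
    cat <<'EOF'
006 #4: "private-or-clear#193.110.157.131/32"[2] 100.64.0.1/32=== ...193.110.157.131, type=ESP, add_time=1565535553, inBytes=0, outBytes=252, id='CN=letsencrypt.libreswan.org', lease=100.64.0.1/32
006 #7: "private-or-clear#198.51.100.20/32"[1] 100.64.0.2/32=== ...198.51.100.20, type=ESP, add_time=1565535600, inBytes=0, outBytes=0, id='CN=idle.example', lease=100.64.0.2/32
EOF
}

# Print the value of one key=value field (inBytes, outBytes, add_time, id,
# lease) for the tunnel whose remote address is PEER; prints nothing when no
# tunnel to PEER is listed. Reads trafficstatus output on stdin.
# Note: fields are split on ", ", so an id containing ", " would confuse it.
oe_tunnel_field() {
    awk -v peer="$1" -v field="$2" -v q="'" '
        index($0, "..." peer ",") {
            n = split($0, parts, ", ")
            for (i = 1; i <= n; i++) {
                if (substr(parts[i], 1, length(field) + 1) == (field "=")) {
                    v = substr(parts[i], length(field) + 2)
                    gsub(q, "", v)          # id=... is single-quoted in the output
                    print v
                    exit
                }
            }
        }'
}

# Exit status: 0 = tunnel to PEER is up and has carried traffic, 1 = no tunnel
# to PEER, 2 = tunnel present but no bytes in either direction yet.
oe_tunnel_check() {
    peer=$1
    status=$(cat)
    rx=$(printf '%s\n' "$status" | oe_tunnel_field "$peer" inBytes)
    tx=$(printf '%s\n' "$status" | oe_tunnel_field "$peer" outBytes)
    [ -n "$rx" ] || return 1
    [ $((rx + tx)) -gt 0 ] || return 2
    return 0
}

# Usage with the constructed sample; on a live host replace sample_trafficstatus
# with: sudo ipsec whack --trafficstatus
for peer in 193.110.157.131 198.51.100.20 203.0.113.9; do
    sample_trafficstatus | oe_tunnel_check "$peer"
    case $? in
        0) echo "$peer: tunnel up, id=$(sample_trafficstatus | oe_tunnel_field "$peer" id)" ;;
        1) echo "$peer: no OE tunnel" ;;
        2) echo "$peer: tunnel up but idle" ;;
    esac
done
```

A tunnel that shows up with inBytes=0 and outBytes=0 is listed but has not yet carried anything; sending some traffic to the peer (a ping, for example) and re-running the check distinguishes a freshly negotiated tunnel from one that is not actually being used.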


== Common Errors ==

  • A 'no routed template covers this pair' error while running the command sudo ipsec whack --oppohere 76.10.157.68 --oppothere 1.2.3.4

This occurs because the target IP address (1.2.3.4) is not covered by /etc/ipsec.d/policies/private*.

  • Failed to establish an OE connection.

If you get this error, one possible cause is that there is more than one configuration (.conf) file in the /etc/ipsec.d directory.
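
To check the first of these errors before running the manual OE request, the following POSIX shell functions are an added example (not the project's own code). They test whether an IPv4 address is covered by the prefixes in a policy file such as /etc/ipsec.d/policies/private-or-clear, assuming the file lists one address or CIDR prefix per line with '#' starting a comment. The policy content in sample_private_policy is constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example: check whether an IPv4 address is covered by the prefixes in a
# policy file such as /etc/ipsec.d/policies/private-or-clear. Assumes one
# address or CIDR prefix per line, with '#' starting a comment.

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IP falls inside CIDR ("a.b.c.d/n"; a bare address means /32).
ip4_in_cidr() {
    ip=$1
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Read policy lines on stdin; print the first prefix covering IP and return 0,
# or return 1 when nothing covers it (the situation behind the
# "no routed template covers this pair" error).
ip4_covered_by_policy() {
    ip=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop comments
        set -- $line                # trim surrounding whitespace
        [ -n "${1:-}" ] || continue
        if ip4_in_cidr "$ip" "$1"; then
            echo "$1"
            return 0
        fi
    done
    return 1
}

# Constructed sample of a policy file (not a real host's configuration).
sample_private_policy() {
    cat <<'EOF'
# constructed example of /etc/ipsec.d/policies/private-or-clear
193.110.157.0/24
198.51.100.0/24
203.0.113.7
EOF
}

# Usage on a live host:
#   ip4_covered_by_policy REMOTEIP < /etc/ipsec.d/policies/private-or-clear
for target in 193.110.157.131 1.2.3.4; do
    if covering=$(sample_private_policy | ip4_covered_by_policy "$target"); then
        echo "$target is covered by $covering"
    else
        echo "$target is not covered: expect 'no routed template covers this pair'"
    fi
done
```

Because several policy files share the private* prefix, run the check against each of them (or concatenate them on stdin) before concluding that the peer really is outside the OE policy; adding the missing prefix to the appropriate file and restarting IPsec is what makes pluto route the pair.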