Skip to main content
Skip table of contents

Configure IPsec on Linux Machine

Install Libreswan

Before beginning, make sure packet forwarding is enabled on the Linux distribution.

To download the latest source code of Libreswan, visit the Libreswan Downloads page.


  1. Run the following commands as root:

    CODE 
    yum -y update


yum -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev libcurl4-nss-dev flex bison gcc make


yum install wget

  2. Install Libreswan:

    CODE 
    yum install libreswan

  3. Start the IPsec service and enable the service to be started:

    CODE 
    systemctl enable ipsec

  4. Configure the firewall to allow 500 and 4500/UDP ports for the IKE, ESP, and AH protocols by adding the IPsec service:

    CODE 
     #firewall-cmd --add-service="ipsec"

# firewall-cmd --runtime-to-permanent

Initialize the NSS Database

After a new installation of Libreswan, the NSS database should be initialized as part of the installation process. Before you start a new database, remove the old database. 

  1. Use the following commands to remove the old database:

    CODE 
    ~]# systemctl stop ipsec
    CODE 
    ~]# rm /etc/ipsec.d/*db

  2. Enable IPsec:

    CODE 
    systemctl enable ipsec
    Libreswan requires the firewall to allow the following packets: UDP port 500 and 4500 for the Internet Key Exchange (IKE) protocol. Protocol 50 for Encapsulated Security Payload (ESP) IPsec packets. Protocol 51 for Authenticated Header (AH) IPsec packets (uncommon).

  3. Check IPsec status:

    CODE 
    $ipsec setup status

  4. Initialize the new NSS database, run the following command as root:

    CODE 
    ~]# ipsec initnss


Create Host-to-Host VPN

  1. Go to the /etc/ipsec.d/ directory and create a new my_host-to-host.conf file.

  2. Edit the file, and enter all the details shown below:

    It is mandatory to maintain the gap of one tab between conn mytunnel and auto=start.

    CODE 
    conn mytunnel

       auto=start
       keyexchange=ike
       phase2=esp
       pfs=no
       type=tunnel
       authby=secret
       leftid=(Domain name/ip of linux machine)
       left=(ip address of linux machine)
       right=(ip address of Windows machine)
       rightid=(Domain name of Windows machine)

    For example, see the screenshot below:

    SettingValue
    Connection namemytunnel
    leftid10.1.0.127 (Linux machine)
    right

    10.1.22.59 (Windows machine)

    rightidRinkitest.QA.schq.secious.com (FQDN domain name of Windows machine)

  3. Go to the /etc folder, and make the following edits in the ipsec.secrets file:

    CODE 
    (ip adddress of linux machine)<space>( ip address of windows machine)<space> : <space>PSK<space>"Shared key which we passed for Windows machine"

  4. Start the IPsec service:

    CODE 
    systemctl start ipsec

  5. Verify the tunnel is up and running:

    CODE 
    ipsec auto --add mytunnel

    If you receive any error message after running the above command, you have entered the incorrect values in either your host-to-host.conf file or your ipsec.secrets file. You will need to go back and enter the correct values.

  6. Restart the IPsec service:

    CODE 
    systemctl restart ipsec

  7. You have completed configuring IPsec between Windows and Linux machines.

  8. You can verify that traffic is coming in properly and is encrypted by using Wireshark:


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close