Linux/CentOS IPsec Configuration
LogRhythm supports IPsec for Linux/CentOS via Libreswan. This section explains how to configure IPsec using Libreswan.
The only VPN technology recommended for use with Red Hat Enterprise Linux 8 is IKE/IPsec implemented by Libreswan and the Linux kernel.
Do not use any other VPN technology without understanding the risks of doing so.
Libreswan as an IPsec VPN Implementation
Libreswan is an open-source, user-space IKE implementation. Libreswan interfaces with the Linux kernel using netlink. Packet encryption and decryption occur in the Linux kernel. Libreswan uses the Network Security Services (NSS) cryptographic library. Both Libreswan and NSS are certified for use with the Federal Information Processing Standard (FIPS) Publication 140-2.
When referring to endpoints (hosts), Libreswan uses the terms left/right instead of source/destination or server/client. Because IKE and IPsec are peer-to-peer protocols, in most cases the same connection definition can be installed unchanged on both endpoints; Libreswan works out at load time which side it is by matching the left/right addresses against the host's own interfaces. By convention, administrators still write left for the local host and right for the remote host.
IKE Protocol
IKEv1 and IKEv2 are implemented in a user-space daemon (pluto). After the initial exchange, IKE messages are themselves encrypted. IKE uses UDP port 500; UDP port 4500 is used for NAT traversal, carrying both IKE and UDP-encapsulated ESP when a NAT device sits between the peers. Both ports must be open on any firewall between the endpoints.
For security reasons, we strongly discourage configuring the kernel with IPsec without IKE (known as manual keying): static keys are never rotated and there is no peer authentication.
IPsec Protocol
The IPsec protocol is implemented by the Linux kernel, and Libreswan configures the kernel to add and remove VPN tunnel configurations.
The IPsec protocol consists of two protocols:
- Encapsulating Security Payload (ESP), IP protocol number 50, which provides confidentiality and integrity.
- Authentication Header (AH), IP protocol number 51, which provides integrity only (no encryption).
Neither is carried over TCP or UDP (except ESP under NAT traversal), so firewalls must permit these IP protocol numbers explicitly.
The IPsec protocol provides two modes of operation:
- Tunnel Mode (the default): the entire original IP packet is encapsulated in a new IP packet, as used for gateway-to-gateway and gateway-to-host VPNs.
- Transport Mode: only the payload is protected and the original IP header is kept, as used for host-to-host connections.
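The following script is an added example written for this page; it is not LogRhythm's or the Libreswan project's own code. It ties together the left/right convention, the IKE ports, the ESP/AH protocol numbers and the tunnel/transport modes described above: it generates a host-to-host IKEv2 connection that is identical on both peers, the matching pre-shared-key line, and the host-firewall rules IPsec needs. Assumptions: Libreswan 3.x or 4.x on RHEL/CentOS 8 with firewalld (or iptables), PSK authentication, and the documentation addresses 192.0.2.10 and 198.51.100.20 as placeholders for the two peers.

```shell
#!/bin/sh
# Added example, not the page's or Libreswan's own code.
# Assumes Libreswan 3.x/4.x on RHEL/CentOS 8; 192.0.2.10 and 198.51.100.20
# are RFC 5737 documentation addresses standing in for the two peers.
set -eu

# Emit one "conn" stanza. The same stanza is valid on both peers: Libreswan
# decides which side it is by matching left/right against local addresses.
# $1 = conn name, $2 = left address, $3 = right address, $4 = tunnel|transport
libreswan_conn() {
    name=$1; left=$2; right=$3; mode=${4:-tunnel}
    case $mode in
        tunnel|transport) ;;
        *) echo "mode must be tunnel or transport, got: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
conn $name
    left=$left
    right=$right
    # PSK authentication (assumption); the key lives in /etc/ipsec.d/*.secrets
    authby=secret
    # IKEv2 only; Libreswan 4 accepts "insist" as an alias of ikev2=yes
    ikev2=insist
    # tunnel (default) or transport
    type=$mode
    auto=start
EOF
}

# Emit the ipsec.secrets line for the pair. The PSK must be identical on
# both peers and shared out of band. $1 = left, $2 = right, $3 = PSK
libreswan_psk_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Emit the host-firewall rules IPsec needs: IKE on UDP 500, NAT-T (IKE and
# UDP-encapsulated ESP) on UDP 4500, and the raw ESP (50) and AH (51)
# protocols. $1 = firewalld (default) | iptables
ipsec_firewall_rules() {
    case ${1:-firewalld} in
        firewalld)
            # firewalld's predefined "ipsec" service covers udp/500, udp/4500, esp and ah
            echo 'firewall-cmd --permanent --add-service=ipsec'
            echo 'firewall-cmd --reload'
            ;;
        iptables)
            echo 'iptables -A INPUT -p udp --dport 500 -j ACCEPT'    # IKE
            echo 'iptables -A INPUT -p udp --dport 4500 -j ACCEPT'   # IKE + ESP-in-UDP (NAT-T)
            echo 'iptables -A INPUT -p esp -j ACCEPT'                # ESP, IP protocol 50
            echo 'iptables -A INPUT -p ah -j ACCEPT'                 # AH, IP protocol 51
            ;;
        *) echo "unknown firewall backend: $1" >&2; return 1 ;;
    esac
}

# Usage (as root, same command on both peers):
#   sh ipsec-host-to-host.sh 192.0.2.10 198.51.100.20 "$PSK" [tunnel|transport] [firewalld|iptables]
main() {
    left=$1; right=$2; psk=$3; mode=${4:-tunnel}; fw=${5:-firewalld}
    libreswan_conn host-to-host "$left" "$right" "$mode" > /etc/ipsec.d/host-to-host.conf
    umask 077
    libreswan_psk_line "$left" "$right" "$psk" > /etc/ipsec.d/host-to-host.secrets
    ipsec_firewall_rules "$fw" | sh
    systemctl enable --now ipsec
    ipsec auto --add host-to-host
    ipsec auto --up host-to-host
    ipsec status                     # confirm the SA is established on both sides
}

# Only act when invoked with the three mandatory arguments.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Run the same command with the same pre-shared key on both hosts; because the stanza uses left/right rather than local/remote, neither file needs editing for the second peer. `ipsec status` on either side should show the connection as established, and `ipsec trafficstatus` shows bytes flowing through the ESP tunnel.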