
Linux/CentOS IPsec Configuration

LogRhythm supports IPsec for Linux/CentOS via Libreswan. This section explains how to configure IPsec using Libreswan. 

The only VPN technology recommended for use with Red Hat Enterprise Linux 8 is IKE/IPsec implemented by Libreswan and the Linux kernel.

Do not use any other VPN technology without understanding the risks of doing so.

Libreswan as an IPsec VPN Implementation

Libreswan is an open-source, user-space IKE implementation. Libreswan interfaces with the Linux kernel using netlink. Packet encryption and decryption occur in the Linux kernel. Libreswan uses the Network Security Services (NSS) cryptographic library. Both Libreswan and NSS are certified for use with the Federal Information Processing Standard (FIPS) Publication 140-2.

When referring to end points (hosts), Libreswan uses the terms left/right instead of source/destination or server/client. Since IKE and IPsec are peer-to-peer protocols, in most cases you can use the same configuration on both end points. However, administrators typically designate left for the local host and right for the remote host.

IKE Protocol

IKEv1 and IKEv2 are implemented by a user-space daemon. IKE traffic is itself encrypted. The IKE protocol uses UDP ports 500 and 4500.

For security reasons, we strongly discourage configuring the kernel with IPsec without IKE (known as manual keying).

IPsec Protocol

The IPsec protocol is implemented by the Linux kernel, and Libreswan configures the kernel to add and remove VPN tunnel configurations.

The IPsec protocol consists of two protocols:

  • Encapsulated Security Payload (ESP), IP protocol number 50.
  • Authenticated Header (AH), IP protocol number 51.

We do not recommend using the AH protocol and encourage AH users to migrate to ESP with null encryption.

The IPsec protocol provides two modes of operation:

  • Tunnel Mode (the default)
  • Transport Mode
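The following is an added example, not configuration from the LogRhythm documentation or the Libreswan project, that pulls the points above into a minimal Libreswan host-to-host configuration: left is the local host and right is the remote host, IKE (not manual keying) negotiates the keys over UDP 500/4500, IKEv2 is required, ESP is used rather than AH, and the default tunnel mode is stated explicitly with the transport-mode alternative shown as a comment. The connection name, the addresses (RFC 5737 documentation ranges) and the pre-shared key are constructed placeholders and must be replaced.

```conf
# /etc/ipsec.conf  (constructed example; replace addresses and the conn name)

conn %default
    keyexchange=ike          # keys are negotiated by IKE; no manual keying
    ikev2=insist             # refuse IKEv1 (Libreswan 4.x also accepts ikev2=yes)
    authby=secret            # pre-shared key, looked up in /etc/ipsec.secrets
    ike=aes256-sha2_256;modp2048     # IKE SA: AES-256, SHA-256 PRF/integrity, 2048-bit DH
    phase2=esp               # ESP (IP protocol 50), not AH (IP protocol 51)
    esp=aes256-sha2_256      # ESP SA: AES-256 with SHA-256 integrity
    # AH users migrating as recommended above can keep authentication-only
    # traffic on ESP with null encryption, e.g. esp=null-sha2_256
    type=tunnel              # default mode; use type=transport for host-to-host transport mode

conn collector-to-platform   # constructed name
    left=192.0.2.10          # local host (administrator convention: left = local)
    right=198.51.100.20      # remote host (right = remote)
    auto=start               # bring the tunnel up when the ipsec service starts

# /etc/ipsec.secrets  (constructed; keep this file root-owned, mode 0600)
# <left> <right> : PSK "<secret>"
192.0.2.10 198.51.100.20 : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Both hosts can carry the same two files, since IKE and IPsec are peer-to-peer and Libreswan works out which end it is from the local addresses. After editing, `ipsec verify` reports kernel and NSS readiness, `systemctl restart ipsec` loads the configuration, `ipsec auto --up collector-to-platform` starts the negotiation by hand if needed, and `ipsec status` together with `ipsec trafficstatus` shows the established SAs and the bytes carried. The host firewall must admit UDP 500 and 4500 and IP protocol 50 (and 51 only if AH is still in use); on firewalld systems the predefined `ipsec` service covers these.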
