Do you develop on GitHub? You can keep using GitHub but automatically sync your GitHub releases to SourceForge quickly and easily with this tool so your projects have a backup location, and get your project in front of SourceForge's nearly 20 million monthly users. It takes less than a minute. Get new users downloading your project releases today!
Posted
by
michael
from the lock-stock-and-barrel dept.
LiquidPC writes: "The folks over at ONLamp have a new article which discusses IP security, including details on setting up Internet Key Exchange,
policies, and using racoon."
This discussion has been archived.
No new comments can be posted.
We tried this at work, but we used Windows 2000 servers. However we felt that it was very hard to make it work over firewalls, since so many ports are used (might be different in BSD). We ended up using own ip-segment for those servers without ipsec..
Pre-Shared Keys are the first step in getting IPSec running, but it really doesn't fulfil the role that IPSec was intended for: securing rlogin/rsh/rcp, ftp, etc. on an ad-hoc basis using the Transport Mode AH/ESP.
For that you want to set up "Transport Mode" (as opposed to Tunnel mode) IPSec policies, and you don't want to use pre-shared-keys (ie. that must be kept in sync on both ends of any IPSec connection).
What you want to do is use OpenSSL or the SSL certificate utilities that come with Apache-SSL (or is it mod-ssl?) to make a Certificate Authority (CA) key pair for yourself. You want to keep those on removable media; don't leave them laying around on some hard-drive. Then, (this is a repeated-per-host step) use the same utilities and your new CA to make keys and x509 certificates for each of the computers' IP addresses that you intend to secure with IPSec. Trust me on this one: make sure you make keys for both IPv4 and IPv6 for each IP address that appears in netstat -rn output.
Setting hosts up for the public-keys you just made: You need to distribue a copy of the CA public key to each machine wherever your OpenSSL(1) configuration likes CA public keys. Put the host keys somewhere like/usr/local/etc/racoon/hostkeys and make sure only root (the racoon daemon) has access to the private keys. Your standard racoon.conf file will need a "path certificate" line that specifies your hostkeys directory as well as your systems' OpenSSL certificate areas. You should start doing these steps as part of any standard installation procedure if you have one.
Once you have keys set up on two hosts, set them up with IPSec policies to allow rlogin over authenticated ESP encrypted connections only. If you didn't set up keys (correctly), rlogin will be firewalled out by the IPSec policy. If you got it all right, you should be able to rlogin between the hosts.
man pages of interest:
openssl(1)
This is a couple of days' worth of homework if you're not already familliar. Also look at/etc/ssl/openssl.cnf (which should be fully customised as a prerequisite to this project).
We tried this at work (Score:1)
Pre Shared Keys are step 1. Next: Public Keys (Score:5, Informative)
Pre-Shared Keys are the first step in getting IPSec running, but it really doesn't fulfil the role that IPSec was intended for: securing rlogin/rsh/rcp, ftp, etc. on an ad-hoc basis using the Transport Mode AH/ESP.
For that you want to set up "Transport Mode" (as opposed to Tunnel mode) IPSec policies, and you don't want to use pre-shared-keys (ie. that must be kept in sync on both ends of any IPSec connection).
What you want to do is use OpenSSL or the SSL certificate utilities that come with Apache-SSL (or is it mod-ssl?) to make a Certificate Authority (CA) key pair for yourself. You want to keep those on removable media; don't leave them laying around on some hard-drive. Then, (this is a repeated-per-host step) use the same utilities and your new CA to make keys and x509 certificates for each of the computers' IP addresses that you intend to secure with IPSec. Trust me on this one: make sure you make keys for both IPv4 and IPv6 for each IP address that appears in netstat -rn output.
Setting hosts up for the public-keys you just made: You need to distribue a copy of the CA public key to each machine wherever your OpenSSL(1) configuration likes CA public keys. Put the host keys somewhere like /usr/local/etc/racoon/hostkeys and make sure only root (the racoon daemon) has access to the private keys. Your standard racoon.conf file will need a "path certificate" line that specifies your hostkeys directory as well as your systems' OpenSSL certificate areas. You should start doing these steps as part of any standard installation procedure if you have one.
Once you have keys set up on two hosts, set them up with IPSec policies to allow rlogin over authenticated ESP encrypted connections only. If you didn't set up keys (correctly), rlogin will be firewalled out by the IPSec policy. If you got it all right, you should be able to rlogin between the hosts.
man pages of interest:
This is a couple of days' worth of homework if you're not already familliar. Also look at