IPSec
Internet Protocol Security (IPsec)
IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). (Wikipedia)
Host to Host Example
In this example we will use a pre-shared key to encrypt traffic between two hosts.
QuantaStor system: name qs1.example.net, address 192.168.0.2
Ubuntu client: name client1.example.net, address 192.168.0.3
Setup
Here are the steps that need to be run on the QuantaStor system as root.

- Install strongSwan

    apt-get update
    apt-get install strongswan

- Configure shared key

  The following command will encode some random data which we will use as the shared key.

    echo `dd if=/dev/urandom bs=33 count=1 2> /dev/null | base64 -w0`

  The output should look something like this:

    EGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

  Add the following line to the /etc/ipsec.secrets file. Be sure to use your own key, not this example. Notice that 0s is prepended to the shared key; this prefix tells strongSwan that the data is base64 encoded.

    @qs1.example.net @client1.example.net : PSK 0sEGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

- Configure strongSwan

  Add the following lines to /etc/ipsec.conf

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no
        keyexchange=ikev2

    conn qs-client1
        authby=secret
        left=192.168.0.2
        leftid=@qs1.example.net
        leftfirewall=yes
        right=192.168.0.3
        rightid=@client1.example.net
        type=transport
        auto=start

- Restart strongSwan

    service ipsec restart
Here are the steps that need to be run on the client box as root.

- Install strongSwan

    apt-get update
    apt-get install strongswan

- Configure shared key

  Copy the same line from the QuantaStor box into /etc/ipsec.secrets.

    @qs1.example.net @client1.example.net : PSK 0sEGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

- Configure strongSwan

  Add the following lines to /etc/ipsec.conf. Note that the only change from the QuantaStor config is that the left and right settings are swapped.

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no
        keyexchange=ikev2

    conn qs-client1
        authby=secret
        left=192.168.0.3
        leftid=@client1.example.net
        leftfirewall=yes
        right=192.168.0.2
        rightid=@qs1.example.net
        type=transport
        auto=start

- Restart strongSwan

    service ipsec restart
Start the connection. This can be run from either system.
ipsec up qs-client1
At this point all traffic between the two hosts will be encrypted. You can check the status of the connection by running ipsec status.

    root@qs1:~# ipsec status
    Security Associations:
      qs-client1[22]: ESTABLISHED 34 minutes ago, 192.168.0.3[client1.example.net]...192.168.0.2[qs1.example.net]
      qs-client1{22}:  INSTALLED, TRANSPORT, ESP SPIs: c810bccf_i c23fb4e7_o
      qs-client1{22}:   192.168.0.3/32 === 192.168.0.2/32
      qs-client1{23}:  INSTALLED, TRANSPORT, ESP SPIs: c551892c_i c4a28aac_o
      qs-client1{23}:   192.168.0.3/32 === 192.168.0.2/32
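A quick way to confirm from the status output that the connection really is protecting host-to-host traffic (ESTABLISHED IKE SA between the two addresses, plus an INSTALLED TRANSPORT-mode CHILD SA whose selectors are exactly the two /32 hosts). This is an added example, not part of the QuantaStor or strongSwan documentation; it assumes the line layout of the `ipsec status` output shown above and reuses this page's addresses and connection name as constructed sample input.

```python
import re
import subprocess

# Constructed sample: the `ipsec status` output shown above, one entry per line.
SAMPLE_STATUS = """\
Security Associations:
  qs-client1[22]: ESTABLISHED 34 minutes ago, 192.168.0.3[client1.example.net]...192.168.0.2[qs1.example.net]
  qs-client1{22}:  INSTALLED, TRANSPORT, ESP SPIs: c810bccf_i c23fb4e7_o
  qs-client1{22}:   192.168.0.3/32 === 192.168.0.2/32
  qs-client1{23}:  INSTALLED, TRANSPORT, ESP SPIs: c551892c_i c4a28aac_o
  qs-client1{23}:   192.168.0.3/32 === 192.168.0.2/32
"""

# IKE SA line: "<conn>[n]: ESTABLISHED ..., <ip>[id]...<ip>[id]"
IKE_RE = re.compile(r"^\s*(?P<conn>\S+)\[\d+\]:\s+ESTABLISHED .*?, (?P<a>[\d.]+)\[[^\]]*\]\.\.\.(?P<b>[\d.]+)\[")
# CHILD SA line: "<conn>{n}: INSTALLED, <MODE>, ESP SPIs: ..."
CHILD_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), ESP SPIs:")
# Traffic selector line: "<conn>{n}: <net> === <net>"
TS_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<l>[\d./]+) === (?P<r>[\d./]+)")

def check_transport_sa(status_text, conn, host_a, host_b):
    """Return (ok, reasons). ok is True only if `conn` has an ESTABLISHED IKE SA between
    host_a and host_b and an INSTALLED TRANSPORT-mode CHILD SA whose traffic selectors
    are exactly the two /32 host addresses; otherwise `reasons` lists what is missing."""
    reasons, ike_peers, children = [], None, {}
    for line in status_text.splitlines():
        if (m := IKE_RE.match(line)) and m["conn"] == conn:
            ike_peers = {m["a"], m["b"]}
        elif (m := CHILD_RE.match(line)) and m["conn"] == conn:
            children.setdefault(m["id"], {})["mode"] = m["mode"]
        elif (m := TS_RE.match(line)) and m["conn"] == conn:
            children.setdefault(m["id"], {})["ts"] = {m["l"], m["r"]}
    if ike_peers != {host_a, host_b}:
        reasons.append(f"no ESTABLISHED IKE SA for {conn} between {host_a} and {host_b}")
    want_ts = {f"{host_a}/32", f"{host_b}/32"}
    if not any(c.get("mode") == "TRANSPORT" and c.get("ts") == want_ts for c in children.values()):
        reasons.append(f"no INSTALLED TRANSPORT CHILD SA for {conn} covering {sorted(want_ts)}")
    return (not reasons, reasons)

def check_live(conn, host_a, host_b):
    """Run the real `ipsec status` (needs strongSwan installed, run as root) and check it."""
    out = subprocess.run(["ipsec", "status"], capture_output=True, text=True, check=True).stdout
    return check_transport_sa(out, conn, host_a, host_b)

if __name__ == "__main__":
    ok, reasons = check_transport_sa(SAMPLE_STATUS, "qs-client1", "192.168.0.2", "192.168.0.3")
    print("OK: host-to-host traffic is protected by ESP in transport mode" if ok else "\n".join(reasons))
```

A tunnel-mode SA, a wrong peer address, or a selector wider than the two /32 hosts all produce a failure reason rather than a silent pass.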