IPSec
Internet Protocol Security (IPsec)
IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). (Wikipedia)
Host to Host Example
In this example a pre-shared key (PSK) authenticates the two hosts to each other over IKEv2, and IPsec in transport mode encrypts the traffic between them.
QuantaStor System Name: qs1.example.net Address: 192.168.0.2
Ubuntu Client Name: client1.example.net Address: 192.168.0.3
Setup
Here are the steps that need to be run on the QuantaStor system as root.

- Install strongSwan:

apt-get update
apt-get install strongswan

- Configure the shared key. The pre-shared key must be identical on both hosts and is stored in /etc/ipsec.secrets. This example uses random data for the key. Any string is accepted (enclose it in quotes if it contains spaces), but a human-chosen passphrase is far weaker than 33 random bytes and is open to offline guessing by an attacker who takes part in an IKE exchange, so generate the key rather than typing one. The following command produces 33 random bytes, base64 encoded, for use as the shared key:

dd if=/dev/urandom bs=33 count=1 2> /dev/null | base64

The output should look something like this:

EGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

Add the following line to /etc/ipsec.secrets, using your own key rather than this example. Note the 0s prepended to the key: it tells strongSwan that the key is base64 encoded, so the decoded 33 bytes are used as the secret (without the prefix the characters of the string itself would be the key). The file holds the secret, so keep it owned by root with mode 0600.

@qs1.example.net @client1.example.net : PSK 0sEGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

- Configure strongSwan. Add the following lines to /etc/ipsec.conf (the parameters under each conn must be indented):

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2

conn qs-client1
    authby=secret
    left=192.168.0.2
    leftid=@qs1.example.net
    leftfirewall=yes
    right=192.168.0.3
    rightid=@client1.example.net
    type=transport
    auto=start

- Restart strongSwan:

service ipsec restart
Here are the steps that need to be run on the client box as root.

- Install strongSwan:

apt-get update
apt-get install strongswan

- Configure the shared key. Copy the same pre-shared key line from the QuantaStor system into /etc/ipsec.secrets (again root-owned, mode 0600):

@qs1.example.net @client1.example.net : PSK 0sEGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

- Configure strongSwan. Add the following lines to /etc/ipsec.conf. The only change from the QuantaStor config is that the left/leftid and right/rightid settings are swapped; everything else stays the same:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2

conn qs-client1
    authby=secret
    left=192.168.0.3
    leftid=@client1.example.net
    leftfirewall=yes
    right=192.168.0.2
    rightid=@qs1.example.net
    type=transport
    auto=start

- Restart strongSwan:

service ipsec restart
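The two procedures above differ only in which host is left and which is right, and the key has to be copied by hand. As an added example (this is not QuantaStor's or strongSwan's own tooling), the following POSIX shell script renders both ipsec.conf and ipsec.secrets from one set of variables so the two ends cannot drift apart, generates the key, refuses a key that is not base64 of at least 32 random bytes, and creates ipsec.secrets owner-readable only. The ROLE, OUT and PSK environment variables, the role names qs/client and the 32-byte minimum are choices made for this example, not strongSwan requirements.

```shell
#!/bin/sh
# Added example, not QuantaStor's own tooling: generate a PSK and render matching
# strongSwan config for both ends of the transport-mode connection on this page.
# Assumptions of this example: ROLE/OUT/PSK environment variables, the role
# names qs/client, and the 32-byte minimum key length.
set -eu

# Addresses and IKE identities from the page.
QS_ADDR=192.168.0.2; QS_ID=@qs1.example.net
CL_ADDR=192.168.0.3; CL_ID=@client1.example.net

# 33 random bytes, base64 encoded: 44 characters, no padding.
gen_psk() {
    dd if=/dev/urandom bs=33 count=1 2>/dev/null | base64 | tr -d '\n'
}

# Accept a PSK only if it is base64 that decodes to at least 32 bytes (256 bits);
# a typed passphrase fails this check and is rejected.
check_psk() {
    nbytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${nbytes:-0}" -ge 32 ]
}

# ipsec.secrets entry; the 0s prefix tells strongSwan the key is base64.
render_secrets() {
    printf '%s %s : PSK 0s%s\n' "$1" "$2" "$3"
}

# ipsec.conf for one end: conn name, local addr, local id, remote addr, remote id.
render_conf() {
    cat <<EOF
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2

conn $1
    authby=secret
    left=$2
    leftid=$3
    leftfirewall=yes
    right=$4
    rightid=$5
    type=transport
    auto=start
EOF
}

# write_config DIR ROLE PSK: ROLE (qs or client) selects which end is "left".
write_config() {
    dir="$1"; role="$2"; psk="$3"
    case "$role" in qs|client) ;; *) echo "ROLE must be qs or client" >&2; return 2 ;; esac
    check_psk "$psk" || { echo "refusing PSK: not base64 of >= 32 bytes" >&2; return 1; }
    case "$role" in
        qs)     render_conf qs-client1 "$QS_ADDR" "$QS_ID" "$CL_ADDR" "$CL_ID" ;;
        client) render_conf qs-client1 "$CL_ADDR" "$CL_ID" "$QS_ADDR" "$QS_ID" ;;
    esac > "$dir/ipsec.conf"
    # The secrets file holds the key: create it owner-readable only (0600).
    ( umask 077; render_secrets "$QS_ID" "$CL_ID" "$psk" > "$dir/ipsec.secrets" )
}

# Usage on the QuantaStor system:   ROLE=qs sh gen-ipsec.sh
# then on the client, with the printed key:  ROLE=client PSK=... sh gen-ipsec.sh
# Nothing is written unless ROLE is set; OUT defaults to /etc.
if [ -n "${ROLE:-}" ]; then
    PSK="${PSK:-$(gen_psk)}"
    write_config "${OUT:-/etc}" "$ROLE" "$PSK"
    echo "PSK (copy to the other host): $PSK"
fi
```

Run it with ROLE=qs on the QuantaStor system, carry the printed key to the client and run it there with ROLE=client and PSK set, then restart the ipsec service on both hosts as in the steps above. Setting OUT to a scratch directory lets you inspect the rendered files before touching /etc.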
Start the connection; this can be run from either system. (Because both hosts use auto=start, each also tries to bring the connection up when the ipsec service starts, so it may already be established.)
ipsec up qs-client1
At this point IP traffic between the two hosts is carried in ESP. Because this is transport mode, only the payload is encrypted: an observer still sees that 192.168.0.2 and 192.168.0.3 exchange ESP packets, but not what they contain. You can check the status of the connection by running ipsec status:

root@qs1:~# ipsec status
Security Associations:
  qs-client1[22]: ESTABLISHED 34 minutes ago, 192.168.0.3[client1.example.net]...192.168.0.2[qs1.example.net]
  qs-client1{22}:  INSTALLED, TRANSPORT, ESP SPIs: c810bccf_i c23fb4e7_o
  qs-client1{22}:   192.168.0.3/32 === 192.168.0.2/32
  qs-client1{23}:  INSTALLED, TRANSPORT, ESP SPIs: c551892c_i c4a28aac_o
  qs-client1{23}:   192.168.0.3/32 === 192.168.0.2/32

ESTABLISHED refers to the IKE SA (the authenticated control channel); the INSTALLED lines are the CHILD SAs that actually protect traffic, each with its ESP SPIs and the /32 === /32 selectors that tie it to exactly these two hosts. Two CHILD SAs, as here, can appear when both hosts initiate at the same time (both have auto=start); this is harmless. To confirm on the wire that nothing is sent in the clear, run tcpdump on either host filtered to the other host's address and excluding ESP and IKE, for example tcpdump -ni eth0 host 192.168.0.3 and not esp and not udp port 500 and not udp port 4500, and check that it stays silent while the hosts talk. One caveat: with auto=start the kernel policies exist only while the CHILD SA is installed, so if negotiation fails (keyingtries=1 means a single attempt) or the SA is later torn down, packets between the hosts flow unprotected until it is re-established. auto=route instead installs a trap policy that stays in place and triggers negotiation when matching traffic appears, so the hosts never fall back to plaintext.
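Reading ipsec status by eye is fine once; for a host that should never talk to its peer in the clear you want a check that fails closed. As an added example (not part of the QuantaStor documentation or of strongSwan), the following POSIX shell function parses the text output of ipsec status in the format shown above and succeeds only when the named connection has an ESTABLISHED IKE SA and at least one INSTALLED CHILD SA. The sample outputs embedded in it are constructed, modelled on the listing above rather than captured; the check_conn wrapper and the CHECK_CONN variable are this example's own.

```shell
#!/bin/sh
# Added example, not QuantaStor's or strongSwan's own code: a fail-closed
# check that the IPsec SA for a named connection is really up. Reads the text
# output of `ipsec status` (strongSwan 5.x format, as shown on this page) on
# stdin. An IKE SA alone is not enough: without an INSTALLED CHILD SA there
# are no kernel policies and traffic is not protected.

# ipsec_sa_up CONN  < output-of-ipsec-status
# Exit 0 when CONN has an ESTABLISHED IKE SA and an INSTALLED CHILD SA, else 1.
ipsec_sa_up() {
    conn="$1"
    ike=0
    child=0
    while IFS= read -r line; do
        case "$line" in
            # IKE SA line:   "  qs-client1[22]: ESTABLISHED 34 minutes ago, ..."
            *"$conn["*"]: ESTABLISHED"*) ike=1 ;;
            # CHILD SA line: "  qs-client1{22}:  INSTALLED, TRANSPORT, ESP SPIs: ..."
            *"$conn{"*"}:"*INSTALLED*)   child=1 ;;
        esac
    done
    [ "$ike" -eq 1 ] && [ "$child" -eq 1 ]
}

# Real use, e.g. from cron: check_conn qs-client1 || <raise an alert>
check_conn() {
    ipsec status "$1" | ipsec_sa_up "$1" || { echo "IPsec SA $1 is DOWN" >&2; return 1; }
}

# Constructed samples modelled on this page's listing (not captured output).
SAMPLE_UP='Security Associations:
  qs-client1[22]: ESTABLISHED 34 minutes ago, 192.168.0.3[client1.example.net]...192.168.0.2[qs1.example.net]
  qs-client1{22}:  INSTALLED, TRANSPORT, ESP SPIs: c810bccf_i c23fb4e7_o
  qs-client1{22}:   192.168.0.3/32 === 192.168.0.2/32'
SAMPLE_DOWN='Security Associations:
  none'
# IKE SA established but no CHILD SA installed: must still count as down.
SAMPLE_IKE_ONLY='Security Associations:
  qs-client1[3]: ESTABLISHED 2 seconds ago, 192.168.0.2[qs1.example.net]...192.168.0.3[client1.example.net]'

# Only runs against the live daemon when CHECK_CONN is set, e.g. CHECK_CONN=qs-client1.
if [ -n "${CHECK_CONN:-}" ]; then
    check_conn "$CHECK_CONN"
fi
```

Pair this with the tcpdump check above when first deploying: the parser proves strongSwan believes the SA is installed, while tcpdump proves no plaintext leaves the host.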