IPSec

From OSNEXUS Wiki

Internet Protocol Security (IPsec)

IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). (Wikipedia)

Host to Host Example

In this example we will use a pre-shared key to encrypt traffic between two hosts.

QuantaStor System
    Name:    qs1.example.net
    Address: 192.168.0.2

Ubuntu Client
    Name:    client1.example.net
    Address: 192.168.0.3

Setup

Here are the steps that need to be run on the QuantaStor system as root.

  1. Install strongSwan

     apt-get update
     apt-get install strongswan

  2. Configure the shared key

     The pre-shared key must be the same on both hosts and is stored in the /etc/ipsec.secrets file. Our example uses a random string of characters for the key, but any string will work. If your string contains spaces, enclose it in quotes.

     The following command encodes some random data, which we will use as the shared key:

     echo `dd if=/dev/urandom bs=33 count=1 2> /dev/null | base64 -w0`

     The output should look something like this:

     EGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

     Add the following line to the /etc/ipsec.secrets file. Be sure to use your own key, not this example. Notice that 0s is prepended to the shared key; this prefix tells strongSwan that the data is base64 encoded.

     @qs1.example.net @client1.example.net : PSK 0sEGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

  3. Configure strongSwan

     Add the following lines to /etc/ipsec.conf:

     conn %default
             ikelifetime=60m
             keylife=20m
             rekeymargin=3m
             keyingtries=1
             mobike=no
             keyexchange=ikev2

     conn qs-client1
             authby=secret
             left=192.168.0.2
             leftid=@qs1.example.net
             leftfirewall=yes
             right=192.168.0.3
             rightid=@client1.example.net
             type=transport
             auto=start

  4. Restart strongSwan

     service ipsec restart


Here are the steps that need to be run on the client box as root.

  1. Install strongSwan

     apt-get update
     apt-get install strongswan

  2. Configure the shared key

     Copy the same pre-shared key definition from the QuantaStor box into /etc/ipsec.secrets.

     @qs1.example.net @client1.example.net : PSK 0sEGme37ZWlkZTbaRsiSPVw7/n7QrSqt1a8qvpD704EbjM

  3. Configure strongSwan

     Add the following lines to /etc/ipsec.conf. Note that the only change from the QuantaStor config is that the left and right settings are swapped.

     conn %default
             ikelifetime=60m
             keylife=20m
             rekeymargin=3m
             keyingtries=1
             mobike=no
             keyexchange=ikev2

     conn qs-client1
             authby=secret
             left=192.168.0.3
             leftid=@client1.example.net
             leftfirewall=yes
             right=192.168.0.2
             rightid=@qs1.example.net
             type=transport
             auto=start

  4. Restart strongSwan

     service ipsec restart

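Because the two hosts' files differ only in the swapped left/right settings, both can be rendered from one function. The following POSIX sh helper is an added example, not code from the OSNEXUS wiki; the function names (gen_psk, psk_line, ipsec_conf) are my own, and the host names and addresses are the ones used on this page.

```shell
#!/bin/sh
# Added helper, not from the OSNEXUS page: render the two files from the
# steps above for either host, so the only difference between the two
# ipsec.conf files is the swapped left/right, as the page notes.

# 33 random bytes -> 44 base64 characters, the same recipe as the page.
gen_psk() {
    dd if=/dev/urandom bs=33 count=1 2>/dev/null | base64 | tr -d '\n'
}

# One /etc/ipsec.secrets line. Args: id_a id_b base64_key
# "0s" marks the key as base64 for strongSwan.
psk_line() {
    printf '@%s @%s : PSK 0s%s\n' "$1" "$2" "$3"
}

# One host's /etc/ipsec.conf. Args: conn local_ip local_id peer_ip peer_id
# The local side is always "left", so calling it with the host arguments
# reversed yields the peer's file.
ipsec_conf() {
    cat <<EOF
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no
        keyexchange=ikev2

conn $1
        authby=secret
        left=$2
        leftid=@$3
        leftfirewall=yes
        right=$4
        rightid=@$5
        type=transport
        auto=start
EOF
}

# Demo with the page's hosts (constructed values); prints both files to stdout.
if [ "${1:-}" = "demo" ]; then
    KEY=$(gen_psk)
    psk_line qs1.example.net client1.example.net "$KEY"
    ipsec_conf qs-client1 192.168.0.2 qs1.example.net 192.168.0.3 client1.example.net
    ipsec_conf qs-client1 192.168.0.3 client1.example.net 192.168.0.2 qs1.example.net
fi
```

Run with `sh render.sh demo` and redirect each block into the matching file on its host; /etc/ipsec.secrets should stay readable by root only.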

Start the connection; this can be run from either system.

ipsec up qs-client1

At this point all traffic between the two hosts will be encrypted. You can check the status of the connection by running ipsec status:

root@qs1:~# ipsec status
Security Associations:
   qs-client1[22]: ESTABLISHED 34 minutes ago, 192.168.0.3[client1.example.net]...192.168.0.2[qs1.example.net]
   qs-client1{22}:  INSTALLED, TRANSPORT, ESP SPIs: c810bccf_i c23fb4e7_o
   qs-client1{22}:   192.168.0.3/32 === 192.168.0.2/32 
   qs-client1{23}:  INSTALLED, TRANSPORT, ESP SPIs: c551892c_i c4a28aac_o
   qs-client1{23}:   192.168.0.3/32 === 192.168.0.2/32