Linux IPSEC

Owned by
David Spindler
Last updated: Jun 02, 2023
2 min read

Quick overview of testing IPSEC under Linux RH8


Looking for a solution to prevent MiTM attacks against services that use IP address based trust (for example NFS). 

Goal: Mesh CA based solution that protects against MiTM attacks. 

Target: RedHat systems, but should work for any Linux varianet

Solution:


Create CA and Certs
#Install certutil and ipsec
#Create CA/certs in the DB directory
#CA Name, anything you want
CA=BastionCA
#Validatity dats
VALID=120
rm -rf db
mkdir db
mkdir exportedcerts
certutil -N -d sql:./db
#certsigning/crlsighning might not be needed
certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" -k rsa -g 4096 -v $VALID -d ./db/ -t "CT,," -2 --keyUsage  certSigning,crlSigning

#Your hosts, probably FQDN
for HOST in host1 host2 host3 
do
	#Get some entropy rather then use a keyboard
    dd if=/dev/urandom of=urandom count=10
  	IP=`getent hosts $HOST| awk '{ print $1 }'`
	certutil -S -c "$CA" -n HOST -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" -k rsa -g 4096 -v $VALID -d ./db/ -t ",," --keyUsage "keyEncipherment,nonRepudiation,digitalSignature" --extKeyUsage "serverAuth,clientAuth" --extSAN "ip:$IP,dns:$HOST " -z ./urandom
	#Export the cert w/o a password
 	pk12util -o exportedcerts/$HOST.p12 -n $HOST -d ./db/ -W ''
	#Push it to the root directory and install it
  	scp exportedcerts/$HOST.p12 root@$HOST:
	#Delete and recreate all the ipsec associations/data, install this cert and then rename it do mynode so that all certs can have the same config file
	ssh $HOST "rm /etc/ipsec.d/*.db;ipsec initnss; pk12util -i $HOST.p12 -d sql:/etc/ipsec.d/ -W '' ;certutil --rename -n $HOST --new-n 'thisnode' -d /etc/ipsec.d "


Config file should usually be installed in /etc/ipsec.d/geoconf.conf (or any random name)


IPSEC config file
conn clear
        auto=ondemand
        type=passthrough
        authby=never
        left=%defaultroute
        right=%group

conn private
    auto=ondemand
    type=transport
    authby=rsasig
    ikev2=insist
    failureshunt=drop
    negotiationshunt=drop
    fragmentation=yes

    left=%defaultroute
    leftcert=thisnode
    leftsendcert=always
    leftrsasigkey=%cert

	#Dynamic connection
    right=%opportunisticgroup

    #If you set the rightid then any valid cert will work. By not setting the rightid we ensure the id is the host which is the IP 
	#LEAVE THIS COMMENTED OUT
	#rightid=%fromcert
	#For simplicity just need to be the same CA
    rightca=%same
    rightrsasigkey=%cert
    # support Apple and Windows at the same time
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048
	#AH mode
    #phase2=AH
    #ah=aes_xcbc
    ESP Mode aes_gcm256-null seems to be the recommended and fastest cypher
 	esp=aes_gcm256-null


Configure the /etc/ipsec.d/polciies/private  file (private=== conn private above)

Selector File
/etc/ipsec.d/policies/private:
# encrypt all smtp traffic to some host
#  10.0.1.0/24  tcp  0  25
# encrypt all incoming smtp traffic
#  0.0.0.0/0  tcp  25  0
#146.6.192.149/32
#Encrypyt all connection so this host:
129.116.112.207/32


/etc/ipsec.d/policies/clear:
# don't IPsec encrypt any incoming ssh
#This could be a issue if the bad person sources NFS traffic from port 22
0.0.0.0/0  tcp  22  0
0.0.0.0/0  tcp  0 22



Confluence Documentation | Web Privacy Policy | Web Accessibility