Quick overview of testing IPSEC under Linux RH8
Looking for a solution to prevent MiTM attacks against services that use IP address based trust (for example NFS).
Goal: Mesh CA based solution that protects against MiTM attacks.
Target: RedHat systems, but should work for any Linux varianet
Solution:
Code Block | ||||
---|---|---|---|---|
| ||||
#Install certutil and ipsec
#Create CA/certs in the DB directory
#CA Name, anything you want
CA=BastionCA
#Validatity dats
VALID=120
rm -rf db
mkdir db
mkdir exportedcerts
certutil -N -d sql:./db
#certsigning/crlsighning might not be needed
certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" -k rsa -g 4096 -v $VALID -d ./db/ -t "CT,," -2 --keyUsage certSigning,crlSigning
#Your hosts, probably FQDN
for HOST in host1 host2 host3
do
#Get some entropy rather then use a keyboard
dd if=/dev/urandom of=urandom count=10
IP=`getent hosts $HOST| awk '{ print $1 }'`
certutil -S -c "$CA" -n HOST -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" -k rsa -g 4096 -v $VALID -d ./db/ -t ",," --keyUsage "keyEncipherment,nonRepudiation,digitalSignature" --extKeyUsage "serverAuth,clientAuth" --extSAN "ip:$IP,dns:$HOST " -z ./urandom
#Export the cert w/o a password
pk12util -o exportedcerts/$HOST.p12 -n $HOST -d ./db/ -W ''
#Push it to the root directory and install it
scp exportedcerts/$HOST.p12 root@$HOST:
#Delete and recreate all the ipsec associations/data, install this cert and then rename it do mynode so that all certs can have the same config file
ssh $HOST "rm /etc/ipsec.d/*.db;ipsec initnss; pk12util -i $HOST.p12 -d sql:/etc/ipsec.d/ -W '' ;certutil --rename -n $HOST --new-n 'thisnode' -d /etc/ipsec.d "
|
Config file should usually be installed in /etc/ipsec.d/geoconf.conf (or any random name)
Code Block | ||||
---|---|---|---|---|
| ||||
conn clear
auto=ondemand
type=passthrough
authby=never
left=%defaultroute
right=%group
conn private
auto=ondemand
type=transport
authby=rsasig
ikev2=insist
failureshunt=drop
negotiationshunt=drop
fragmentation=yes
left=%defaultroute
leftcert=thisnode
leftsendcert=always
leftrsasigkey=%cert
#Dynamic connection
right=%opportunisticgroup
#If you set the rightid then any valid cert will work. By not setting the rightid we ensure the id is the host which is the IP
#LEAVE THIS COMMENTED OUT
#rightid=%fromcert
#For simplicity just need to be the same CA
rightca=%same
rightrsasigkey=%cert
# support Apple and Windows at the same time
ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048
#AH mode
#phase2=AH
#ah=aes_xcbc
ESP Mode aes_gcm256-null seems to be the recommended and fastest cypher
esp=aes_gcm256-null |
Configure the /etc/ipsec.d/polciies/private file (private=== conn private above)
Code Block | ||
---|---|---|
| ||
/etc/ipsec.d/policies/private:
# encrypt all smtp traffic to some host
# 10.0.1.0/24 tcp 0 25
# encrypt all incoming smtp traffic
# 0.0.0.0/0 tcp 25 0
#146.6.192.149/32
#Encrypyt all connection so this host:
129.116.112.207/32
/etc/ipsec.d/policies/clear:
# don't IPsec encrypt any incoming ssh
#This could be a issue if the bad person sources NFS traffic from port 22
0.0.0.0/0 tcp 22 0
0.0.0.0/0 tcp 0 22
|