Linux IPSEC
Quick overview of testing IPSEC under Linux RH8
Looking for a solution to prevent MiTM attacks against services that use IP address based trust (for example NFS).
Goal: Mesh CA based solution that protects against MiTM attacks.
Target: RedHat systems, but should work for any Linux varianet
Solution:
Create CA and Certs
#Install certutil and ipsec #Create CA/certs in the DB directory #CA Name, anything you want CA=BastionCA #Validatity dats VALID=120 rm -rf db mkdir db mkdir exportedcerts certutil -N -d sql:./db #certsigning/crlsighning might not be needed certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" -k rsa -g 4096 -v $VALID -d ./db/ -t "CT,," -2 --keyUsage certSigning,crlSigning #Your hosts, probably FQDN for HOST in host1 host2 host3 do #Get some entropy rather then use a keyboard dd if=/dev/urandom of=urandom count=10 IP=`getent hosts $HOST| awk '{ print $1 }'` certutil -S -c "$CA" -n HOST -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" -k rsa -g 4096 -v $VALID -d ./db/ -t ",," --keyUsage "keyEncipherment,nonRepudiation,digitalSignature" --extKeyUsage "serverAuth,clientAuth" --extSAN "ip:$IP,dns:$HOST " -z ./urandom #Export the cert w/o a password pk12util -o exportedcerts/$HOST.p12 -n $HOST -d ./db/ -W '' #Push it to the root directory and install it scp exportedcerts/$HOST.p12 root@$HOST: #Delete and recreate all the ipsec associations/data, install this cert and then rename it do mynode so that all certs can have the same config file ssh $HOST "rm /etc/ipsec.d/*.db;ipsec initnss; pk12util -i $HOST.p12 -d sql:/etc/ipsec.d/ -W '' ;certutil --rename -n $HOST --new-n 'thisnode' -d /etc/ipsec.d "
Config file should usually be installed in /etc/ipsec.d/geoconf.conf (or any random name)
IPSEC config file
conn clear auto=ondemand type=passthrough authby=never left=%defaultroute right=%group conn private auto=ondemand type=transport authby=rsasig ikev2=insist failureshunt=drop negotiationshunt=drop fragmentation=yes left=%defaultroute leftcert=thisnode leftsendcert=always leftrsasigkey=%cert #Dynamic connection right=%opportunisticgroup #If you set the rightid then any valid cert will work. By not setting the rightid we ensure the id is the host which is the IP #LEAVE THIS COMMENTED OUT #rightid=%fromcert #For simplicity just need to be the same CA rightca=%same rightrsasigkey=%cert # support Apple and Windows at the same time ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048 #AH mode #phase2=AH #ah=aes_xcbc ESP Mode aes_gcm256-null seems to be the recommended and fastest cypher esp=aes_gcm256-null
Configure the /etc/ipsec.d/polciies/private file (private=== conn private above)
Selector File
/etc/ipsec.d/policies/private: # encrypt all smtp traffic to some host # 10.0.1.0/24 tcp 0 25 # encrypt all incoming smtp traffic # 0.0.0.0/0 tcp 25 0 #146.6.192.149/32 #Encrypyt all connection so this host: 129.116.112.207/32 /etc/ipsec.d/policies/clear: # don't IPsec encrypt any incoming ssh #This could be a issue if the bad person sources NFS traffic from port 22 0.0.0.0/0 tcp 22 0 0.0.0.0/0 tcp 0 22
Welcome to the University Wiki Service! Please use your IID (yourEID@eid.utexas.edu) when prompted for your email address during login or click here to enter your EID. If you are experiencing any issues loading content on pages, please try these steps to clear your browser cache.