Quick overview of testing IPSEC under Linux RH8
Looking for a solution to prevent MiTM attacks against services that use IP address based trust (for example NFS).
Goal: Mesh CA based solution that protects against MiTM attacks.
Target: RedHat systems, but should work for any Linux variant.
Solution:
Create CA and Certs
    # Install certutil and ipsec
    # Create the CA and certs in the ./db directory

    # CA name, anything you want
    CA=BastionCA
    # Validity period (certutil -v counts months)
    VALID=120

    rm -rf db
    mkdir db
    mkdir -p exportedcerts
    certutil -N -d sql:./db

    # certSigning/crlSigning might not be needed
    certutil -S -x -n "$CA" -s "O=EDU,O=UTEXAS,O=GEO,CN=$CA" \
        -k rsa -g 4096 -v $VALID -d ./db/ -t "CT,," -2 \
        --keyUsage certSigning,crlSigning

    # Your hosts, probably FQDN
    for HOST in host1 host2 host3
    do
        # Get some entropy rather than use a keyboard
        dd if=/dev/urandom of=urandom count=10
        IP=$(getent hosts "$HOST" | awk '{ print $1 }')
        certutil -S -c "$CA" -n "$HOST" -s "O=EDU,O=UTEXAS,O=GEO,CN=$HOST" \
            -k rsa -g 4096 -v $VALID -d ./db/ -t ",," \
            --keyUsage "keyEncipherment,nonRepudiation,digitalSignature" \
            --extKeyUsage "serverAuth,clientAuth" \
            --extSAN "ip:$IP,dns:$HOST" -z ./urandom
        # Export the cert w/o a password
        pk12util -o "exportedcerts/$HOST.p12" -n "$HOST" -d ./db/ -W ''
        # Push it to the root directory and install it
        scp "exportedcerts/$HOST.p12" "root@$HOST:"
        # Delete and recreate all the ipsec associations/data, install this cert,
        # then rename it to thisnode so that all hosts can share the same config file
        ssh "root@$HOST" "rm /etc/ipsec.d/*.db; ipsec initnss; pk12util -i $HOST.p12 -d sql:/etc/ipsec.d/ -W ''; certutil --rename -n $HOST --new-n 'thisnode' -d sql:/etc/ipsec.d"
    done
Config file should usually be installed in /etc/ipsec.d/geoconf.conf (or any random name)
IPSEC config file
    conn clear
        auto=ondemand
        type=passthrough
        authby=never
        left=%defaultroute
        right=%group

    conn private
        auto=ondemand
        type=transport
        authby=rsasig
        ikev2=insist
        failureshunt=drop
        negotiationshunt=drop
        fragmentation=yes
        left=%defaultroute
        leftcert=thisnode
        leftsendcert=always
        leftrsasigkey=%cert
        # Dynamic connection
        right=%opportunisticgroup
        # If you set the rightid then any valid cert will work.
        # By not setting the rightid we ensure the id is the host, which is the IP.
        # LEAVE THIS COMMENTED OUT
        #rightid=%fromcert
        # For simplicity the peer just needs to be from the same CA
        rightca=%same
        rightrsasigkey=%cert
        # support Apple and Windows at the same time
        ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048
        # AH mode
        #phase2=AH
        #ah=aes_xcbc
        # ESP mode
        # aes_gcm256-null seems to be the recommended and fastest cipher
        esp=aes_gcm256-null
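The "private" conn only protects against MiTM while it stays fail-closed and keeps rightid unset, so a deployed copy is worth checking for drift. The following is an added example, not part of the original page: a small Python audit of ipsec.conf-style text against the option values shown above. The names REQUIRED, parse_conns and audit, and the WEAK sample, are assumptions made for the illustration.

```python
import re

# Options the page's "private" conn depends on (values copied from the page).
REQUIRED = {
    "type": "transport", "authby": "rsasig", "ikev2": "insist",
    "failureshunt": "drop", "negotiationshunt": "drop",
    "leftcert": "thisnode", "rightca": "%same",
}

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop comments
        if not line:
            continue
        if not raw[0].isspace():                      # unindented = section header
            m = re.fullmatch(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(text, conn="private"):
    """Return findings for one conn; an empty list means it matches the page."""
    opts = parse_conns(text).get(conn)
    if opts is None:
        return [f"conn {conn} not found"]
    findings = [f"{k}={opts.get(k)} (expected {v})"
                for k, v in REQUIRED.items() if opts.get(k) != v]
    if "rightid" in opts:  # the page says to leave rightid commented out
        findings.append(f"rightid={opts['rightid']} should be unset")
    return findings

# Constructed samples: GOOD mirrors the page's conn, WEAK is a hypothetical drifted copy.
GOOD = """conn private
    type=transport
    authby=rsasig
    ikev2=insist
    failureshunt=drop
    negotiationshunt=drop
    leftcert=thisnode
    #rightid=%fromcert
    rightca=%same
"""
WEAK = GOOD.replace("failureshunt=drop", "failureshunt=passthrough").replace("#rightid", "rightid")

if __name__ == "__main__":
    print("GOOD:", audit(GOOD) or "ok", "| WEAK:", audit(WEAK))
```

To audit a live host, pass the contents of the installed file (for example /etc/ipsec.d/geoconf.conf) to audit().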