Posted by michael from the lock-stock-and-barrel dept.
LiquidPC writes: "The folks over at ONLamp have a new article which discusses IP security, including details on setting up Internet Key Exchange, policies, and using racoon."
Pre Shared Keys are step 1. Next: Public Keys
by aphor · Score: 5, Informative
Pre-Shared Keys are the first step in getting IPSec running, but it really doesn't fulfil the role that IPSec was intended for: securing rlogin/rsh/rcp, ftp, etc. on an ad-hoc basis using the Transport Mode AH/ESP.
For that you want to set up "Transport Mode" (as opposed to Tunnel mode) IPSec policies, and you don't want to use pre-shared-keys (ie. that must be kept in sync on both ends of any IPSec connection).
What you want to do is use OpenSSL or the SSL certificate utilities that come with Apache-SSL (or is it mod-ssl?) to make a Certificate Authority (CA) key pair for yourself. You want to keep those on removable media; don't leave them laying around on some hard-drive. Then, (this is a repeated-per-host step) use the same utilities and your new CA to make keys and x509 certificates for each of the computers' IP addresses that you intend to secure with IPSec. Trust me on this one: make sure you make keys for both IPv4 and IPv6 for each IP address that appears in netstat -rn output.
Setting hosts up for the public-keys you just made: You need to distribute a copy of the CA public key to each machine wherever your OpenSSL(1) configuration likes CA public keys. Put the host keys somewhere like /usr/local/etc/racoon/hostkeys and make sure only root (the racoon daemon) has access to the private keys. Your standard racoon.conf file will need a "path certificate" line that specifies your hostkeys directory as well as your systems' OpenSSL certificate areas. You should start doing these steps as part of any standard installation procedure if you have one.
Once you have keys set up on two hosts, set them up with IPSec policies to allow rlogin over authenticated ESP encrypted connections only. If you didn't set up keys (correctly), rlogin will be firewalled out by the IPSec policy. If you got it all right, you should be able to rlogin between the hosts.
man pages of interest:
openssl(1)
This is a couple of days' worth of homework if you're not already familiar. Also look at /etc/ssl/openssl.cnf (which should be fully customised as a prerequisite to this project).
--- Nothing clever here: move along now...
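
The CA and per-host certificate steps described in the comment above, as an added example that is not part of the original comment or the ONLamp article. The directory layout, subject names, RSA-2048 keys, use of subjectAltName for the address, and the documentation-range addresses are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a private CA plus one host certificate per IP address.
# Directory names, subject names and addresses are constructed assumptions.
set -eu

make_ca() {              # $1 = CA directory (keep it on removable media)
    mkdir -p "$1" && chmod 700 "$1"
    # -nodes keeps this demo non-interactive; drop it to passphrase-protect ca.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example IPsec CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

make_host_cert() {       # $1 = CA dir, $2 = hostkeys dir, $3 = IPv4 or IPv6 address
    mkdir -p "$2"
    name=$(printf '%s' "$3" | tr ':' '_')   # ':' in IPv6 is awkward in file names
    ( umask 077          # host private key ends up readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
          -keyout "$2/$name.key" -out "$2/$name.csr" 2>/dev/null )
    # Assumption: the address is bound into the certificate as a subjectAltName
    printf 'subjectAltName=IP:%s\n' "$3" > "$2/$name.ext"
    openssl x509 -req -in "$2/$name.csr" -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$2/$name.ext" -out "$2/$name.crt" 2>/dev/null
    rm -f "$2/$name.csr" "$2/$name.ext"
}

verify_host_cert() {     # $1 = CA dir, $2 = certificate; succeeds only if that CA signed it
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Demo with documentation-range addresses (constructed, not from the post).
work=$(mktemp -d)
make_ca "$work/ca"
for ip in 192.0.2.10 2001:db8::10; do
    make_host_cert "$work/ca" "$work/hostkeys" "$ip"
    verify_host_cert "$work/ca" "$work/hostkeys/$(printf '%s' "$ip" | tr ':' '_').crt"
done
ls -l "$work/hostkeys"
```

Only `ca.crt` and a host's own `.crt`/`.key` pair need to be copied to that host; `ca.key` stays with the CA directory.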