Index of /log/2007/Jan

After setting up IPsec with pre-shared keys (in the previous post), I upgraded my setup to use X.509 certificates. This makes it possible to revoke keys (which makes it impossible to connect using those keys.. always nice if a machine gets compromised), and you'll get a key that's generated by something that knows how to generate secure keys (openssl), which is always better than a short 'human-generated' pre-shared key.

It's probably easiest to set up your own CA for this. You can do this by hand using the CA.pl file included with the openssl package, but it's easier to install the tinyca package, and create the certificates from there.

When you've generated a server key for every host you want to set up IPsec on, and exported the public CA certificate and a CRL, you should put the following things in /etc/racoon/certs:

1. The CA certificate (the same on all machines)
2. The CRL (the same on all machines)
3. The certificate (different on all hosts)
4. The private key (different on all hosts)

You should make sure the private key isn't encrypted. Racoon can't handle that yet. The easiest way to do this is to export the certificate/key pair from tinyca using the 'tar' option, then extract the files from the .tar file into the /etc/racoon/certs directory, and run openssl rsa -in my_key.pem -out my_key.pem on it, to remove the password from the key.

After this, you need to let racoon be able to find your CRL. This is done by giving it a filename that's identical to the CA certificate hash. You can do this by running the following command:

# ln -s yourca.crl `openssl x509 -noout -hash -in yourca-cacert.pem`.r0

Now all that's left is actually configuring racoon itself. You need to point it at the certificates you just installed, and have it verify the certificate the other side sends us. All the linked config does is check if it's signed by the same CA, and the signature hasn't been revoked. Check the racoon.conf manual page for more info on the config file format, and the possibility of stricter checks.

I've set up an IPsec tunnel between my network at home and my colocated server. This makes a few things easier: I can now connect to all my machines at home from my server without having to set up port forwarding first (using SSH, of course), and it'll always be encrypted, so if I wanted to, I could even use "unsafe" protocols over the internet. It also exercises the Padlock bits of my VIA C3 CPUs, which means there's almost no slowdown.

First, you have to determine a few things (the values I'll assume in this post are between parentheses):

• The server's (public) IP address (172.16.0.1)
• The client's (public) IP address (172.17.0.1)
• The network you want to use on the server side (10.0.1.0/24)
• The network you want to use on the client side (10.0.2.0/24; this should be a different network from the one on the server)

When you've figured those bits out, install Racoon (it's in the 'racoon' package). Racoon is an IKE daemon. It will listen on port 500 (UDP) for incoming requests and negotiate the keys and encryption methods to use on the IPsec (encrypted) link.

Then it's time to configure racoon. I chose the "old-fashioned" way (not using racoon-tool), because racoon-tool in 6.06LTS is too buggy for me. If you do it like this, you have to edit two files: /etc/racoon/racoon.conf and /etc/ipsec-tools.conf

On the server, you will need a configuration like these racoon.conf and ipsec-tools.conf files. You can read the racoon.conf and setkey manual pages to understand what they're doing.

The configuration files on the client are almost the same, but in the IPs and subnets are in reverse (racoon.conf, ipsec-tools.conf). There's one other difference: the client configuration contains passive off; while the server config contains passive on;. This means that the server will never initiate the connection, so the client will always have to do this first (sending one packet through the tunnel should be enough). If you want the server to be able to initiate the connection as well, you need to set passive to off there too.

After this, all you need to do is set up the shared key, and restart some services. After that, everything should work. Shared keys are configured in /etc/racoon/psk.txt, in the format identifier key. In our case, the identifier is the IP address (of the host we're connecting to), so on the server you put 172.17.0.1 yourkeyhere in there, and on the client you use 172.16.0.1 yourkeyhere.

Make sure both keys are identical, then execute the following commands, and everything should start working the moment you try to send the first packet over the network: /etc/init.d/racoon stop; /etc/init.d/setkey restart; /etc/init.d/racoon start

Please note that you shouldn't use simple words or sentences as a key. The pre-shared key is (afaik) the weakest part in the security of this setup. I'll explain how to use X.509 certificates instead of pre-shared keys in a later post.

If you're also doing firewalling or some kind of NAT on one of the IPsec endpoints, make sure you allow traffic with protocol 'esp' to the remote endpoint.

In the coming weeks I'll extend this with X.509 certificates and a "Roadwarrior" setup, which will allow clients without a known IP address (like travelers with a laptops) to connect.