Securing peer connections using IPSec
{width=”240”
height=”180”}\ If some application or transport protocol doesn’t specify a way to encrypt it’s contents, it might be still enough to encrypt a lower layer.\ \ IPSec is a way to encrypt IP packets (actually it is an alternative to IP).\ \ The script after the break can be used to secure a connection - like an RTSP stream - between two peers using a pre shared key (psk).\ []{#more}I updated the script to fix the permissions of psk.txt and a comment on how to remove the SPDs afterwards.\ There we go:\
#!/bin/bash
# Use IPs - if names are used the psk.txt generation needs to be fixed.
LOCAL=$1
REMOTE=$2
PSK=$3
echo "Securing connection from $LOCAL to $REMOTE."
echo "Ensure to run this script on the remote side too."
echo "Present SAD and SPD entries will be flushed."
# Flush
/sbin/setkey -FP
# Add new entries
/sbin/setkey -c flush;
spdflush;
spdadd -4 $LOCAL $REMOTE any -P out ipsec esp/transport//require;
spdadd -4 $REMOTE $LOCAL any -P in ipsec esp/transport//require;
EOF
# Open ports
for POR in 500 4500; do
for PRO in tcp udp; do
iptables -I INPUT -p $PRO --dport $POR -j ACCEPT
iptables -I INPUT -p $PRO --dport $POR -j ACCEPT
done; done
# Create psk.txt
echo "$REMOTE $PSK" > psk.txt
# Create racoon.conf
cat racoon.conf
log info;
path pre_shared_key "psk.txt";
remote anonymous
{
exchange_mode main;
lifetime time 2 min; # sec,min,hour
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm aes;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
lifetime time 10 min;
encryption_algorithm aes, 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha512, hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
padding
{
randomize on;
randomize_length on;
}
EOF
# Fix mode
chmod u=rw,go= psk.txt
# Run racoon
racoon -F -v -f racoon.conf
# Use setkey -FP to clean up the SPDs afterwards
::: {#footer} [ November 24th, 2011 10:24pm ]{#timestamp} [ipsec]{.tag} [racoon]{.tag} [fedora]{.tag} [presence]{.tag} :::