Thursday, September 14, 2017

Encrypt your LAN with IPsec (OpenBSD)

Note: Your feedback is welcome. Please leave a comment at the bottom.


IPsec is often used for Virtual Private Networks (VPNs), but it can also be used between computers on a local network. IPsec provides encryption and authentication, and it prevents replay attacks.

Some protocols are useful but don't have great security on their own, like NFS, NIS, and SNMP. You can run them securely if your LAN is secured with IPsec.

OpenBSD supports IPsec natively, along with Internet Key Exchange (IKE) protocol version 1 via isakmpd. OpenIKED supports IKEv2 but doesn't support transport mode, meaning it can only be used for VPNs (tunnel mode), so we'll use IKEv1 here.

Here's how to configure two computers to use IPsec to talk between them. We'll use public keys (without X.509 certificates, for simplicity).

Host ipsecone (10.0.2.4)


# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.4 to 10.0.2.5 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.5:/etc/isakmpd/local.pub 10.0.2.5 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# rcctl start isakmpd
# ipsecctl -vf /etc/ipsec.conf  `# load the rules, or reboot; isakmpd must already be running because ipsecctl hands the ike rule to it over its fifo`

Host ipsectwo (10.0.2.5)


# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.5 to 10.0.2.4 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.4:/etc/isakmpd/local.pub 10.0.2.4 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# rcctl start isakmpd
# ipsecctl -vf /etc/ipsec.conf  `# load the rules, or reboot; isakmpd must already be running because ipsecctl hands the ike rule to it over its fifo`


Testing

On ipsecone, run: # tcpdump host 10.0.2.5

On ipsectwo, run: # ping 10.0.2.4

On ipsecone, you should see "esp" and "spi" in your tcpdump output rather than plain ICMP echo packets.
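A scripted check to go with the tcpdump test, added here and not part of the original post: it reads the output of ipsecctl -sa (the sample below is constructed to resemble that output) and confirms an ESP transport SA in each direction carrying the quick-mode algorithms from ipsec.conf, plus an outbound flow of "type require" rather than "type use", which would let traffic fall back to cleartext when no SA is up.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE is constructed to look
# like "ipsecctl -sa" output on ipsecone; pass nothing as the 5th argument to
# have check_ipsec run the real "ipsecctl -sa" (needs root) instead.
SAMPLE='FLOWS:
flow esp in from 10.0.2.5 to 10.0.2.4 peer 10.0.2.5 srcid 10.0.2.4/32 dstid 10.0.2.5/32 type require
flow esp out from 10.0.2.4 to 10.0.2.5 peer 10.0.2.5 srcid 10.0.2.4/32 dstid 10.0.2.5/32 type require

SAD:
esp transport from 10.0.2.5 to 10.0.2.4 spi 0x0a1b2c3d auth hmac-sha2-256 enc aes
esp transport from 10.0.2.4 to 10.0.2.5 spi 0x4e5f6071 auth hmac-sha2-256 enc aes
'

# check_ipsec LOCAL PEER AUTH ENC [OUTPUT]
# Returns 0 when an ESP transport SA exists in both directions with the
# expected auth/enc and the outbound flow is "type require"; otherwise
# prints what is missing and returns 1.
check_ipsec() {
    local_ip=$1; peer=$2; want_auth=$3; want_enc=$4
    out=${5:-$(ipsecctl -sa)}
    rc=0
    # One SA per direction: local->peer and peer->local.
    for dir in "$local_ip to $peer" "$peer to $local_ip"; do
        if ! printf '%s\n' "$out" | grep -q \
            "^esp transport from $dir spi 0x[0-9a-f]* auth $want_auth enc $want_enc\$"; then
            echo "missing ESP transport SA $dir with $want_auth/$want_enc"; rc=1
        fi
    done
    # A "use" flow would silently pass cleartext when no SA is negotiated.
    if ! printf '%s\n' "$out" | grep -q \
        "^flow esp out from $local_ip to $peer .* type require\$"; then
        echo "outbound flow to $peer is not 'type require' (cleartext fallback possible)"; rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed sample.
check_ipsec 10.0.2.4 10.0.2.5 hmac-sha2-256 aes "$SAMPLE" && echo "ipsec to 10.0.2.5 OK"
```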

Logging

You can see IPsec / IKE log output from isakmpd in /var/log/daemon.
