Paweł Krawczyk
Most network services and daemons now offer TLS transport protection and their managing certificates and TLS configuration for server farms may use more resources than actual configuration of these services. What if you could get rid of all this complexity and replace it by single transport protection protocol, securing all of the traffic between your servers trasparently and with single centralized key and configuration management? This will be a story of a successful implementation of IPSec protocols, largely and undeservedly forgotten in that purpose, for securing a farm of production cloud servers, with configuration centrally managed with Ansible.
6. Transport Security in Linux
Solution Performance Authentication Configuration Availability
SSH tunnel User mode Pubkey Local port Common
Stunnel User mode Pubkey Local port Common
OpenVPN User mode Pubkey Network Common
Tinc User mode Pubkey Network Common
WireGuard Kernel PSK Network DKMS
IPSec Kernel PSK or Pubkey Network Common
TLS User mode Pubkey Local port Common
28. IPSec configuration in Linux
SPD (Security Policy Database)
“Traffic from A to B must be encrypted”
”Traffic from A to C may be compressed and encrypted”
“Traffic from A to D goes in plaintext”
SAD (Security Association Database)
“How to encrypt data from A to B”
So you need two SA for bidirectional traffix
Keys
AES-CBC-128 (encryption)
HMAC-SHA256 (authentication & integrify)
SPI (unique SA identifier)
Sequence number, mode, replay protection, expiration date & bytes...
31. Implementation
SPD populated by administrator
# setkey -f /etc/ipsec-tools.conf
SAD populated either by
Administrator (manual keying)
Also /etc/ipsec-tools.conf
Racoon daemon (IKE keying)
/etc/racoon/racoon.conf
/etc/racoon/psk.txt
Can also use X.509 certificates
32. /etc/ipsec-tools.conf
Note:
Two entries needed because SA is unidirectional
“transport” mode (the other could be “tunnel”)
“use” opportunistic policy (as opposed to “require”)
34. More SPD fun
Note:
You can disable IPSec for particular protocol, hosts or ports
Four SSH lines because it can be initiated from either host
...and SA are unidirectional
35. More SPD fun
Note:
You can stack SPD transforms
IPCOMP is IPSec unencrypted compression
We then wrap IPCOMP inside ESP
37. IKE operations
You define SPD and hint Racoon on identity of
peers
“Kernel, you must encrypt traffic to X”
“Racoon, X is identified by this PSK”
Kernel tries to send packet to X
Hits SPD
First time
Sends request to Racoon to populate SAD
Racoon talks to the other Racoon, exchange keys
Pick up entry for X from SAD
40. Rekeying
With Racoon – it just happens
In manual mode
Need to periodically delete old, create new
SA
Keys defined down to actual hex strings
Short-term, rekey daily
44. SPD not populated
Causes
Syntax errors in ipsec-tools.conf
IP address mismatch
Setkey not called after reboot
Consequences
Traffic flows unencrypted
Receive unexpected ESP traffic
45. SAD not populated
Causes
Racoon not running
Racoon fails to establish IKE SA
Keys mismatch in ‘setkey’ mode
Consequences
SPD cannot find matching SA
Traffic flows unencrypted if policy is /use
Traffic dropped if policy is /require
46. Other issues
Have you checked your firewall?
Assymetric mismatch
Side A requires ESP, side B flushed
Side A refreshed SA, side B didn’t
seq out of sync
MTU in tunnel mode
ip set dev eth0 mtu 1492
47. IKE failures
Causes
Racoon PSK mismatch
Missing remote section for a host
IP mismatch in remote
Mismatch my_identifier peers_identifier
Debugging
# journalctl -f -u racoon
49. “kravietz.ipsec” role
IPSec configuration is
Repetitive
Sensitive to typos and mismatches
Difficult to write manually
Ansible is a perfect solution for this scenario
Ansible Galaxy role
https://github.com/kravietz/ansible-ipsec
53. Health & safety
Atomic playbook runs
Prevents partial runs, “unpaired” ESP and IKE
Secret management
Use ansible-vault or other suitable solutions