This document summarizes transport layer security (TLS) and internet protocol security (IPSec) options for securing communications in Linux. It describes various user-mode and kernel-mode TLS and IPSec implementations like SSH, OpenVPN, WireGuard etc. The document then focuses on IPSec, explaining its architecture, configuration using setkey and racoon, and troubleshooting IPSec issues. It concludes by introducing an Ansible role for automating and simplifying IPSec configuration.
6. Transport Security in Linux
Solution Performance Authentication Configuration Availability
SSH tunnel User mode Pubkey Local port Common
Stunnel User mode Pubkey Local port Common
OpenVPN User mode Pubkey Network Common
Tinc User mode Pubkey Network Common
WireGuard Kernel PSK Network DKMS
IPSec Kernel PSK or Pubkey Network Common
TLS User mode Pubkey Local port Common
28. IPSec configuration in Linux
● SPD (Security Policy Database)
– “Traffic from A to B must be encrypted”
– ”Traffic from A to C may be compressed and encrypted”
– “Traffic from A to D goes in plaintext”
● SAD (Security Association Database)
– “How to encrypt data from A to B”
● So you need two SA for bidirectional traffix
– Keys
● AES-CBC-128 (encryption)
● HMAC-SHA256 (authentication & integrify)
– SPI (unique SA identifier)
– Sequence number, mode, replay protection, expiration date & bytes...
31. Implementation
● SPD populated by administrator
– # setkey -f /etc/ipsec-tools.conf
● SAD populated either by
– Administrator (manual keying)
● Also /etc/ipsec-tools.conf
– Racoon daemon (IKE keying)
● /etc/racoon/racoon.conf
● /etc/racoon/psk.txt
● Can also use X.509 certificates
32. /etc/ipsec-tools.conf
Note:
● Two entries needed because SA is unidirectional
● “transport” mode (the other could be “tunnel”)
● “use” opportunistic policy (as opposed to “require”)
34. More SPD fun
Note:
● You can disable IPSec for particular protocol, hosts or ports
● Four SSH lines because it can be initiated from either host
● ...and SA are unidirectional
35. More SPD fun
Note:
● You can stack SPD transforms
● IPCOMP is IPSec unencrypted compression
● We then wrap IPCOMP inside ESP
37. IKE operations
● You define SPD and hint Racoon on identity of peers
● “Kernel, you must encrypt traffic to X”
● “Racoon, X is identified by this PSK”
● Kernel tries to send packet to X
● Hits SPD
● First time
● Sends request to Racoon to populate SAD
● Racoon talks to the other Racoon, exchange keys
● Pick up entry for X from SAD
● Encrypt and send packet
40. Rekeying
With Racoon – it just happens
In manual mode
● Need to periodically delete old, create new SA
● Keys defined down to actual hex strings
● Short-term, rekey daily
44. SPD not populated
● Causes
– Syntax errors in ipsec-tools.conf
– IP address mismatch
– Setkey not called after reboot
● Consequences
– Traffic flows unencrypted
– Receive unexpected ESP traffic
45. SAD not populated
● Causes
– Racoon not running
– Racoon fails to establish IKE SA
– Keys mismatch in ‘setkey’ mode
● Consequences
– SPD cannot find matching SA
– Traffic flows unencrypted if policy is /use
– Traffic dropped if policy is /require
46. Other issues
● Have you checked your firewall?
● Assymetric mismatch
– Side A requires ESP, side B flushed
– Side A refreshed SA, side B didn’t
● seq out of sync
● MTU in tunnel mode
– ip set dev eth0 mtu 1492
47. IKE failures
● Causes
– Racoon PSK mismatch
– Missing remote section for a host
– IP mismatch in remote
– Mismatch my_identifier peers_identifier
● Debugging
– # journalctl -f -u racoon
49. “kravietz.ipsec” role
● IPSec configuration is
– Repetitive
– Sensitive to typos and mismatches
– Difficult to write manually
● Ansible is a perfect solution for this scenario
● Ansible Galaxy role
– https://github.com/kravietz/ansible-ipsec
53. Health & safety
● Atomic playbook runs
– Prevents partial runs, “unpaired” ESP and IKE
● Secret management
– Use ansible-vault or other suitable solutions