IPSEC

From FnordWiki

Package Installation

apt-get install openswan openswan-doc

sysctl variables

This should be added to /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

Followed by:

sysctl -p /etc/sysctl.conf
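The four settings above only take effect if they are actually present in the file that sysctl -p reads, and a later line in the same file silently overrides an earlier one. The following POSIX sh script is an added example, not part of this wiki page: it parses a sysctl.conf-style file and checks that every ICMP-redirect key is explicitly set to 0, without touching the running kernel. The two sample files it builds are constructed inputs; point check_redirect_sysctls at /etc/sysctl.conf on a real host.

```sh
#!/bin/sh
# Added example (not from the wiki page): verify the ICMP-redirect sysctls
# listed on the page are present and set to 0 in a sysctl.conf-style file.

REDIRECT_KEYS="net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.send_redirects
net.ipv4.conf.default.send_redirects"

# Print the effective value of key $2 in file $1. Comments and blank lines
# are ignored; the last assignment wins, which matches how sysctl -p applies
# the file top to bottom. Prints nothing if the key is absent.
sysctl_value() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk -F'=' -v key="$2" '
            NF >= 2 {
                k = $1; sub(/[[:space:]]+$/, "", k)
                v = $2; sub(/^[[:space:]]+/, "", v)
                if (k == key) val = v
            }
            END { if (val != "") print val }'
}

# Return 0 if every redirect key is explicitly set to 0 in file $1, else 1.
# Each missing or wrong key is reported on stderr.
check_redirect_sysctls() {
    rc=0
    for key in $REDIRECT_KEYS; do
        val=$(sysctl_value "$1" "$key")
        if [ -z "$val" ]; then
            echo "missing: $key (kernel default stays in effect)" >&2
            rc=1
        elif [ "$val" != "0" ]; then
            echo "wrong:   $key=$val (expected 0)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs: one hardened file, one with a missing key and a
# key left at 1. Written to temp files so the example runs stand-alone.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# hardened host, as on the wiki page
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
cat > "$BAD_CONF" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1   # still sends redirects
net.ipv4.conf.default.send_redirects = 0
EOF

if check_redirect_sysctls "$GOOD_CONF"; then echo "good.conf: OK"; fi
check_redirect_sysctls "$BAD_CONF" || echo "bad.conf: needs fixing"
```

The check reads the file rather than the live values on purpose: a reboot reloads the file, so a correct running kernel with a wrong file is a finding too. Compare the file result against sysctl -n for each key if you also want to confirm the running state.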

Key records in DNS for opportunistic encryption

Add the output of

ipsec showhostkey --txt @yesdear.fnord.greeley.co.us

to your DNS zones. This would be better with DNSSEC turned on, but that isn't a requirement. (Without DNSSEC, a malicious DNS server could provide you with a bogus host key, and impersonate your communications partner.)

This procedure needs to be repeated for the reverse lookup zones as well.
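Because the key has to be published in both the forward zone and the reverse (in-addr.arpa) zone, the usual failure is a key that was rotated in one zone and not the other. The following POSIX sh script is an added example, not part of this wiki page or of Openswan: it extracts the key from an OE TXT record string and checks that the forward and reverse records agree. It assumes the record shape that ipsec showhostkey --txt emits, X-IPsec-Server(10)=<gateway> <base64 key>; the record strings below are constructed samples and the key text is a made-up placeholder, not a real host key.

```sh
#!/bin/sh
# Added example (not from the wiki page): compare the OE host key published
# in the forward zone with the one in the reverse zone.
# Assumed record form (from ipsec showhostkey --txt):
#   X-IPsec-Server(10)=<gateway> <base64 key>

# Extract the base64 key field from a TXT record string as printed by
# `dig +short TXT <name>`. Prints nothing if the record is not in
# X-IPsec-Server form. dig splits long strings into several quoted pieces,
# so quotes are removed first and any whitespace inside the key is dropped.
oe_key_from_txt() {
    printf '%s\n' "$1" | tr -d '"' |
        sed -n 's/^[[:space:]]*X-IPsec-Server([0-9][0-9]*)=[^[:space:]][^[:space:]]*//p' |
        tr -d '[:space:]'
}

# Return 0 if forward record $1 and reverse record $2 carry the same
# non-empty key, else 1.
oe_records_agree() {
    fwd=$(oe_key_from_txt "$1")
    rev=$(oe_key_from_txt "$2")
    if [ -n "$fwd" ] && [ "$fwd" = "$rev" ]; then
        return 0
    fi
    return 1
}

# Constructed sample records (placeholder key, not a real host key).
FWD_TXT='"X-IPsec-Server(10)=@yesdear.fnord.greeley.co.us AQNzZXJ2ZXIta2V5LXBsYWNlaG9sZGVy"'
REV_TXT='"X-IPsec-Server(10)=@yesdear.fnord.greeley.co.us AQNzZXJ2ZXIta2V5LXBsYWNlaG9sZGVy"'
# Same key as above, but split into two quoted pieces the way dig prints it.
SPLIT_TXT='"X-IPsec-Server(10)=@yesdear.fnord.greeley.co.us AQNzZXJ2ZXIt" "a2V5LXBsYWNlaG9sZGVy"'
# A reverse record still carrying an older key (constructed).
STALE_TXT='"X-IPsec-Server(10)=@yesdear.fnord.greeley.co.us AQNvbGQta2V5LWZyb20tbGFzdC15ZWFy"'

if oe_records_agree "$FWD_TXT" "$REV_TXT"; then
    echo "forward and reverse zones agree"
fi
oe_records_agree "$FWD_TXT" "$STALE_TXT" || echo "reverse zone has a different key: update it"
```

On a real host, feed the two functions the output of dig +short TXT for the host name and for its in-addr.arpa name. Note that without DNSSEC a matching pair of records only tells you the zones are consistent with each other, not that the answer you received came from the zone owner.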

Turn on Opportunistic Encryption

Find the "oe=off" line in the "config setup" section of /etc/ipsec.conf and change it to read "oe=on". Then restart the IPsec daemons with /etc/init.d/ipsec restart.

Build the required kernel modules

(This should've been done before we tried to fire up pluto, the IKE daemon.)