IPSEC
Latest revision as of 23:52, 22 September 2012
Package Installation
apt-get install openswan openswan-doc
sysctl variables
This should be added to /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
Followed by:
sysctl -p /etc/sysctl.conf
Both directions matter. With accept_redirects left on, a host on the local segment can use an ICMP redirect to steer packets around the IPsec policy; with send_redirects left on, the kernel can itself emit redirects for traffic it is supposed to tunnel. Openswan's ipsec verify reports these four settings, so run it after sysctl -p to confirm the running kernel actually picked them up.
Key records in DNS for opportunistic encryption
Add the output of
ipsec showhostkey --txt @yesdear.fnord.greeley.co.us
to your DNS zones. The @hostname argument is the name embedded in the TXT record; substitute your own host. showhostkey prints the RSA host key already present in /etc/ipsec.secrets, so if it reports that there is none, generate one first with ipsec newhostkey. This would be better with DNSSEC turned on, but that isn't a requirement. Without DNSSEC, a malicious or spoofing DNS server could hand you a bogus host key and impersonate your communications partner: opportunistic encryption then still defeats passive eavesdropping, but not an active attacker who controls the DNS answer.
This procedure needs to be repeated for the reverse lookup zones as well. When Openswan initiates opportunistic encryption to an IP address, it looks the peer's key up in that address's in-addr.arpa record, so a host that only publishes a forward-zone record cannot be reached opportunistically.
Turn on Opportunistic Encryption
Find the "oe=off" line in the setup section of /etc/ipsec.conf. Change it to read "oe=on". Restart the IPSEC daemons: /etc/init.d/ipsec restart
After the restart, check the pluto log for OE-related errors: pluto will only use opportunistic encryption if the host key and the DNS records above are in place.
Build the required kernel modules
(This should have been done before we tried to fire up pluto, the IKE daemon.)
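The host-side steps above (the sysctl changes and the oe=on edit) as one script. This is an added example and is not part of the original page or of Openswan itself; it takes the files to edit as arguments so the changes can be tried on copies before touching /etc, and it assumes a stock Openswan /etc/ipsec.conf whose "config setup" section carries an oe=off line. Publishing the DNS TXT records remains a manual step.

```shell
#!/bin/sh
# Added example, not part of the original wiki page or of Openswan itself.
# Applies this page's host-side steps to files passed as arguments, so the
# edits can be tried on copies before touching /etc. Assumes a stock
# Openswan /etc/ipsec.conf whose "config setup" section carries "oe=off".

REDIRECT_KEYS="net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.send_redirects
net.ipv4.conf.default.send_redirects"

# Write key=0 for each redirect knob into a sysctl.conf-style file.
# Existing lines for a key are rewritten in place so the file never
# accumulates duplicates; missing keys are appended.
apply_redirect_sysctls() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    for key in $REDIRECT_KEYS; do
        if grep -q "^${key}[[:space:]]*=" "$conf"; then
            sed "s|^${key}[[:space:]]*=.*|${key}=0|" "$conf" > "$conf.tmp" \
                && mv "$conf.tmp" "$conf"
        else
            printf '%s=0\n' "$key" >> "$conf"
        fi
    done
}

# Flip oe=off to oe=on, but only inside the "config setup" section
# (from the "config setup" line up to the first "conn" block), so an
# oe= line in a conn section is left alone.
enable_oe() {
    conf="$1"
    sed '/^config setup/,/^conn /s/^\([[:space:]]*\)oe=off/\1oe=on/' "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when the running kernel has all four knobs at 0, 1 otherwise.
# Run this after `sysctl -p`; it reads the same /proc entries that
# `ipsec verify` reports on.
check_redirects_live() {
    rc=0
    for key in $REDIRECT_KEYS; do
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ] && [ "$(cat "$path")" != "0" ]; then
            echo "still enabled: $key" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use on the real files (as root):
#   apply_redirect_sysctls /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
#   check_redirects_live
#   enable_oe /etc/ipsec.conf && /etc/init.d/ipsec restart
```

apply_redirect_sysctls is safe to rerun: a second invocation rewrites the existing lines instead of appending a second copy, which is what you want when the same script is applied from configuration management.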