IPSEC

From FnordWiki
Revision as of 22:53, 22 September 2012 by Adj

Package Installation

apt-get install openswan openswan-doc

sysctl variables

This should be added to /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

Followed by:

sysctl -p /etc/sysctl.conf

Key records in DNS for opportunistic encryption

Add the output of

ipsec showhostkey --txt @yesdear.fnord.greeley.co.us

to your DNS zones. This would be better with DNSSEC turned on, but that isn't a requirement. (Without DNSSEC, a malicious DNS server could provide you with a bogus host key, and impersonate your communications partner.)

This procedure needs to be repeated for the reverse lookup zones as well.

Turn on Opportunistic Encryption

Find the "oe=off" line in the setup section of /etc/ipsec.conf and change it to read "oe=on". Then restart the IPSEC daemons with /etc/init.d/ipsec restart.
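As an added example (not part of the original wiki page), the following pre-flight script checks two things the steps above leave to the reader: that a sysctl.conf really carries all four redirect settings with value 0 (the last assignment in the file wins, as with sysctl -p), and which in-addr.arpa owner name the host-key TXT record needs in the reverse zone. The function names, the constructed sysctl.conf contents and the 192.0.2.10 address are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Openswan OE setup described above.

# check_redirect_sysctls FILE: succeed only if every required key is set to 0.
# Comments are stripped first; the last assignment of a key is the one that counts.
check_redirect_sysctls() {
    file=$1
    for key in net.ipv4.conf.all.accept_redirects \
               net.ipv4.conf.default.accept_redirects \
               net.ipv4.conf.all.send_redirects \
               net.ipv4.conf.default.send_redirects; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots for grep
        val=$(sed -e 's/#.*//' "$file" \
              | grep "^[[:space:]]*$pat[[:space:]]*=" | tail -n 1 \
              | sed -e 's/.*=[[:space:]]*//' -e 's/[[:space:]]*$//')
        if [ "$val" != "0" ]; then
            echo "missing or non-zero: $key (got '${val:-unset}')" >&2
            return 1
        fi
    done
    return 0
}

# reverse_owner IPV4: print the in-addr.arpa name for a dotted-quad address,
# i.e. the owner name for the host-key TXT record in the reverse zone.
reverse_owner() {
    echo "$1" | awk -F. 'NF==4 { printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Constructed sample sysctl.conf; the second copy drops the final line so that
# default.send_redirects is left at 1 and the check must fail.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# hardening for the IPsec gateway
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=1   # accidentally left on
net.ipv4.conf.default.send_redirects=0   # later line wins
EOF
sed '$d' "$good" > "$bad"

check_redirect_sysctls "$good" && echo "sysctl.conf: OK"
check_redirect_sysctls "$bad"  || echo "sysctl.conf: FIX NEEDED"
echo "reverse-zone owner for 192.0.2.10: $(reverse_owner 192.0.2.10)"
rm -f "$good" "$bad"
```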