I’ve had the misfortune of configuring IPsec on many FreeBSD machines and other devices in the past, and in all cases it’s been a pain. As a result I’ve been putting off securing connections between three machines that I knew needed IPsec.
Last night I figured I may as well start looking at what is involved in building a star topology between the three hosts, where comms between each node and every other node are encrypted. It turns out it could not possibly have been simpler.
This is well documented in the Red Hat docs (RHEL 3, RHEL 4, RHEL 5), but it’s worth repeating because it really is clean, simple and elegant.
Since these are point-to-point connections, it makes sense to treat each one as a new network interface, and that is the approach Red Hat took: you simply create /etc/sysconfig/network-scripts/ifcfg-ipsecX files, where X is any number you choose (ipsec0, ipsec1, and so on), one file per peer. For a full mesh between three hosts, each host therefore gets two such files. Red Hat’s host-to-host form uses IPsec transport mode, so there is no separate tunnel address to configure. This is a sample, where x.x.x.x is the address of the peer host:

DST=x.x.x.x
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
Do the same on the other host, with DST pointing back at this one. Now create the pre-shared key in /etc/sysconfig/network-scripts/keys-ipsecX, with file mode 600 so that only root can read it:

IKE_PSK=s3cret
This key has to be identical on both hosts, and in real use it should be far longer and more random than the sample above, since a guessable PSK is all an attacker needs to impersonate a peer. Run ifup ipsecX on each host and they should negotiate; check /var/log/messages for racoon’s diagnostics if they don’t.
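As an added example (not code from the original post or from Red Hat’s network scripts), here is a small POSIX shell helper that generates a random pre-shared key, writes the ifcfg-ipsecX and keys-ipsecX pair for one peer with the key file locked down to mode 600, and checks that an existing pair is consistent before you run ifup. It assumes only the file names and variables shown above (DST, TYPE, ONBOOT, IKE_METHOD, IKE_PSK); the NETDIR override, the function names and the 192.0.2.0/24 documentation addresses are this example’s own choices so it can be dry-run in a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original post or Red Hat's ifup-ipsec.
# Assumes the Red Hat layout: $NETDIR/ifcfg-ipsecX and $NETDIR/keys-ipsecX.
# NETDIR defaults to the real directory; override it to dry-run elsewhere.
set -eu

NETDIR="${NETDIR:-/etc/sysconfig/network-scripts}"

# gen_psk -> 32 random bytes as 64 hex characters from /dev/urandom.
# Copy the printed key to the peer over a channel you already trust (ssh).
gen_psk() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# write_peer INDEX DST PSK
# Writes ifcfg-ipsecINDEX (public settings) and keys-ipsecINDEX (the PSK).
write_peer() {
    idx=$1; dst=$2; psk=$3
    cfg="$NETDIR/ifcfg-ipsec$idx"
    key="$NETDIR/keys-ipsec$idx"
    printf 'DST=%s\nTYPE=IPSEC\nONBOOT=yes\nIKE_METHOD=PSK\n' "$dst" > "$cfg"
    # Create the key file with a restrictive umask so it is never, even
    # briefly, readable by anyone but root; chmod 600 covers existing files.
    ( umask 077; printf 'IKE_PSK=%s\n' "$psk" > "$key" )
    chmod 600 "$key"
}

# check_peer INDEX -> exit 0 if the pair looks usable, 1 with a reason if not.
check_peer() {
    idx=$1
    cfg="$NETDIR/ifcfg-ipsec$idx"
    key="$NETDIR/keys-ipsec$idx"
    [ -f "$cfg" ] && [ -f "$key" ] \
        || { echo "ipsec$idx: ifcfg or keys file missing" >&2; return 1; }
    # find -perm 600 prints the path only when the mode is exactly 0600.
    [ -n "$(find "$key" -perm 600)" ] \
        || { echo "$key: mode is not 600" >&2; return 1; }
    grep -q '^TYPE=IPSEC$' "$cfg" \
        || { echo "$cfg: TYPE is not IPSEC" >&2; return 1; }
    grep -q '^IKE_METHOD=PSK$' "$cfg" \
        || { echo "$cfg: IKE_METHOD is not PSK" >&2; return 1; }
    grep -q '^DST=.' "$cfg" \
        || { echo "$cfg: DST is missing" >&2; return 1; }
    grep -q '^IKE_PSK=.' "$key" \
        || { echo "$key: IKE_PSK is missing" >&2; return 1; }
}

# psk_of INDEX -> prints the configured PSK, for comparing against the peer.
psk_of() {
    sed -n 's/^IKE_PSK=//p' "$NETDIR/keys-ipsec$1"
}

# Usage on one host (run as root), peer at 192.0.2.20 via interface ipsec0:
#   PSK=$(gen_psk); write_peer 0 192.0.2.20 "$PSK"; check_peer 0 && ifup ipsec0
# then install the same $PSK on the peer with DST set back to this host.
```

The check is deliberately strict about the key file mode: ifup will happily read a world-readable keys-ipsecX, so the mistake shows up as a silently weakened deployment rather than an error.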
It is that easy. You can use tcpdump to verify that it is working: a capture on the interface facing the peer (for example tcpdump -n -i eth0 host x.x.x.x) should show ESP packets rather than the cleartext TCP or UDP traffic you had before.
Under the covers the Red Hat scripts still use racoon and the standard ipsec-tools utilities: ifup writes racoon’s configuration under /etc/racoon and installs the policies with setkey, so setkey -D (the current security associations) and setkey -DP (the policies) are the first places to look when diagnosing problems.
This is a simple point-to-point VPN; the Red Hat docs also show how to do network-to-network tunnels on a gateway device, and that is just as simple.