Network Security Hacks [Electronic resources] - text version


Andrew Lockhart

Hack 71 Opportunistic Encryption with FreeS/WAN

Use FreeS/WAN and DNS TXT records to automatically create encrypted connections between machines.


One particularly cool feature of FreeS/WAN [Hack #67] is opportunistic encryption with other hosts running FreeS/WAN. This allows FreeS/WAN to transparently encrypt traffic between all hosts that also support opportunistic encryption. To do this, each host must have a public key generated for use with FreeS/WAN. This key can then be stored in a DNS TXT record for that host. When a host that is set up for opportunistic encryption wishes to initiate an encrypted connection with another host, it looks up that host's public key through DNS and uses it to initiate the connection.


To begin, you'll need to generate a key for each host that you want to use this feature with. You can do that by running this command:


# ipsec newhostkey --output /tmp/`hostname`.key


Now you'll need to add the contents of the file that was created by that command to /etc/ipsec.secrets:


# cat /tmp/`hostname`.key >> /etc/ipsec.secrets


Next, you'll need to generate a TXT record to put into your DNS zone. You can do this by running a command similar to this one:


# ipsec showhostkey --txt @colossus.nnc
; RSA 2192 bits colossus Mon Jan 12 03:02:07 2004
IN TXT "X-IPsec-Server(10)=@colossus.nnc" "
AQOR7rM7ZMBXu2ej/1vtzhNnMayZO1jwVHUyAIubTKpd/
PyTMogJBAdbb3I0xzGLaxadPGfiqPN2AQn76zLIsYFMJnoMbBTDY/2xK1X/
pWFRUUIHzJUqCBIijVWEMLNrIhdZbei1s5/
MgYIPaX20UL+yAdxV4RUU3JJQhV7adVzQqEmdaNUnCjZOvZG6m4zv6dGROrVEZmJFP54v6WhckYf
qSkQu3zkctfFgzJ/rMTB6Y38yObyBg2HuWZMtWI"
"8VrTQqi7IGGHK+mWk+wSoXer3iFD7JxRTzPOxLk6ihAJMibtKna3j7QP9ZHG0nm7NZ/
L5M9VpK+Rfe+evUUMUTfAtSdlpus2BIeXGWcPfz6rw305H9"


Now add this record to your zone and reload it. You can verify that DNS is working correctly by running this command:


# ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
DNS checks.
Looking for TXT in forward map: colossus [OK]
Does the machine have at least one non-private address [OK]


Now just restart FreeS/WAN by running a command similar to this:


# /etc/init.d/ipsec restart


You should now be able to connect to any other host that supports opportunistic encryption. But what if other hosts want to connect to you? To allow this, you'll need to create a TXT record for your machine in your reverse DNS zone.


You can generate the record by running a command similar to this:


# ipsec showhostkey --txt 192.168.0.64
; RSA 2192 bits colossus Tue Jan 13 03:02:07 2004
IN TXT "X-IPsec-Server(10)=192.168.0.64" "
AQOR7rM7ZMBXu2ej/1vtzhNnMayZO1jwVHUyAIubTKpd/
PyTMogJBAdbb3I0xzGLaxadPGfiqPN2AQn76zLIsYFMJnoMbBTDY/2xK1X/
pWFRUUIHzJUqCBIijVWEMLNrIhdZbei1s5/
MgYIPaX20UL+yAdxV4RUU3JJQhV7adVzQqEmdaNUnCjZOvZG6m4zv6dGROrVEZmJFP54v6WhckYf
qSkQu3zkctfFgzJ/rMTB6Y38yObyBg2HuWZMtWI"
"8VrTQqi7IGGHK+mWk+wSoXer3iFD7JxRTzPOxLk6ihAJMibtKna3j7QP9ZHG0nm7NZ/
L5M9VpK+Rfe+evUUMUTfAtSdlpus2BIeXGWcPfz6rw305H9"


Add this record to the reverse zone for your subnet, and other machines will be able to initiate opportunistic encryption with your machine. With opportunistic encryption in use, all traffic between the hosts will be automatically encrypted, protecting all services simultaneously. Pretty neat, huh?
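As an added check for the forward and reverse records above (example code, not from the book or from FreeS/WAN itself): a Python parser that validates a showhostkey TXT record before it goes into a zone, decoding the key to confirm the modulus size matches the header comment, plus a helper that gives the reverse-zone owner name for the IP-based record. The sample record and key are constructed, not the page's; that the key is in RFC 3110 format and that the reverse record lives under in-addr.arpa are assumptions based on FreeS/WAN's conventions.

```python
import base64
import re

def encode_rfc3110_rsa(exponent: int, modulus: int) -> str:
    """Base64 of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    head = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return base64.b64encode(head + e + n).decode()

def decode_rfc3110_rsa(b64: str):
    """Return (exponent, modulus bit length) from a base64 RFC 3110 RSA key."""
    raw = base64.b64decode(b64)
    if raw[0]:
        exp_len, off = raw[0], 1
    else:
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[off:off + exp_len], "big")
    return exponent, int.from_bytes(raw[off + exp_len:], "big").bit_length()

def parse_showhostkey(output: str) -> dict:
    """Check an 'ipsec showhostkey --txt' record (format only; this does not
    authenticate anything served by DNS) and return its fields."""
    bits = int(re.search(r"^; RSA (\d+) bits", output, re.M).group(1))
    # TXT rdata is the concatenation of the quoted <character-string>s.
    rdata = "".join(re.findall(r'"([^"]*)"', output.split("IN TXT", 1)[1]))
    directive, key = rdata.split(None, 1)  # "X-IPsec-Server(10)=gw", then key
    m = re.fullmatch(r"X-IPsec-Server\((\d+)\)=(\S+)", directive)
    if not m:
        raise ValueError("missing X-IPsec-Server directive")
    exponent, modulus_bits = decode_rfc3110_rsa(re.sub(r"\s", "", key))
    if modulus_bits != bits:
        raise ValueError(f"key is {modulus_bits} bits, header says {bits}")
    return {"precedence": int(m.group(1)), "gateway": m.group(2),
            "exponent": exponent, "bits": modulus_bits}

def reverse_map_name(ipv4: str) -> str:
    """Owner name for the reverse-zone TXT record of an IPv4 address (assumed)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

# Constructed sample (not the page's key): a 2192-bit modulus with e=3,
# wrapped over two quoted strings the way showhostkey prints it.
SAMPLE_KEY = encode_rfc3110_rsa(3, (1 << 2191) + 12345)
SAMPLE_RECORD = (
    "; RSA 2192 bits colossus Mon Jan 12 03:02:07 2004\n"
    'IN TXT "X-IPsec-Server(10)=@colossus.nnc" " ' + SAMPLE_KEY[:120] + '"\n'
    '"' + SAMPLE_KEY[120:] + '"\n'
)
```

Running parse_showhostkey(SAMPLE_RECORD) returns the precedence, gateway, exponent and key size, and reverse_map_name("192.168.0.64") gives the name under which the reverse-zone record is published.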


