Thursday, November 24, 2011

Securing peer connections using IPSec


If some application or transport protocol doesn't specify a way to encrypt it's contents, it might be still enough to encrypt a lower layer.

IPSec is a way to encrypt IP packets (actually it is an alternative to IP).

The script after the break can be used to secure a connection - like an RTSP stream - between two peers using a pre shared key (psk).
I updated the script to fix the permissions of psk.txt and a comment on how to remove the SPDs afterwards.
There we go:

# Use IPs - if names are used the psk.txt generation needs to be fixed.

echo "Securing connection from $LOCAL to $REMOTE."
echo "Ensure to run this script on the remote side too."
echo "Present SAD and SPD entries will be flushed."

# Flush
/sbin/setkey -FP

# Add new entries
/sbin/setkey -c <<EOF
spdadd -4 $LOCAL $REMOTE any -P out ipsec esp/transport//require;
spdadd -4 $REMOTE $LOCAL any -P in ipsec esp/transport//require;

# Open ports
for POR in 500 4500; do
for PRO in tcp udp; do
  iptables -I INPUT -p $PRO --dport $POR -j ACCEPT
  iptables -I INPUT -p $PRO --dport $POR -j ACCEPT
done; done

# Create psk.txt
echo "$REMOTE $PSK" > psk.txt 

# Create racoon.conf
cat <<EOF > racoon.conf
log info;
path pre_shared_key "psk.txt";
remote anonymous
  exchange_mode main;
  lifetime time 2 min;   # sec,min,hour
  proposal_check obey;  # obey, strict or claim
  proposal {
          encryption_algorithm aes;
          hash_algorithm sha256;
          authentication_method pre_shared_key;
          dh_group 2;
sainfo anonymous
  lifetime time 10 min;
  encryption_algorithm aes, 3des, blowfish 448, rijndael ;
  authentication_algorithm hmac_sha512, hmac_sha1, hmac_md5 ;
  compression_algorithm deflate ;

  randomize on;
  randomize_length on;

# Fix mode
chmod u=rw,go= psk.txt

# Run racoon
racoon -F -v -f racoon.conf

# Use setkey -FP to clean up the SPDs afterwards

No comments:

Post a Comment