NOTE: This is a static archive of an old blog, no interactions like search or categories are current.

I’ve previously blogged about IPSec on RedHat and mentioned how great the ifcfg scripts are to get IPSec VPNs going.

In that post I used a pre-shared key to start the VPNs. That was fine then, but now I need something a bit better. IPSec supports standard PKI certificates, and the RedHat scripts support those too. Their use isn’t well documented though, so here is what I found through investigation.

First you’ll need a CA. The CA signs your certificates, and every node needs one whose Common Name matches that node. You also need the CRL and the CA certificate on all the machines. How you go about making a CA is a bit out of scope for this post; there are many options out there, like TinyCA.

The complexity comes in how to install these certificates into the Racoon directory, since it depends on very specific file names.

Given the RedHat interface config script below, which can be saved as /etc/sysconfig/network-scripts/ifcfg-ipsec.remote.host.net:

DST=1.2.3.4
TYPE=IPSEC
ONBOOT=yes
IKE_CERTFILE=/etc/racoon/certs/host.cert

You need to have the following files installed:

  • /etc/racoon/certs/host.cert.private – The private key part of your certificate – without a passphrase so it needs secure permissions
  • /etc/racoon/certs/host.cert.public – The public part of the host certificate
  • /etc/racoon/certs/a63b58d3.0 – The Certificate Authority certificate – more on the name below
  • /etc/racoon/certs/a63b58d3.r0 – The CRL from the CA – more on the name below

The first two are simple: you can replace host.cert with anything as long as it matches what is in the interface config script. The .private and .public suffixes should not be changed.

The last two are a bit more tricky. You’ll get the CA certificate and the CRL from your CA; you then need to calculate the hash of the CA certificate:

# openssl x509 -hash -noout -in ca.pem
a63b58d3

Use the hash you obtained and name both your CA certificate and the CRL accordingly.

When the VPN gets brought up it validates the certificates on both ends against the CA and the CRL. So you can easily invalidate a connection by adding its certificate to the CRL, and you know only certificates signed by your own CA can connect to the IPSec server.

Just like certificates, the CRL has a validity period. You should monitor this, since if your CRL is no longer valid no VPNs will be established. I have published a Nagios check that I use to monitor both CRLs and certificates here.
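As an added example (not code from the original post), the shell script below automates the installation steps above and the CRL expiry check from the previous paragraph. It computes the subject hash with the same openssl x509 -hash call, copies the four files into place under the expected names with root-only permissions on the private key, refuses a CRL that was not signed by the CA, and reports the days left on the CRL with Nagios-style exit codes. It assumes the openssl command line tool, GNU date and coreutils install; the make_demo_pki function builds a throwaway CA, host certificate and empty CRL purely so the script can be exercised without a real CA. One caveat the post does not mention: run the hash command with the same OpenSSL build that racoon links against, because the subject-hash algorithm changed in OpenSSL 1.0.0 (the older form is now only available as -subject_hash_old) and a mismatched name means racoon never finds the CA file.

```shell
#!/bin/sh
# Added example, not from the original post: install a CA certificate, its
# CRL and a host key pair under the racoon certificate directory using the
# file names the RedHat ifcfg scripts and racoon expect, and report how many
# days the CRL has left. Assumes the openssl CLI, GNU date and coreutils.
set -eu

# Directory racoon reads. Override it when testing so /etc is never touched.
RACOON_CERTDIR="${RACOON_CERTDIR:-/etc/racoon/certs}"

# Subject hash used by OpenSSL's hash-directory lookup (the post's
# "openssl x509 -hash -noout -in ca.pem"). Run it with the OpenSSL build
# that racoon links against: the algorithm changed in OpenSSL 1.0.0 and the
# old form is now only available as -subject_hash_old.
ca_hash() {
    openssl x509 -hash -noout -in "$1"
}

# install_racoon_certs NAME HOST_KEY HOST_CERT CA_CERT CRL
# NAME is the basename given in IKE_CERTFILE (host.cert in the post).
# Prints the CA hash so the caller can see which files were created.
install_racoon_certs() {
    name=$1; key=$2; cert=$3; ca=$4; crl=$5
    cahash=$(ca_hash "$ca")

    # Refuse a CRL this CA did not sign: an unverifiable CRL means no VPN
    # comes up, so catch it at install time rather than in racoon's logs.
    openssl crl -noout -in "$crl" -CAfile "$ca" 2>&1 | grep -q 'verify OK' || {
        echo "CRL $crl is not signed by $ca" >&2
        return 1
    }

    mkdir -p "$RACOON_CERTDIR"
    # The key carries no passphrase, so nobody but root may read it.
    install -m 0600 "$key"  "$RACOON_CERTDIR/$name.private"
    install -m 0644 "$cert" "$RACOON_CERTDIR/$name.public"
    install -m 0644 "$ca"   "$RACOON_CERTDIR/$cahash.0"
    install -m 0644 "$crl"  "$RACOON_CERTDIR/$cahash.r0"
    echo "$cahash"
}

# Days until the CRL's nextUpdate (negative once expired). GNU date assumed.
crl_days_left() {
    next=$(openssl crl -noout -nextupdate -in "$1" | sed 's/^nextUpdate=//')
    now=$(date +%s)
    end=$(date -d "$next" +%s)
    echo $(( (end - now) / 86400 ))
}

# Nagios-style verdict: exit 0 OK, 1 WARNING, 2 CRITICAL. Warning threshold
# in days is the optional second argument (default 7).
check_crl() {
    days=$(crl_days_left "$1")
    if [ "$days" -lt 0 ]; then
        echo "CRITICAL: CRL $1 expired $(( -days )) days ago"; return 2
    elif [ "$days" -lt "${2:-7}" ]; then
        echo "WARNING: CRL $1 expires in $days days"; return 1
    fi
    echo "OK: CRL $1 valid for $days more days"
}

# Constructed throwaway PKI for demonstration only: a CA, a host certificate
# signed by it and an empty CRL, written to directory $1 (CA name in $2).
make_demo_pki() {
    dir=$1; cacn=${2:-Demo IPsec CA}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cacn" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=host.example.net" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/host.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/host.crt" 2>/dev/null
    # Minimal openssl-ca config; an empty index means nothing is revoked yet.
    : > "$dir/index.txt"
    printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = %s/index.txt\ndefault_md = sha256\n' \
        "$dir" > "$dir/ca.cnf"
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 30 -md sha256 \
        -keyfile "$dir/ca.key" -cert "$dir/ca.pem" -out "$dir/crl.pem" 2>/dev/null
}

# Usage: RACOON_CERTDIR=/tmp/racoon-demo sh install-racoon-certs.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_demo_pki "$work/pki"
    install_racoon_certs host.cert "$work/pki/host.key" "$work/pki/host.crt" \
        "$work/pki/ca.pem" "$work/pki/crl.pem"
    ls -l "$RACOON_CERTDIR"
    check_crl "$work/pki/crl.pem"
fi
```

For real use, point RACOON_CERTDIR at /etc/racoon/certs (the default) and pass the key, certificate, CA certificate and CRL you got from your own CA instead of the demo PKI; the CRL expiry function is what you would wrap in a Nagios check so the VPNs do not silently stop coming up.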

You still need to be pretty careful about who has access to your certificates, since the simple scripts give you no way to limit which Common Names can connect to the server. You should also still firewall your ISAKMP port (udp/500) to allow only your trusted networks to communicate with the server.