IPsec

Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.

IPsec is an end-to-end security solution and operates at the Internet Layer of the Internet Protocol Suite, comparable to Layer 3 in the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate in the upper layers of these models. This makes IPsec more flexible: it can protect all higher-level protocols without the applications having to be designed for it, whereas the use of TLS/SSL or other higher-layer protocols must be incorporated into the design of an application.

Enabling IPsec support in the kernel

You must enable IPsec support in the kernel.

Start a kernel configuration tool, e.g.:

make -C packages/os/linux-2.6 menuconfig

Enable one or more of the available IPsec modes:

Networking  --->
  Networking options  --->
    [*] TCP/IP networking
      < >   IP: IPsec transport mode
      < >   IP: IPsec tunnel mode
      < >   IP: IPsec BEET mode

HW accelerated encryption and decryption

ETRAX FS has a built-in crypto accelerator that can be utilized in IPsec. To enable the necessary driver you must make sure the old crypto accelerator driver is disabled:

Drivers for built-in interfaces --->
  [ ] Stream co-processor driver enabled

Enable the new crypto accelerator driver:

Cryptographic API --->
  Hardware crypto devices --->
    [*] Support for ETRAX hardware crypto acceleration

Exit and save the new kernel configuration.

Including the OpenSwan user space tools

You also need to include the OpenSwan user space tools1).

make menuconfig
Network Configuration  --->
  Network Protocol Configuration  --->
    [*] Enable IPSEC support using OpenSwan
    [ ]   Build the OpenSwan IPSEC stack (KLIPS) as a module
    [*]   Enable the OpenSwan user space tools

Exit and save the new build system configuration. Run ./configure to download and install the OpenSwan source:

./configure

Run make to build a new firmware with IPsec support.

Set up an IPsec connection

Create a configuration file named ipsec.conf and place it in /etc on both sides. The file should look something like:

# /etc/ipsec.conf - Openswan IPsec configuration file
 
version 2.0 # conforms to second version of ipsec.conf specification
 
# basic configuration
config setup
 # Do not set debug= options to debug configuration issues!
 # plutodebug / klipsdebug = "all", "none" or a combination from below:
 # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
 # eg:
 # plutodebug="control parsing"
 #
 # Only enable *debug=all if you are a developer
 #
 # NAT-TRAVERSAL support, see README.NAT-Traversal
 nat_traversal=yes
 # exclude networks used on server side by adding %v4:!a.b.c.0/24
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
 # OE is now off by default. Uncomment and change to on, to enable.
 OE=off
 # which IPsec stack to use. netkey,klips,mast,auto or none
 protostack=netkey
 
 
# Add connections here
 
conn axis_linux
 left=192.168.11.11
 right=192.168.11.22
 auto=add
 authby=secret
 pfs=no

The /etc directory (on both sides) must also contain the file ipsec.secrets2):

192.168.11.11 192.168.11.22 : PSK "your secret key here"
 
: RSA {
 # Used if you say : authby=rsasig
 }
# do not change the indenting of that "}"

It is also recommended to configure the proc.sys.net.ipv4… settings; that can be done e.g. by adding these lines to /etc/init.d/rc:

 # forward packets between the protected networks (needed when the box acts as a gateway)
 echo "1" > /proc/sys/net/ipv4/ip_forward
 # reverse path filtering and ICMP redirects interfere with IPsec routing
 echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter
 echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
 echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
 echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
 echo "0" > /proc/sys/net/ipv4/conf/default/log_martians
 # do not accept source-routed packets or redirects from the network
 echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
 echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
 echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects

To connect, change auto=add to auto=start on one side, or type

ipsec auto --up axis_linux

at the command line.
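As an added example, not part of the original page or of Openswan, here is a small Python audit of the two files described above: it parses the conn sections of ipsec.conf and the PSK lines of ipsec.secrets, checks that every authby=secret connection has a pre-shared key for its left/right pair (in either order), and flags the placeholder or short keys and pfs=no. The embedded file contents are constructed from the listings on this page; the 20-character minimum is an assumed policy value.

```python
import re
# Constructed sample files, modelled on the listings above (the PSK is the page's placeholder on purpose)
IPSEC_CONF = """\
version 2.0
config setup
conn axis_linux
 left=192.168.11.11
 right=192.168.11.22
 auto=add
 authby=secret
 pfs=no
"""
IPSEC_SECRETS = '192.168.11.11 192.168.11.22 : PSK "your secret key here"\n: RSA {\n }\n'
PSK_LINE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')  # left right : PSK "secret"

def parse_conf(text):  # -> {section: {key: value}}, "config setup" under the name "setup"
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: "config setup", "conn NAME" or a keyword like version
            parts = line.split()
            current = parts[1] if len(parts) == 2 and parts[0] in ("config", "conn") else None
        elif current is not None and "=" in line:  # indented key=value of the current section
            key, value = line.strip().split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def parse_psks(text):  # -> {frozenset({left, right}): psk}, order of the two addresses ignored
    psks = {}
    for line in text.splitlines():
        m = PSK_LINE.match(line.strip())
        if m:
            psks[frozenset(m.group(1, 2))] = m.group(3)
    return psks

def audit(conf_text, secrets_text, min_psk_len=20):  # -> list of findings, [] if nothing to report
    findings, psks = [], parse_psks(secrets_text)
    for name, kv in parse_conf(conf_text).items():
        if name == "setup" or kv.get("authby") != "secret":
            continue
        psk = psks.get(frozenset((kv.get("left"), kv.get("right"))))
        if psk is None:
            findings.append(f"{name}: no PSK for {kv.get('left')} {kv.get('right')} in ipsec.secrets")
        elif psk == "your secret key here" or len(psk) < min_psk_len:
            findings.append(f"{name}: placeholder or short PSK ({len(psk)} chars)")
        if kv.get("pfs", "yes") == "no":
            findings.append(f"{name}: pfs=no, IPsec SA keys are not refreshed by a new DH exchange")
    return findings
```

Run audit() against the real /etc/ipsec.conf and /etc/ipsec.secrets on each side before bringing the connection up; it reports nothing once a proper PSK is in place and pfs is left at its default.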

1) Don't enable the OpenSwan IPsec stack (KLIPS)
2) It's usually created the first time you boot the IPsec-enabled firmware on ETRAX FS
 
axis/ipsec.txt · Last modified: 2009/02/03 15:54 by jesper
 
All text is available under the terms of the GNU Free Documentation License (see Copyrights for details).