Hack 71 Opportunistic Encryption with FreeSWAN

Hack 71 Opportunistic Encryption with FreeS/WAN

Use FreeS/WAN and DNS TXT records to automatically create encrypted connections between machines.

One particularly cool feature supported by FreeS/WAN [Hack #67] is opportunistic encryption with other hosts running FreeS/WAN. This allows FreeS/WAN to transparently encrypt traffic between all hosts that also support opportunistic encryption. To do this, each host must have a public key generated to use with FreeS/WAN. This key can then be stored in a DNS TXT record for that host. When a host that is set up for opportunistic encryption wishes to initiate an encrypted connection with another host, it will look up the host's public key through DNS and use it to initiate the connection.

To begin, you'll need to generate a key for each host that you want to use this feature with. You can do that by running this command:

# ipsec newhostkey --output /tmp/`hostname`.key

Now you'll need to add the contents of the file that was created by that command to /etc/ipsec.secrets:

# cat /tmp/`hostname`.key >> /etc/ipsec.secrets

Next, you'll need to generate a TXT record to put into your DNS zone. You can do this by running a command similar to this one:

# ipsec showhostkey --txt @colossus.nnc ; RSA 2192 bits   colossus   Mon Jan 12 03:02:07 2004         IN      TXT     "X-IPsec-Server(10)=@colossus.nnc" "  AQOR7rM7ZMBXu2ej/1vtzhNnMayZO1jwVHUyAIubTKpd/ PyTMogJBAdbb3I0xzGLaxadPGfiqPN2AQn76zLIsYFMJnoMbBTDY/2xK1X/ pWFRUUIHzJUqCBIijVWEMLNrIhdZbei1s5/ MgYIPaX20UL+yAdxV4RUU3JJQhV7adVzQqEmdaNUnCjZOvZG6m4zv6dGROrVEZmJFP54v6WhckYf qSkQu3zkctfFgzJ/rMTB6Y38yObyBg2HuWZMtWI"  "8VrTQqi7IGGHK+mWk+wSoXer3iFD7JxRTzPOxLk6ihAJMibtKna3j7QP9ZHG0nm7NZ/ L5M9VpK+Rfe+evUUMUTfAtSdlpus2BIeXGWcPfz6rw305H9"

Now add this record to your zone and reload it. You can verify that DNS is working correctly by running this command:

# ipsec verify Checking your system to see if IPsec got installed and started correctly Version check and ipsec on-path                             [OK] Checking for KLIPS support in kernel                        [OK] Checking for RSA private key (/etc/ipsec.secrets)           [OK] Checking that pluto is running                              [OK] DNS checks.  Looking for TXT in forward map: colossus                    [OK] Does the machine have at least one non-private address      [OK]

Now just restart FreeS/WAN by running a command similar to this:

# /etc/init.d/ipsec restart

You should now be able to connect to any other host that supports opportunistic encryption. But what if other hosts want to connect to you? To allow this, you'll need to create a TXT record for your machine in your reverse DNS zone.

You can generate the record by running a command similar to this:

# ipsec showhostkey --txt 192.168.0.64 ; RSA 2192 bits   colossus   Tue Jan 13 03:02:07 2004         IN      TXT     "X-IPsec-Server(10)=192.168.0.64" "  AQOR7rM7ZMBXu2ej/1vtzhNnMayZO1jwVHUyAIubTKpd/ PyTMogJBAdbb3I0xzGLaxadPGfiqPN2AQn76zLIsYFMJnoMbBTDY/2xK1X/ pWFRUUIHzJUqCBIijVWEMLNrIhdZbei1s5/ MgYIPaX20UL+yAdxV4RUU3JJQhV7adVzQqEmdaNUnCjZOvZG6m4zv6dGROrVEZmJFP54v6WhckYf qSkQu3zkctfFgzJ/rMTB6Y38yObyBg2HuWZMtWI"  "8VrTQqi7IGGHK+mWk+wSoXer3iFD7JxRTzPOxLk6ihAJMibtKna3j7QP9ZHG0nm7NZ/ L5M9VpK+Rfe+evUUMUTfAtSdlpus2BIeXGWcPfz6rw305H9"

Add this record to the reverse zone for your subnet, and other machines will be able to initiate opportunistic encryption with your machine. With opportunistic encryption in use, all traffic between the hosts will be automatically encrypted, protecting all services simultaneously. Pretty neat, huh?