Encrypting network traffic using IPsec

Abstract

Whenever we send any data over a network of any kind, private or public, wired or wireless, that data is vulnerable to both interception and modification unless steps are taken to ensure the security and authenticity of said data. This document examines how we can use the Internet Protocol Security Extensions, or IPsec as it is more commonly known, to provide end-to-end encryption services providing security against interception, modification and replay.

In addition to documentation on how to use the setkey application and racoon daemon to provide security between peers on a Local Area Network (LAN) using IPsec in transport mode we shall also examine how to use IPsec in tunnel mode to create a Virtual Private Network (VPN) to transparently connect two networks together over the Internet.

Contents

• Preparing the ground
  • Introduction to IPsec
    • What is IPsec?
    • IPsec on Linux
  • Installing the IPsec software
    • Kernel configuration
    • Kernel configuration (IPv6 only)
    • IPsec tools
    • VPN tools
• Basic IPsec use
  • Managing the Security Policy Database using setkey
    • Querying the IPsec SPD
    • Declaring Security Policies
    • Example Security Policies
  • Managing the Security Association Database using setkey
    • Querying the IPsec SAD
    • Declaring Security Associations
    • Example Security Associations
• Intermediate IPsec use
  • Configuring the Racoon IKE/ISAKMP daemon
    • IKE/ISAKMP basics
    • Phase 1 parameters
    • Phase 2 parameters
    • Additional configuration options
    • Example racoon configuration
  • Using the Racoon IKE/ISAKMP daemon
    • Basic configuration
    • Establishing an ISAKMP SA
    • Establishing an IPsec SA
    • Limitations of Pre-Shared Keys
• Example IPsec configurations
  • Building a tunnelled VPN using ESP (static IPs, no NAT)
    • Populating the Security Policy Database (SPD)
    • Routing configuration
    • Firewall configuration
    • Configuring racoon
    • Testing the VPN
  • Building a tunnelled VPN using ESP (static IPs, through NAT)
    • NAT configuration
    • Populating the Security Policy Database (SPD)
    • Routing configuration
    • Firewall configuration
    • Configuring racoon
    • Testing the VPN
  • Building a tunnelled VPN using ESP (one dynamic IP)
    • NAT configuration
    • Populating the Security Policy Database (SPD)
    • Routing configuration
    • Firewall configuration
    • Configuring the racoon daemons
    • Testing the VPN