Opportunistic Encryption with FreeS/WAN
Use FreeS/WAN and DNS TXT records to automatically create encrypted connections between machines.
One particularly cool feature supported by FreeS/WAN [Hack #67] is opportunistic encryption with other hosts running FreeS/WAN. This allows FreeS/WAN to transparently encrypt traffic between all hosts that also support opportunistic encryption. To do this, each host must have a public key generated to use with FreeS/WAN. This key can then be stored in a DNS TXT record for that host. When a host that is set up for opportunistic encryption wishes to initiate an encrypted connection with another host, it will look up the host's public key through DNS and use it to initiate the connection.
To begin, you’ll need to generate a key for each host that you want to use this feature with. You can do that by running this command:
# ipsec newhostkey --output /tmp/`hostname`.key
Now you'll need to add the contents of the file that was created by that command to /etc/ipsec.secrets:
# cat /tmp/`hostname`.key >> /etc/ipsec.secrets
Next, you’ll need to generate a TXT record to put into your DNS zone. You can do this by running a command similar to this one:
# ipsec showhostkey --txt @colossus.nnc
; RSA 2192 bits colossus Mon Jan 12 03:02:07 2004 IN TXT "X-IPsec-Server(10)=@colossus.nnc" " AQOR7rM7ZMBXu2ej/1vtzhNnMayZO1jwVHUyAIubTKpd/ PyTMogJBAdbb3I0xzGLaxadPGfiqPN2AQn76zLIsYFMJnoMbBTDY/2xK1X/ pWFRUUIHzJUqCBIijVWEMLNrIhdZbei1s5/ MgYIPaX20UL+yAdxV4RUU3JJQhV7adVzQqEmdaNUnCjZOvZG6m4zv6dGROrVEZmJFP54v6WhckYf ...
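As an added example (not from the book or from FreeS/WAN itself), the Python below checks that a TXT record has the shape of the showhostkey output above before other hosts are left to depend on it: it parses the X-IPsec-Server precedence and gateway, strips the whitespace that wrapping introduces, and decodes the base64 key in RFC 2537 layout (exponent length, exponent, modulus) to report the exponent and modulus size. The gateway name gw.example.test and the modulus are constructed placeholders, not a real key.

```python
import base64
import re

# Shape of the record shown above: a quoted "X-IPsec-Server(<precedence>)=@<gateway>"
# string followed by the host's RSA public key in RFC 2537 base64 form.
RECORD_RE = re.compile(r"X-IPsec-Server\((\d+)\)=@([A-Za-z0-9.\-]+)\s*")

def encode_rfc2537_rsa(e, n):
    """RFC 2537 layout: exponent length (1 byte, or 0x00 + 2 bytes), exponent, modulus."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e_bytes)]) if len(e_bytes) < 256 else b"\x00" + len(e_bytes).to_bytes(2, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hdr + e_bytes + n_bytes

def decode_rfc2537_rsa(blob):
    """Inverse of encode_rfc2537_rsa; returns (exponent, modulus)."""
    if blob[0] == 0:
        e_len, off = int.from_bytes(blob[1:3], "big"), 3
    else:
        e_len, off = blob[0], 1
    e = int.from_bytes(blob[off:off + e_len], "big")
    n = int.from_bytes(blob[off + e_len:], "big")
    return e, n

def parse_ipsec_txt(strings):
    """Parse the character-strings of one TXT record (DNS concatenates them)."""
    joined = "".join(strings)
    m = RECORD_RE.match(joined)
    if not m:
        raise ValueError("not an X-IPsec-Server TXT record")
    # showhostkey wraps the key across strings and lines; whitespace is not part of base64
    key_b64 = "".join(joined[m.end():].split())
    e, n = decode_rfc2537_rsa(base64.b64decode(key_b64, validate=True))
    return {"precedence": int(m.group(1)), "gateway": m.group(2), "e": e, "bits": n.bit_length()}

def check_sample():
    """Build a constructed record (placeholder modulus, not a real key) and parse it back."""
    n = (1 << 2191) | 0x10001  # 2192-bit placeholder, matching the 'RSA 2192 bits' above
    # exponent 3 with a 1-byte length gives the leading "AQO" seen in the page's key
    b64 = base64.b64encode(encode_rfc2537_rsa(3, n)).decode()
    strings = ["X-IPsec-Server(10)=@gw.example.test", " " + b64[:60], b64[60:]]
    return parse_ipsec_txt(strings)

if __name__ == "__main__":
    print(check_sample())
```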