Use Openswan and DNS TXT records to automatically create encrypted connections between machines.
One
particularly cool feature supported by Openswan [Hack #92] is opportunistic encryption with other hosts running Openswan. This allows Openswan to transparently encrypt traffic between all hosts that also support opportunistic encryption. For this to work, each host must have a public key generated to use with Openswan. This key can then be stored in a DNS TXT record for that host. When a host that is set up for opportunistic encryption wants to initiate an encrypted connection with another host, it looks up the host’s public key through DNS and uses it to initiate the connection.
Before you get started, if you’re using a 2.6.x Linux kernel, make sure that you’ve installed Openswan with KLIPS [Hack #92] rather than Linux’s native IPsec support. The native support in the kernel doesn’t work properly with opportunistic encryption.
You’ll need to generate a key for each host with which you want to use this feature. Usually, Openswan creates a key for you when you install it. You can check if you have one by running the following command:
# /usr/local/sbin/ipsec showhostkey --left
If you see the following output, you’ll need to create one:
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
You can do that by running this command:
# /usr/local/sbin/ipsec newhostkey --output - >> /etc/ipsec.secrets
Next, you’ll need to generate a
TXT record to put into your DNS zone, using a command like the following:
# /usr/local/sbin/ipsec showhostkey --txt @colossus.nnc
; RSA 2192 bits colossus Mon Jul 13 03:02:07 2004
IN TXT "X-IPsec-Server(10)=@colossus.nnc" "
AQOR7rM7ZMBXu2ej/1vtzhNnMayZO1jwVHUyAIubTKpd/
PyTMogJBAdbb3I0xzGLaxadPGfiqPN2AQn76zLIsYFMJnoMbBTDY/2xK1X/
pWFRUUIHzJUqCBIijVWEMLNrIhdZbei1s5/
MgYIPaX20UL+yAdxV4RUU3JJQhV7adVzQqEmdaNUnCjZOvZG6m4zv6dGROrVEZmJFP54v6WhckYf
qSkQu3zkctfFgzJ/rMTB6Y38yObyBg2HuWZMtWI"
"8VrTQqi7IGGHK+mWk+wSoXer3iFD7JxRTzPOxLk6ihAJMibtKna3j7QP9ZHG0nm7NZ/
L5M9VpK+Rfe+evUUMUTfAtSdlpus2BIeXGWcPfz6rw305H9"Add this record to your zone (be sure to add the hostname to the beginning of the record) and reload it . By default, opportunistic encryption support is disabled. To enable it, open /etc/ipsec.conf and comment out the following line:
include /etc/ipsec.d/examples/no_oe.conf
Save the file, and then restart the ipsec service by running /etc/init.d/ipsec
restart.
Verify that DNS is working correctly by running this command:
# /usr/local/sbin/ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
DNS checks.
Looking for TXT in forward map: colossus [OK]
Does the machine have at least one non-private address [OK]Now, just restart Openswan:
# /etc/init.d/ipsec restart
You should now be able to connect to any other host that supports opportunistic encryption. But what if other hosts want to connect to you? To allow this, you’ll need to create a TXT record for your machine in your reverse DNS zone:
# ipsec showhostkey --txt 192.168.0.64
; RSA 2192 bits colossus Tue Jan 13 03:02:07 2004
IN TXT "X-IPsec-Server(10)=192.168.0.64" "
AQOR7rM7ZMBXu2ej/1vtzhNnMayZO1jwVHUyAIubTKpd/
PyTMogJBAdbb3I0xzGLaxadPGfiqPN2AQn76zLIsYFMJnoMbBTDY/2xK1X/
pWFRUUIHzJUqCBIijVWEMLNrIhdZbei1s5/
MgYIPaX20UL+yAdxV4RUU3JJQhV7adVzQqEmdaNUnCjZOvZG6m4zv6dGROrVEZmJFP54v6WhckYf
qSkQu3zkctfFgzJ/rMTB6Y38yObyBg2HuWZMtWI"
"8VrTQqi7IGGHK+mWk+wSoXer3iFD7JxRTzPOxLk6ihAJMibtKna3j7QP9ZHG0nm7NZ/
L5M9VpK+Rfe+evUUMUTfAtSdlpus2BIeXGWcPfz6rw305H9"Add this record to the reverse zone for your subnet, and other machines will be able to initiate encrypted connections with your machine. With opportunistic encryption in use, all traffic between the hosts will be encrypted automatically, protecting all services simultaneously. Pretty neat, huh?