From 3fafa03aeb3640a86d9cd8c639d085df6a8d085d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 20 May 2016 01:19:27 +0200
Subject: Set up IPSec tunnels between each pair of hosts.

We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
---
 .../etc/strongswan.d/charon/socket-default.conf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 roles/common/files/etc/strongswan.d/charon/socket-default.conf
(limited to 'roles/common/files/etc/strongswan.d/charon/socket-default.conf')

diff --git a/roles/common/files/etc/strongswan.d/charon/socket-default.conf b/roles/common/files/etc/strongswan.d/charon/socket-default.conf
new file mode 100644
index 0000000..1bc20f1
--- /dev/null
+++ b/roles/common/files/etc/strongswan.d/charon/socket-default.conf
@@ -0,0 +1,20 @@
+socket-default {
+
+ # Firewall mark to set on outbound packets.
+ # fwmark =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Set source address on outbound packets, if possible.
+ # set_source = yes
+
+ # Listen on IPv4, if possible.
+ # use_ipv4 = yes
+
+ # Listen on IPv6, if possible.
+ use_ipv6 = no
+
+}
+
-- cgit v1.2.3
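Review bot: The only setting this file effectively changes is `use_ipv6 = no`; `load = yes` restates the default and the `fwmark`, `set_source` and `use_ipv4` lines are commented out, so nothing in the file records why the IPv6 IKE socket is disabled or what it costs. Add a header comment above `socket-default {` that ties the override to the design in the commit message, e.g. `# Site override: IKE is only exchanged over the dedicated IPv4 IPSec subnet, so charon does not open an IPv6 listener; any future peer reachable only over IPv6 will need this re-enabled.` Keeping the listener off every IPv6 address is a reasonable attack-surface reduction for this IPv4-only design, and the comment makes that an explicit decision rather than a copied template value. The file appears to mirror strongSwan's generated socket-default.conf template; if so, the `#` lines describe upstream defaults that may drift between releases, so consider keeping only the overridden key to avoid stale documentation.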