Thursday, 21 February 2013
Kerberos can be used to set up an IPSec security association (SA); the protocol is called Kerberized Internet Negotiation of Keys (KINK). It would make sense to use our Kerberos infrastructure directly rather than generating X.509 certificates using Kerberos. KINK is supported by racoon2, which is available from EPEL, so this is probably worth exploring, although documentation is also very sparse. It would be nice if we could use opportunistic encryption, which doesn't require both ends of the IPSec tunnel to be specified. However, it does rely on extra entries in DNS. This might be possible but adds a certain amount of complication. This is also an interesting article giving an overview of IPSec. It suggests that an LDAP directory might be used to distribute public keys. Nate Carlson's post on how to set up an IPSec tunnel between openswan and Windows XP also looks worth looking into.
Tuesday, 19 February 2013
I am looking into using IPSec to provide a secure tunnel over which we can transfer data between our servers, and possibly as a way to secure NFS. We have a Kerberos infrastructure and can provide our own X.509 certificates. There is very little documentation on how to set up IPSec on RHEL6, CentOS6 or SL6 (they should all be the same really). Furthermore, RHEL6 is now using openswan, which appears to have moved to GitHub. On the new site there is still very little documentation, with just a few unhelpful examples. So, the plan is to have a series of posts so I don't forget what I have found out.
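Since the plan above is to run openswan with our own X.509 certificates, one thing worth having early on is a small checker that reads an openswan-style ipsec.conf and flags the settings that would undermine that plan (pre-shared keys, aggressive mode, weak IKE proposals, a conn that claims certificate authentication but names no certificate). The following is an added example written for this page, not code from the post or from the openswan project. It assumes openswan's ipsec.conf layout (a `config setup` block and `conn <name>` blocks with indented `key=value` lines) and its `ike=` / `phase2alg=` proposal syntax; the sample file, addresses and certificate name are constructed, and the assumption that `authby` defaults to `rsasig` is noted in the code.

```python
"""Audit an openswan-style ipsec.conf for settings a reviewer would flag.

Added example for this page, not code from the post or the openswan project.
Assumes openswan's ipsec.conf syntax: 'config setup' and 'conn <name>'
section headers at column 0, indented key=value lines, and proposal strings
such as ike=aes256-sha2_256;modp2048. The sample below is constructed.
"""
import re

# Constructed sample: a PSK-based conn (what we want to avoid) next to an
# X.509 certificate-based conn (what the plan calls for).
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn psk-tunnel
    left=192.0.2.10
    right=198.51.100.20
    authby=secret
    aggrmode=yes
    ike=3des-md5;modp1024
    auto=start

conn cert-tunnel
    left=192.0.2.10
    leftcert=serverA.pem
    leftrsasigkey=%cert
    right=198.51.100.20
    rightrsasigkey=%cert
    authby=rsasig
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256
    auto=start
"""

# Primitives we do not want to see in an IKE or ESP proposal.
WEAK_ALGS = ("des", "3des", "md5", "modp768", "modp1024")


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for 'config setup' and 'conn' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header: "config setup" or "conn <name>"
            parts = line.split()
            name = "config setup" if parts[0] == "config" else parts[1]
            current = sections.setdefault(name, {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_conn(conn):
    """Return a list of findings (strings) for one parsed conn block."""
    findings = []
    # Assumption: openswan treats a conn with no authby= as authby=rsasig.
    authby = conn.get("authby", "rsasig")
    if authby == "secret":
        findings.append("authenticates with a pre-shared key instead of certificates (rsasig)")
    if conn.get("aggrmode", "no").lower() == "yes":
        findings.append("aggressive mode sends the identity hash in the clear, enabling offline guessing")
    for key in ("ike", "phase2alg", "esp"):
        proposal = conn.get(key)
        if proposal:
            tokens = re.split(r"[-;,]", proposal.lower())
            weak = [t for t in tokens if t in WEAK_ALGS]
            if weak:
                findings.append(f"{key}= proposal contains weak primitives: {', '.join(weak)}")
    if authby == "rsasig" and conn.get("leftrsasigkey") == "%cert" and not conn.get("leftcert"):
        findings.append("leftrsasigkey=%cert but no leftcert= is configured")
    return findings


def audit(text):
    """Parse a whole ipsec.conf and return {conn_name: [findings]} for each conn."""
    sections = parse_ipsec_conf(text)
    return {name: check_conn(conn)
            for name, conn in sections.items() if name != "config setup"}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(f"conn {name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it against `/etc/ipsec.conf` (or the files it includes) by reading that text instead of `SAMPLE_CONF`; the PSK conn yields three findings and the certificate conn none, which is the shape we want before any tunnel is brought up with `ipsec auto --up`.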