StrongSwan: Preparations
What to take into account
How you need to set up your boxes depends on how you intend to run
StrongSwan. You have two options: user-controlled, through a plugin for
NetworkManager, or as a stand-alone daemon that brings the connection up and
takes it down again without user intervention.
The first variant suits someone who connects temporarily to the other end of
the IPsec connection; the second is meant to link boxes that reside in
disjoint subnets. This may be necessary if you have rented several servers,
possibly from different providers, that you now wish to link into one
contiguous, self-contained logical network that behaves like a regular LAN.
The only difference is that the radio link or cabling is replaced by an IPsec
tunnel.
Depending on the scenario you need to install different packages to set up
IPsec.
Preparing a server
This is done rather easily, because normally only one package is needed. It is advisable, however, to install a few additional packages, especially the StrongSwan documentation. Proceed as follows:
- Log in to your server as root.
- Launch YaST.
- Invoke the module Software -> Software Management.
- Enter strongswan as search term. You are going to get a list of packages.
- In any case pick the package strongswan-ipsec.
- Optionally also select the packages strongswan-doc and strongswan-mysql.
- Select Accept and hit RETURN.
- Confirm the subsequent selection of additional packages.
This installs everything required server-side for the IPsec connection. You still cannot establish a connection, though, because StrongSwan lacks one essential component: the credentials with which the two ends prove their identity to each other and secure the transmission path.
Preparing your local box
Here too you normally need to select only a single package to get StrongSwan working. The main difference is that StrongSwan does not operate on its own on this box; it is controlled by NetworkManager, which also takes care of the configuration.
- Invoke YaST from your graphical user interface. You are going to be queried for the root password if applicable.
- Invoke the module Software -> Software Management.
- Enter strongswan as search term. You are going to get a list of packages.
- Pick the package strongswan-nm.
- Optionally also select strongswan-doc.
- Click on Accept.
- Confirm the subsequent selection of additional packages.
This installs the NetworkManager integration and everything else required for an IPsec connection. StrongSwan is still going to refuse to work, however, because the same essential component, the credentials used to authenticate the connection, is still missing.
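Both procedures above are YaST click sequences. On a rented server you usually only have an ssh session, so the following script does the same with zypper, the command-line front end of the same package manager. It is an added example and not part of the original page: it takes the package names from the text (strongswan-ipsec for the stand-alone daemon, strongswan-nm for the NetworkManager plugin, strongswan-doc and strongswan-mysql as optional extras), installs them non-interactively and then verifies with rpm that they are really present. The role names "server" and "client" and the WITH_DOC / WITH_MYSQL switches are my own conventions.

```shell
#!/bin/sh
# Added example (not from the original page): zypper equivalent of the YaST
# steps for both roles. Package names are the ones given in the text.

# Print the package set for a role: "server" (stand-alone daemon, the case
# described under "Preparing a server") or "client" (NetworkManager plugin,
# "Preparing your local box"). WITH_DOC=1 adds the documentation package,
# WITH_MYSQL=1 adds the MySQL backend (server only, as in the text).
strongswan_packages() {
    case "$1" in
        server) pkgs="strongswan-ipsec" ;;
        client) pkgs="strongswan-nm" ;;
        *) echo "usage: strongswan_packages server|client" >&2; return 1 ;;
    esac
    [ "${WITH_DOC:-0}" = 1 ] && pkgs="$pkgs strongswan-doc"
    [ "$1" = server ] && [ "${WITH_MYSQL:-0}" = 1 ] && pkgs="$pkgs strongswan-mysql"
    echo "$pkgs"
}

# Check that every package of the role is installed. For the server role
# also show the version of the ipsec control utility that strongswan-ipsec
# ships, so you know the daemon side is really there.
verify_strongswan() {
    for p in $(strongswan_packages "$1"); do
        rpm -q "$p" >/dev/null || { echo "missing: $p" >&2; return 1; }
    done
    if [ "$1" = server ] && command -v ipsec >/dev/null; then
        ipsec version
    fi
}

# Install the role's packages. --non-interactive accepts the additional
# dependencies that YaST would ask you to confirm. Must run as root.
install_strongswan() {
    role="$1"
    pkgs=$(strongswan_packages "$role") || return 1
    zypper --non-interactive install $pkgs
    verify_strongswan "$role"
}

# Usage: WITH_DOC=1 ./strongswan-prep.sh server   (or: client)
if [ -n "${1:-}" ]; then
    install_strongswan "$1"
fi
```

Note that the script only installs software. Just like the YaST procedure it leaves you with a StrongSwan that still refuses to bring a tunnel up, because the certificates are not yet in place.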
One more thing...
As already mentioned in the last chapter, three security properties are
needed to harden an IPsec connection against eavesdropping and manipulation:
the identity of the remote station must be reliably verified (authentication),
the data must not be alterable in transit without detection (integrity), and
it must be unreadable to third parties (confidentiality).
Certificates serve this purpose. Each station you authorize gets a
certificate that binds a unique identity to its key, so the peer can verify
who it is talking to; the key exchange between the authenticated peers then
yields the session keys used to check the integrity of every packet and to
encrypt the traffic. Generating certificates is not trivial, which is why the
next chapter goes into this in depth. Rest assured, though: a certificate
infrastructure can be set up in rather few steps.