
Tip of the Trade: Easy IPSec

By Carla Schroder
Posted Feb 13, 2007


Setting up an open source IPSec implementation has traditionally been difficult and complex, to the point that as a security solution it almost doesn't make sense. Even high-end commercial implementations tend to cause hair loss and frustration. But finally, there is an open source IPSec implementation that is easy to administer, free of cost and based on a high-quality secure operating system: OpenBSD.

OpenBSD takes the complexity out of open source IPSec implementations with the inclusion of ipsecctl, an abstraction layer that sits on top of the protocols' overly complex and confusing configuration options.

The developers of OpenBSD made security a priority. The system or network administrator does not need to take extra steps to harden the system because it's already hardened. Even better, the documentation is abundant, excellent and easily available. It has an excellent package manager and an emulation layer for running binaries from other Unix-type operating systems, such as FreeBSD and Linux.

OpenBSD, like the other open source *BSD Unixes and Linux distros, is very customizable. Combined with its strong security model, this makes it a perfect candidate for powering network devices, especially border routers, firewalls and virtual private network (VPN) gateways. Which brings us to IPSec.

OpenBSD includes ipsecctl, which is an excellent abstraction layer on top of the overly complex, confusing IPSec configuration options. It takes just a few steps to configure an OpenBSD-based VPN gateway:

  • First, edit /etc/ipsec.conf
  • Then, configure OpenBSD's pf firewall to allow VPN traffic in
  • Copy your isakmpd keys to clients
  • Configure IPSec to start at boot
  • Configure clients — Linux, OpenBSD, Windows and Mac OSX — so that they can all use the OpenBSD VPN

And you're in business. The actual configurations and steps are simple. See man 5 ipsec.conf and Zero to IPSec in 4 minutes on SecurityFocus to learn more.
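The gateway-side steps listed above, as an added example that is not from the original article: a small shell function that stages the ipsec.conf rule, the matching pf rules and the boot settings for one tunnel. The function name, the staged file names and the choice of a passive gateway are assumptions made for illustration; client configuration is not covered.

```shell
#!/bin/sh
# Added example (not from the article): stage the gateway-side files for the
# steps above. Addresses used with it are constructed; file names are hypothetical.
# usage: stage_vpn_gateway OUTDIR EXT_IF LOCAL_NET PEER_GW PEER_NET
stage_vpn_gateway() {
    [ "$#" -eq 5 ] || { echo "usage: see header comment" >&2; return 2; }
    out=$1 ext_if=$2 local_net=$3 peer_gw=$4 peer_net=$5
    # Accept only plain interface names, addresses and prefixes, so a stray
    # space or brace cannot change the meaning of a generated rule.
    for v in "$ext_if" "$local_net" "$peer_gw" "$peer_net"; do
        case $v in
            ''|*[!A-Za-z0-9./:]*) echo "bad value: $v" >&2; return 1 ;;
        esac
    done
    mkdir -p "$out" || return 1

    # Step 1, /etc/ipsec.conf: one rule negotiates ESP tunnel SAs between the
    # two networks. "passive" (a choice made here) waits for the peer to start.
    ( umask 077    # keep the staged file private, like the installed one
      cat > "$out/ipsec.conf" <<EOF
ike passive esp from $local_net to $peer_net peer $peer_gw
EOF
    ) || return 1

    # Step 2, pf: admit IKE (udp 500, NAT-T 4500) and ESP from the peer only,
    # then the decapsulated traffic, which pf filters on enc0.
    cat > "$out/pf.conf.vpn" <<EOF || return 1
pass in on $ext_if proto udp from $peer_gw to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from $peer_gw to ($ext_if)
pass in on enc0 proto ipencap from $peer_gw to ($ext_if) keep state (if-bound)
pass in on enc0 from $peer_net to $local_net keep state (if-bound)
EOF

    # Step 3, keys: exchange only the public halves. This gateway's
    # /etc/isakmpd/local.pub goes to the peer as
    # /etc/isakmpd/pubkeys/ipv4/<this gateway's address>; the file
    # /etc/isakmpd/private/local.key never leaves the host.

    # Step 4, boot: -K has isakmpd take policy from ipsecctl rather than
    # isakmpd.policy; ipsec=YES loads /etc/ipsec.conf at startup.
    cat > "$out/rc.conf.local.vpn" <<EOF
isakmpd_flags="-K"
ipsec=YES
EOF
}

# Parse-check the staged files before installing them:
#   ipsecctl -n -f OUTDIR/ipsec.conf ; pfctl -n -f /etc/pf.conf
if [ "$#" -eq 5 ]; then stage_vpn_gateway "$@"; fi
```

The pf rules only admit traffic from the named peer, so each additional remote gateway needs its own staged set.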
