IPSec with DNSSEC v2

Back to our business. On 11 Oct a patch to enable DNSSEC protected DANE CERTs was merged to StrongSWAN's upstream so now you can have interoperability between racoon and strongswan if you need to use CERTs for easy deployment.

The approach is pretty the same, only with StrongSWAN you have additional DNSSEC validation (racoon blindly trusts underlying DNSSEC implementation).

For simplicity we'll use racoon configuration part from the previous example, and here're just StrongSWAN specifics. Bare minimum to work with racoon then would be:

# strongswan.conf - strongSwan configuration file
charon {
    threads = 16
    plugins {
        dnscert {
            enable = true

libstrongswan {
    plugins {
        unbound {
            resolv_conf = /etc/unbound/resolv.conf
            dlv_anchors = /etc/unbound/dlv.isc.org.key

Important points are to enable dnscert plugin and configure unbound library to do DNSSEC. Here we assume you use DLV since your TLD is not signed (as eg. .mobi). If it is signed - root key should suffice. Next - IPSec peer configuration

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug = 2

# Add connections here.

conn %default

conn vex

Meh, just tried to reproduce it on my spare ubuntu - couple of things revealed. First - you may nedd to adjust your apparmor profile to allow charon reading some extra files, eg. this way:

  /etc/unbound/*        r,
  /etc/resolv.conf      r,
  /var/lib/unbound/*    r,

Next - you need to have your local private key for the local peer in a more permissive place than standard /etc/ssl/private - but then it's advicable to encrypt it somehow at least, eg. like this:

# openssl rsa -aes256 < /etc/ssl/private/box.key > /etc/ipsec.d/private/box.aes
<enter and confirm password>
# echo ': RSA box.aes "KeyPassword"' >> /etc/ipsec.secrets

Or, if you decided to switch entirely to strongswan (without racoon) you may finally enjoy ECDSA certs with their shorter size:

# openssl ecparam -genkey -name secp521r1 -noout -out /etc/ssl/private/box.ec.key
# openssl req -new -x509 -key /etc/ssl/private/box.ec.key \
-out /etc/ssl/certs/box.ec.pem
# openssl ec -aes256 -in /etc/ssl/private/box.ec.key \
-out /etc/ipsec.d/private/box.ec.aes
# echo ': ECDSA box.ec.aes "KeyPassword"' > /etc/ipsec.secrets

Now you just need to publish certificate as CERT record in DNS. It's advisable though to not publish more than one cert record for domain name since StrongSWAN cannot yet properly enumerate certificates even thoguh such mechanism is part of the credential manager subsystem. Hence you'd need to replace ECDSA certificate in all apps as well as create/update a TLSA record for this certificate (if required - not everyone yet agreed on which of DANE methods to use *sigh*).

# echo -e "box\t\tIN CERT PKIX 0 4 (" >> zone.file
# openssl x509 -in /etc/ssl/certs/bo.xec.pem | grep -v CERT >> zone.file
# echo ")" >> zone.file
# echo -e "*._tcp.box\t\tIN TLSA 3 1 1\t" >> zone.file
# openssl x509 -pubkey -in /etc/ssl/certs/box.ec.pem -noout | \
openssl pkey -pubin -outform DER | openssl sha256 | \
cut -d' ' -f2 >> zone.file
Sat May 10 12:03:26 2014
© ruff 2011