ansible-ipsec
Feature request - specify ports for which ipsec should ALWAYS be used irrespective of source IP
Use-case: setting up an NFS v4 server without kerberos such that ALL traffic to the NFS server is always encrypted irrespective of the client's IP. This will prevent misconfigurations where one server is left out of the ipsec "ring" and is still able to access NFS without using ipsec.
I can take a shot at implementing this if you can help me with the core configuration required in /etc/ipsec-tools.conf
@saurabhnanda Sure thing! The setkey syntax is confusing and repetitive but I think by trial and error I've gained some experience :) Port numbers are specified in [] and need to be configured for both incoming and outgoing traffic. Here's an example of port-specific exclusion for 22/tcp as generated by the current rules:
spdadd 159.69.33.57[any] 159.69.148.50[22] tcp -P out prio high none;
spdadd 159.69.148.50[22] 159.69.33.57[any] tcp -P in prio high none;
spdadd 159.69.33.57[22] 159.69.148.50[any] tcp -P out prio high none;
spdadd 159.69.148.50[any] 159.69.33.57[22] tcp -P in prio high none;
There's 4 of them because each host has an SSH server. So for a NFS 2049/tcp server at 159.69.148.50 and client at 159.69.33.57 it would be something like this (on the client):
spdadd 159.69.33.57[any] 159.69.148.50[2049] tcp -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd 159.69.148.50[2049] 159.69.33.57[any] tcp -P in ipsec ipcomp/transport//use esp/transport//require;
Can remote ip addresses be omitted somehow?
Not in "raw ESP" mode (setkey). When using IKE you can allow IKE connections from any client and then IKE will set up ESP for that host pair.
From the man page of setkey:
src_range
dst_range
These select the communications that should be secured by IPsec. They can be an IPv4/v6 address or an IPv4/v6 address range, and may be
accompanied by a TCP/UDP port specification. This takes the following form:
address
address/prefixlen
address[port]
address/prefixlen[port]
prefixlen and port must be decimal numbers. The square brackets around port are really necessary; they are not man page meta-characters.
For FQDN resolution, the rules applicable to src and dst apply here as well.
How do I write an IP range which encompasses all IPs in the world?
Here's how I'm planning to attack this. I'll introduce a new (optional) variable called ipsec_secure_ports which can be configured either at a role level, or at a host level:
hosts:
database:
ansible_host: x.y.z.w
ipsec_secure_ports:
- 5432
redis:
ansible_host: x.y.z.w
ipsec_secure_ports:
- 6379
Based on this variable, the following spdadd entries will be added to /etc/ipsec-tools.conf:
# on database server
spdadd x.y.z.w[5432] <all-ipaddress> any -P out ipsec ipcomp/transport//use esp/transport//require;
# on redis server
spdadd x.y.z.w[6379] <all-ipaddress> any -P out ipsec ipcomp/transport//use esp/transport//require;
Is this it?
0.0.0.0/0
via https://stackoverflow.com/a/7064442/534481
Okay, I have a POC in place for ipv4. I added the following to the ipsec-tools.conf template file at the bottom:
{# ipsec_secure_ports is optional: default to an empty list so the loop is a
   no-op on hosts that do not define it instead of failing on an undefined variable. #}
{% set local_ip=hostvars[inventory_hostname]['ansible_default_ipv4']['address'] %}
{% for port in ipsec_secure_ports | default([]) %}
### SPD entries for securing port={{ port }} on {{ inventory_hostname }}/{{ local_ip }}
spdadd {{ local_ip }}[{{ port }}] 0.0.0.0/0 any -P out ipsec {% if ipsec_compress %}ipcomp/transport//use{% endif %} esp/transport//{{ ipsec_policy }};
spdadd 0.0.0.0/0 {{ local_ip }}[{{ port }}] any -P in ipsec {% if ipsec_compress %}ipcomp/transport//use{% endif %} esp/transport//{{ ipsec_policy }};
{% endfor %}
And verified this using the following method:
- opened up port 6379 (redis) to an IP which doesn't have ipsec enabled (it was not in the ipsec group)
- tried connecting to port 6379, and the connection never goes through
- commented out the following lines in the /etc/ipsec-tools.conf file on the redis server, restarted /etc/init.d/setkey, and the connection went through:
### SPD entries for securing port=6379 on dataserver/REDACTED
spdadd REDACTED[6379] 0.0.0.0/0 any -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd 0.0.0.0/0 REDACTED[6379] any -P in ipsec ipcomp/transport//use esp/transport//require;
Is it good enough to establish that port 6379 is truly "protected"?
Will this cause traffic over 127.0.0.1 to also be encrypted? If yes, how does one write an IP range to include ALL ip addresses except 127.0.0.1?
Is the catch-all range for IPv6 ::/0?
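A small generator for the SPD entries discussed in this thread, added here as an example; it is not code from the ansible-ipsec role. It emits the same out/in pair per port that the template above produces, chooses the catch-all peer range by the address family of the local address (0.0.0.0/0 for IPv4, ::/0 for IPv6, because a single selector cannot mix families), and reproduces the four prio high none bypass entries shown earlier for 22/tcp so that the carve-out pattern can be applied to other peer/port pairs. The function names and the addresses in the usage section are assumptions.

```python
"""Emit setkey SPD entries for the "always ESP on these ports" scheme.

Added example for this thread; not code from the ansible-ipsec role. The
output follows the spdadd lines posted above. Function names and the
sample addresses at the bottom are assumptions.
"""
import ipaddress

# A selector must stay within one address family, so the catch-all peer range
# is derived from the local address: 0.0.0.0/0 for IPv4, ::/0 for IPv6.
CATCH_ALL = {4: "0.0.0.0/0", 6: "::/0"}


def esp_policy(compress=True, level="require"):
    """Build the policy part of an spdadd line the way the template does:
    optional IPComp ("use") followed by ESP in transport mode at `level`
    ("require" or "use", the two values of ipsec_policy seen on this page)."""
    parts = ["ipcomp/transport//use"] if compress else []
    parts.append(f"esp/transport//{level}")
    return "ipsec " + " ".join(parts)


def secure_port_entries(local_ip, ports, compress=True, level="require"):
    """Return the out/in spdadd pair per port that makes every peer, whatever
    its address, hit the ESP policy when talking to local_ip[port]."""
    family = ipaddress.ip_address(local_ip).version  # raises on a bad address
    peers = CATCH_ALL[family]
    policy = esp_policy(compress, level)
    lines = []
    for port in ports:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r}")
        lines.append(f"spdadd {local_ip}[{port}] {peers} any -P out {policy};")
        lines.append(f"spdadd {peers} {local_ip}[{port}] any -P in {policy};")
    return lines


def bypass_entries(local_ip, peer_ip, port, proto="tcp"):
    """Return the four 'prio high none' entries that exempt one peer/port pair
    in both directions, with either host serving the port, in the order the
    role generates them for 22/tcp. The higher-priority 'none' policy is
    matched before the lower-priority 'require' policy for the same hosts,
    which is what carves a specific port out of the ring."""
    return [
        f"spdadd {local_ip}[any] {peer_ip}[{port}] {proto} -P out prio high none;",
        f"spdadd {peer_ip}[{port}] {local_ip}[any] {proto} -P in prio high none;",
        f"spdadd {local_ip}[{port}] {peer_ip}[any] {proto} -P out prio high none;",
        f"spdadd {peer_ip}[any] {local_ip}[{port}] {proto} -P in prio high none;",
    ]


def render(local_ips, ports, compress=True, level="require"):
    """Entries for a host with one or more local addresses (e.g. IPv4 + IPv6);
    each address gets its own comment header and its own catch-all family."""
    out = []
    for ip in local_ips:
        out.append(f"### SPD entries for securing ports {list(ports)} on {ip}")
        out.extend(secure_port_entries(ip, ports, compress, level))
    return out


if __name__ == "__main__":
    # Assumed sample data (documentation ranges), not addresses from the thread.
    print("\n".join(render(["192.0.2.10", "2001:db8::10"], [6379, 5432])))
    print("\n".join(bypass_entries("192.0.2.10", "192.0.2.20", 22)))
```

Feeding a dual-stack host through render() is the point of the address-family lookup: a single 0.0.0.0/0 catch-all would leave the IPv6 address of the same service reachable in the clear, so each local address needs its own pair of entries.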
@saurabhnanda sorry, really busy now. Try to test it this week!