Saturday, April 2, 2011

Linux Host-to-Host IPSEC

Sometimes you want to encrypt all IP traffic between two Linux hosts. An easy way to do this on Red Hat Linux is IPSEC. Many applications encrypt their own traffic, such as secure shell, or transport layer security and secure sockets layer layered over normally unencrypted protocols, but IPSEC works at a lower level: it is independent of the application and encrypts all IP communication between the two hosts.

Example Hosts

Host 1: (host1)
Host 2: (host2)

Configuration on host1

The numbers for the SPI, or Security Parameter Index, are arbitrary. They just need to correlate with each other (the IN SPI on host1 must be the OUT SPI on host2, and vice versa). I just picked a set of seven-digit numbers for this example.

# /etc/sysconfig/network-scripts/ifcfg-ipsec0

Configuration on host2


The Difference

Before you activate the IPSEC tunnel (which you have configured to start on boot), you should understand the difference in traffic. Here is an example of a single ping:

16:07:34.401784 IP > ICMP echo request, id 11084, seq 1, length 64
16:07:34.401842 IP > ICMP echo reply, id 11084, seq 1, length 64

You can see that the traffic is identifiable as ICMP.

After "sudo /sbin/ifup ipsec0":

16:09:32.580025 IP > AH(spi=0x00845fed,seq=0x2d): ESP(spi=0x0054b014,seq=0x2d), length 88
16:09:32.580144 IP > AH(spi=0x007a31c7,seq=0x23): ESP(spi=0x000138d5,seq=0x23), length 88

With the IPSEC connection up, all traffic between the two hosts appears as IP protocol 50 (Encapsulating Security Payload) and 51 (Authentication Header). Here is a secure shell session:

17:00:35.333778 IP > AH(spi=0x00845fed,seq=0x2f): ESP(spi=0x0054b014,seq=0x2f), length 64
17:00:35.333881 IP > AH(spi=0x007a31c7,seq=0x25): ESP(spi=0x000138d5,seq=0x25), length 64
17:00:35.333937 IP > AH(spi=0x00845fed,seq=0x30): ESP(spi=0x0054b014,seq=0x30), length 56
17:00:35.340078 IP > AH(spi=0x007a31c7,seq=0x26): ESP(spi=0x000138d5,seq=0x26), length 72
17:00:35.340183 IP > AH(spi=0x00845fed,seq=0x31): ESP(spi=0x0054b014,seq=0x31), length 56
17:00:35.340299 IP > AH(spi=0x00845fed,seq=0x32): ESP(spi=0x0054b014,seq=0x32), length 72
17:00:35.340355 IP > AH(spi=0x007a31c7,seq=0x27): ESP(spi=0x000138d5,seq=0x27), length 56
17:00:35.340490 IP > AH(spi=0x00845fed,seq=0x33): ESP(spi=0x0054b014,seq=0x33), length 768

tcpdump cannot look inside the IPSEC packets to see that this is traffic destined for TCP port 22. The payload is encrypted, so if the communication is intercepted it cannot be deciphered; a clear-text password sent to check mail, for example, would not be exposed.
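As an added example (not code from the original post), here is a small Python script that parses tcpdump lines of the shape shown above and checks, from a capture alone, that the tunnel is behaving as the post describes: each direction carries one fixed (AH SPI, ESP SPI) pair and the two directions use different pairs, which is the on-the-wire form of the IN/OUT correlation from the SPI note; AH sequence numbers in each direction only ever increase; and once a direction has carried IPSEC, no cleartext packet follows in it. The sample capture is constructed from the post's own lines. Because the post's lines had their addresses stripped, the names host1 and host2 are assumed placeholders, and the last two lines are constructed anomalies (a repeated sequence number and a cleartext ping after the tunnel is up) that are not in the post.

```python
import re
from collections import defaultdict

# Constructed sample capture, modelled on the tcpdump output in the post.
# host1/host2 are placeholder endpoint names (the post's lines had no addresses).
# The last two lines are constructed anomalies that do not appear in the post:
# a repeated AH/ESP sequence number and a cleartext ICMP packet after the
# tunnel is already carrying traffic in that direction.
SAMPLE_CAPTURE = """\
16:07:34.401784 IP host1 > host2: ICMP echo request, id 11084, seq 1, length 64
16:07:34.401842 IP host2 > host1: ICMP echo reply, id 11084, seq 1, length 64
16:09:32.580025 IP host1 > host2: AH(spi=0x00845fed,seq=0x2d): ESP(spi=0x0054b014,seq=0x2d), length 88
16:09:32.580144 IP host2 > host1: AH(spi=0x007a31c7,seq=0x23): ESP(spi=0x000138d5,seq=0x23), length 88
17:00:35.333778 IP host1 > host2: AH(spi=0x00845fed,seq=0x2f): ESP(spi=0x0054b014,seq=0x2f), length 64
17:00:35.333881 IP host2 > host1: AH(spi=0x007a31c7,seq=0x25): ESP(spi=0x000138d5,seq=0x25), length 64
17:00:35.333937 IP host1 > host2: AH(spi=0x00845fed,seq=0x30): ESP(spi=0x0054b014,seq=0x30), length 56
17:00:35.340078 IP host2 > host1: AH(spi=0x007a31c7,seq=0x26): ESP(spi=0x000138d5,seq=0x26), length 72
17:00:35.340183 IP host1 > host2: AH(spi=0x00845fed,seq=0x31): ESP(spi=0x0054b014,seq=0x31), length 56
17:00:35.340299 IP host1 > host2: AH(spi=0x00845fed,seq=0x32): ESP(spi=0x0054b014,seq=0x32), length 72
17:00:35.340355 IP host2 > host1: AH(spi=0x007a31c7,seq=0x27): ESP(spi=0x000138d5,seq=0x27), length 56
17:00:35.340490 IP host1 > host2: AH(spi=0x00845fed,seq=0x33): ESP(spi=0x0054b014,seq=0x33), length 768
17:00:36.000000 IP host1 > host2: AH(spi=0x00845fed,seq=0x31): ESP(spi=0x0054b014,seq=0x31), length 56
17:00:37.000000 IP host1 > host2: ICMP echo request, id 11085, seq 1, length 64
"""

# "<ts> IP <src> > <dst>: <rest>" is tcpdump's default line shape for IPv4.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# AH followed by ESP, each with its SPI and sequence number, as in the post.
IPSEC_RE = re.compile(
    r"AH\(spi=0x(?P<ah_spi>[0-9a-f]+),seq=0x(?P<ah_seq>[0-9a-f]+)\): "
    r"ESP\(spi=0x(?P<esp_spi>[0-9a-f]+),seq=0x(?P<esp_seq>[0-9a-f]+)\)"
)


def parse_line(line):
    """Turn one tcpdump line into a dict; returns None for lines it cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "kind": "other"}
    ipsec = IPSEC_RE.match(m["rest"])
    if ipsec:
        rec["kind"] = "ipsec"
        rec["ah_spi"] = int(ipsec["ah_spi"], 16)
        rec["ah_seq"] = int(ipsec["ah_seq"], 16)
        rec["esp_spi"] = int(ipsec["esp_spi"], 16)
        rec["esp_seq"] = int(ipsec["esp_seq"], 16)
    elif m["rest"].startswith("ICMP"):
        rec["kind"] = "icmp"
    return rec


def audit_capture(text):
    """Audit a two-host capture for: one SPI pair per direction (and distinct
    pairs across directions), strictly increasing AH sequence numbers per
    direction, and no cleartext in a direction once it has carried IPsec."""
    spi_pairs = defaultdict(set)       # (src, dst) -> {(ah_spi, esp_spi)}
    last_seq = {}                      # ((src, dst), ah_spi) -> highest seq seen
    replays = []                       # (ts, direction, seq) that did not advance
    tunnel_up = set()                  # directions that have carried IPsec
    cleartext_after_tunnel = []        # (ts, direction, kind) leaks
    counts = defaultdict(int)

    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction = (rec["src"], rec["dst"])
        counts[rec["kind"]] += 1
        if rec["kind"] == "ipsec":
            spi_pairs[direction].add((rec["ah_spi"], rec["esp_spi"]))
            key = (direction, rec["ah_spi"])
            if key in last_seq and rec["ah_seq"] <= last_seq[key]:
                replays.append((rec["ts"], direction, rec["ah_seq"]))
            else:
                last_seq[key] = rec["ah_seq"]
            tunnel_up.add(direction)
        elif direction in tunnel_up:
            cleartext_after_tunnel.append((rec["ts"], direction, rec["kind"]))

    pairs = {d: sorted(p) for d, p in spi_pairs.items()}
    one_pair_each = all(len(p) == 1 for p in pairs.values())
    distinct = len({p[0] for p in pairs.values()}) == len(pairs)
    return {
        "counts": dict(counts),
        "spi_pairs": pairs,
        "spi_consistent": one_pair_each and distinct,
        "replays": replays,
        "cleartext_after_tunnel": cleartext_after_tunnel,
    }


if __name__ == "__main__":
    for key, value in audit_capture(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Run against a real capture with `tcpdump -n -i eth0 host <peer> > capture.txt` and feed the file's text to `audit_capture`; an empty `replays` list and an empty `cleartext_after_tunnel` list are what you want to see, and `spi_pairs` should show exactly the SPIs you configured for each direction. The replay check is deliberately simple (a sequence number that fails to advance) because a capture cannot see the kernel's anti-replay window; it is a sanity check on the wire, not a substitute for it.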

Next time, I'll explain a way to encrypt traffic between hosts you don't have administrative access to, using secure shell.


  1. I never knew about it, but now I get it clearly. Thanks a lot. Website Hosting India

  2. Hi, what will happen to the regular ethernet interfaces? Will those remain configured as active interfaces, with UP status, besides the ipsec0 interface? Can you provide an ifconfig output from a working host? I'm just asking because I'm interested. Thanks!

  3. Miklos: Yes. The eth0 interface will remain up and will show regular communications with other hosts. Encryption and protocol 50/51 will only occur between the two hosts on tunnel interface ipsec0. The tcpdump output above was with "-i eth0", by the way. I'll post some ifconfig output for you soon.

  4. IPsec is a protocol suite for security purposes.