####### ipsec stuff

## nomenclature

* IKE
    Internet Key Exchange
* tunnel mode
    IP datagram is fully encapsulated by a new IP datagram
* transport mode
    only the payload of the IP datagram is modified by the ipsec protocol
* ESP
    protocol for IPSEC; packets display ESP, not TCP/UDP, etc.
* SPD = security policy database; analogous to firewall rules
    which packets should be encrypted, etc.
    specify by addresses, protocols, port numbers, etc.
* SAD = security association database; analogous to a stateful firewall
    list of current connection states
    each SA has encryption & hash algorithm, session keys, maximum life and byte counts
    SA must exist for packets to be encrypted; SPD rules indicate that SA must be present
    AKA: ongoing connection
* Key mgmt daemon
    Daemon which controls key negotiation: pluto, racoon, isakmpd
* PSK
    preshared keys; simplest authentication method
    random characters, at least 20 long; recommendation is no shorter than 64
* NULL authentication
    similar to HTTPS; clients authenticate server, not vice versa
    AKA single-side authentication
* opportunistic IPSEC
    attempt to encrypt all communications between any two hosts without trust and preconfiguration
    to encrypt the entire net, must use specific policies (clear-or-private, private-or-clear, clear, private, block)
* shunt
    packets placed in the kernel to allow clear text if the IKE daemon cannot use IPSEC

## miscellaneous

* Process
    Packet created, SPD searched for match, SA created upon match, packet encrypted, sent
* ipsec.secrets
    On hosts with <= openswan 3.15, a secrets file must be used with an entry similar to:

        : RSA "certname"

    "certname" is taken from certutil -L -d sql:/etc/ipsec.d; it is the USER certificate, not the CA

### beta steps

* First/primary host

    1.) install libreswan
    2.) rm -rf /etc/ipsec.d/*.db
    3.) certutil -S -k rsa -n "ipsecCA" -s "CN=RC IPSECA" -v 12 -t "CT,C,C" -x -d sql:/etc/ipsec.d # Create root CA for shared installation
    4.) certutil -S -k rsa -c "ipsecCA" -n "ipsecclient" -s "CN=SEC Client" -v 12 -t "u,u,u" -d sql:/etc/ipsec.d # Create user certificate signed by CA in step #3
    5.) pk12util -o ipsecCA.p12 -n "ipsecCA" -d sql:/etc/ipsec.d # Export CA certificate for installation on other node(s)
    6.) pk12util -o ipsecclient.p12 -n "ipsecclient" -d sql:/etc/ipsec.d # Export signed user certificate for installation on other node(s)

* Secondary host

    7.) install libreswan
    8.) rm -rf /etc/ipsec.d/*.db
    9.) ipsec initnss
    10.) ipsec import ipsecCA.p12 # Import CA created on primary host
    11.) certutil -M -n ipsecCA -t "CT,," -d sql:/etc/ipsec.d # Modify attributes of CA for trust
    12.) ipsec import ipsecclient.p12 # Import signed user certificate
    13.) Edit shared config /etc/ipsec.d/blah.conf

        conn rcfc2_hipaa13
            phase2alg=aes_gcm128-null
            type=transport
            left=10.250.17.241
            leftid="CN=SEC Client"
            leftrsasigkey=%cert
            leftcert=ipsecclient
            right=10.250.22.94
            rightrsasigkey=%cert
            #rightid="CN=User2"
            rightid="CN=SEC Client"
            rightcert=ipsecclient
            auto=start

### alpha steps

1.) install libreswan
2.) rm -rf /etc/ipsec.secrets /etc/ipsec.d/*.db
3.) ipsec initnss
4.) ipsec newhostkey --output /etc/ipsec.secrets
5.) ipsec showhostkey --left|--right --ckaid ID
6.) ipsec verify (need to enable/disable items)

# alpha output

    # ipsec initnss
    Initializing NSS database
    # systemctl enable ipsec
    Created symlink from /etc/systemd/system/multi-user.target.wants/ipsec.service to /usr/lib/systemd/system/ipsec.service.
    # ipsec newhostkey
    Generated RSA key pair with CKAID 7e0441dd80e2b9c31f118142eb742a791396e4b4 was stored in the NSS database
    # ipsec showhostkey --left --ckaid 7e0441dd80e2b9c31f118142eb742a791396e4b4
            # rsakey AwEAAbhV9
            leftrsasigkey=0sAwEAAbhV9wicdN2OWPql8iKApwjlyvULhDoWH9d0+csElRfI3i8E0FLDJthHrGHrRv8vweg5rOVIHnSrR3Nbos2flplhpAzDvb8n/vuZ7wmwA/llMjOkRmRHYI5SBN0znLsv0LPPWKXy1e3S8hkKtHvCikgwlsdLZqpHVTsCz/z614qg9RTf1RUo+V3Udg8mjEmN2RuLHGSR7mO0eDhKuhE5WQ1AhtGdQdkYX3F2UENrGrLEj4ODBorfz+2WpptDSw5a5odaBTOUv+K5tWb0ZF5cIMq/UOzEcSXQFqPqMMho77TaMUHUtN0zuhsJ0n1QmObibwxPuxdwbvJylB6mcSDpHuFt0Z58hHaGi/o8DcpgC2trWVvm4uq/LeCPvqH02JYl8vsUX+DgQEqe/SPOUoyc3koSiv1etpR+60ZhkEAtnrtsqxZfXttbQmJtv/uOpntucFLCGwWPgefXsDN1OGCJzHkd7hqqJikMSHtEj8KlDgwoSGsadnHFDRtLnTd6GUeizkPKM2wQy2CiAT4MxEzYq/oGFFX4xR5LZegj3olyZpS86jezkhzWUPIP0VrbDjhNPlk98x4x40E5GIhGLw==
    # ipsec showhostkey --list
    < 1> RSA keyid: AwEAAbhV9 ckaid: 7e0441dd80e2b9c31f118142eb742a791396e4b4
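
Added example (not part of the original notes, not libreswan code): check a peer's `leftrsasigkey=`/`rightrsasigkey=` value before pasting it into a conn. Assumptions: the value is `0s` + base64 of an RFC 3110 RSA public key blob, and the keyid is the first 9 base64 characters (consistent with the output above, where `AwEAAbhV9` is the start of the key); the 2048-bit floor and the function names are made up for this example.

```python
import base64

MIN_MODULUS_BITS = 2048  # assumed local policy floor, not a value from the notes

def parse_rsasigkey(value):
    """Decode '0s' + base64 of an RFC 3110 RSA public key blob."""
    value = value.strip()
    for prefix in ("leftrsasigkey=", "rightrsasigkey="):
        if value.startswith(prefix):
            value = value[len(prefix):]
    if not value.startswith("0s"):
        raise ValueError("expected 0s (base64) prefix")
    b64 = value[2:]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # RFC 3110: one exponent-length byte, or 0x00 followed by a two-byte length
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + elen], "big")
    modulus = int.from_bytes(blob[off + elen:], "big")
    if elen == 0 or modulus == 0:
        raise ValueError("truncated key blob")
    return {"keyid": b64[:9], "exponent": exponent, "bits": modulus.bit_length()}

def check_peer_key(value, expected_keyid):
    """Return a list of problems; an empty list means the key is acceptable."""
    key = parse_rsasigkey(value)
    problems = []
    if key["keyid"] != expected_keyid:
        problems.append("keyid %s != expected %s" % (key["keyid"], expected_keyid))
    if key["bits"] < MIN_MODULUS_BITS:
        problems.append("modulus is only %d bits" % key["bits"])
    if key["exponent"] < 3 or key["exponent"] % 2 == 0:
        problems.append("suspicious public exponent %d" % key["exponent"])
    return problems

def make_sample(modulus_len=256):
    """Constructed blob for the demo: exponent 65537 + filler bytes, not a real key."""
    modulus = bytes([0xC3]) + bytes(range(1, modulus_len))
    blob = b"\x03\x01\x00\x01" + modulus
    return "leftrsasigkey=0s" + base64.b64encode(blob).decode()

if __name__ == "__main__":
    sample = make_sample()
    print(parse_rsasigkey(sample))
    print(check_peer_key(sample, "AwEAAcMBA") or "key OK")
```

Compare the reported keyid against what the peer's own `ipsec showhostkey --list` prints, obtained over a separate channel.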