[strongSwan] Using strongSwan for large scale host-to-host IPsec deployments

Jonas Sundberg josundb at kth.se
Fri Feb 25 18:09:11 CET 2011


I am writing a Master's Thesis regarding deployment of host-to-host
IPsec in a network with a couple of hundred servers. I'm currently
thinking about how to make configuration and certificate distribution
as easy as possible. The servers provide one or more of a set of
services to the network and services need to communicate with each

My plan is to organize the servers into groups where a group of
servers provide a specific service and where a server might be a
member of multiple groups. I'm hoping that the IPsec policy can be
specified for each group and that the policy for a specific server can
be calculated from the policies for each group that the server is a
member of. Does anyone know if this is possible with the tools that
are available today?

My first thought was to use Attribute Certificates to identify group
membership and to let the servers provide the appropriate Attribute
Certificates to prove that they are part of the required group.
However, if I understand things correctly, the Attribute Certificates
must be available on both ends of the IKE exchange for this to work.
Would it be possible to add support for sending the Attribute
Certificates when they are requested or is this unsupported by IKE? I
saw some old post about using LDAP for Attribute Certificate lookups.
Could that be another option in this case?

The next option I have investigated is to instead use the Organization
Unit part of X.509 certificates for group membership. The problem with
this is that the wildcard support seems to be unable to receive a
variable number of Organization Unit attributes for a specific rightid
parameter in ipsec.conf. Is it possible to do this somehow?

A final option that I've thought about is to give each client one
certificate with a single group membership for each group that it is a
part of and select the appropriate one for each connection. This might
make the administration a bit difficult though.

Another problem that I've come upon is the configuration files
themselves. I've only been able to use auto=start or auto=route with
single hosts, requiring that all conn sections for each applicable
host are listed in the ipsec.conf file on every host in the network.
Is it somehow possible to use auto=route for connections to different
hosts covering an entire subnet? It should be possible to choose the
appropriate groups based on protocols and ports used for the

A solution for this issue might be to instead use Opportunistic
Encryption, but from what I've seen this is not really used in
practice. Since the network would be internal, DNS security will not
be as big of a problem as it is on a larger-scale internet deployment
of IPsec with Opportunistic Encryption.

My last resort as things are right now is to generate configuration
files automatically, with individual connections in separate conn
sections. These would then be distributed to the servers with a tool
such as Puppet.

Does it seem as if this would be possible to do? Is there some other
solution to my problem that I might have missed?

I will probably be able to convince my thesis advisors that I should
spend some time on implementing missing functionality if that is the
easiest way to make administration much simpler in the end.

Jonas Sundberg
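The "last resort" described in the post, generating ipsec.conf from group membership and distributing the result, is straightforward to prototype. The following is an added example, not code from the original post or from the strongSwan project: it takes a constructed inventory (hosts, groups, and policy rows of the form client-group to server-group on a protocol/port), computes the union of conn sections a given host needs from every group it belongs to, merges duplicates that arise when two groups yield the same peer and selectors, and renders conn sections with leftprotoport/rightprotoport selectors and auto=route so that matching traffic triggers the SA. The host names, addresses, subject DN scheme and certificate file naming are all assumptions.

```python
"""Generate a per-host strongSwan ipsec.conf from group-based policy.

Added example; the inventory and policy data below are constructed and
the DN/certificate naming scheme is an assumption, not a project convention.
"""
from typing import Dict, List, Optional, Tuple

# Constructed inventory: host name -> address (made-up values).
HOSTS: Dict[str, str] = {
    "web1": "10.0.1.1",
    "web2": "10.0.1.2",
    "db1": "10.0.2.1",
    "mon1": "10.0.3.1",
}

# Constructed groups; a host may belong to several (web1 is in web and app).
GROUPS: Dict[str, List[str]] = {
    "web": ["web1", "web2"],
    "app": ["web1"],
    "db": ["db1"],
    "monitor": ["mon1"],
}

# Policy rows: (client_group, server_group, protocol, server_port).
# The last row overlaps with the first for web1 and is de-duplicated below.
POLICIES: List[Tuple[str, str, str, int]] = [
    ("web", "db", "tcp", 5432),
    ("monitor", "web", "tcp", 80),
    ("monitor", "db", "tcp", 5432),
    ("app", "db", "tcp", 5432),
]


def peer_id(peer: str) -> str:
    """Assumed certificate subject DN for a host (constructed scheme)."""
    return f"C=SE, O=Example, CN={peer}.example.net"


def protoport(proto: str, port: Optional[int]) -> str:
    """Format a leftprotoport/rightprotoport value: 'tcp' or 'tcp/5432'."""
    return proto if port is None else f"{proto}/{port}"


def _add(conns, peer, hosts, proto, lport, rport, direction):
    """Record one conn unless an identical (peer, selectors) conn exists."""
    lpp, rpp = protoport(proto, lport), protoport(proto, rport)
    key = (peer, lpp, rpp)  # same peer and same selectors => same conn
    if key in conns:
        return
    conns[key] = {
        "name": f"{proto}{lport or rport}-{direction}-{peer}",
        "right": hosts[peer],
        "rightid": peer_id(peer),
        "leftprotoport": lpp,
        "rightprotoport": rpp,
    }


def conns_for_host(host, hosts, groups, policies) -> List[Dict[str, str]]:
    """Union of conn sections `host` needs from every policy row whose
    client or server group contains it, sorted by peer for stable output."""
    conns: Dict[Tuple[str, str, str], Dict[str, str]] = {}
    for client_grp, server_grp, proto, port in policies:
        clients = groups.get(client_grp, [])
        servers = groups.get(server_grp, [])
        if host in clients:
            # Host initiates to each server: only the peer side carries a port.
            for peer in servers:
                if peer != host:
                    _add(conns, peer, hosts, proto, None, port, "to")
        if host in servers:
            # Host provides the service: only the local side carries a port.
            for peer in clients:
                if peer != host:
                    _add(conns, peer, hosts, proto, port, None, "from")
    return [conns[k] for k in sorted(conns)]


def render_ipsec_conf(host, hosts, conns) -> str:
    """Render ipsec.conf text: shared settings in conn %default, then one
    conn per peer/selector pair, all with auto=route (trap policy)."""
    out = [
        "config setup", "",
        "conn %default",
        "    keyexchange=ikev2",
        f"    left={hosts[host]}",
        f"    leftcert={host}Cert.pem",  # assumed certificate file naming
        "    auto=route", "",
    ]
    for c in conns:
        out.append(f"conn {c['name']}")
        out.append(f"    right={c['right']}")
        out.append(f"    rightid=\"{c['rightid']}\"")
        out.append(f"    leftprotoport={c['leftprotoport']}")
        out.append(f"    rightprotoport={c['rightprotoport']}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for h in HOSTS:
        print(f"# ---- {h} ----")
        print(render_ipsec_conf(h, HOSTS, conns_for_host(h, HOSTS, GROUPS, POLICIES)))
```

Running the script prints one ipsec.conf per host; web1 ends up with two conns (to db1 on tcp/5432 and from mon1 on tcp/80) even though it sits in two groups that both grant access to db1, because the duplicate is merged on (peer, selectors). A tool such as Puppet would then ship the per-host output together with the host's certificate.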
