Best practices for managing ipsec config?

acd

New Member
I have near on two dozen ipsec endpoints that are pretty much interconnected n-way with some exceptions. I have a file on each endpoint that has IP pairs, local & remote, from which a script generates an /etc/ipsec-tools.conf and /etc/racoon/racoon.conf using templates when those services are restarted. It works pretty well for what it is.

 

The problem is, more often than I'd like, I have to add or remove an endpoint from the group. This means logging in to each one, testing the pairs file for the endpoint in question, adding/removing line(s) if appropriate, and if any change was made, restart setkey and reload racoon (severing any active connections momentarily) to apply changes. This is acceptable because 1. anything that is not a public service has ip(6)tables --pol ipsec rules associated--nothing gets dropped into the clear, and 2. the connections re-establish automatically after a brief disruption of a few packets dropped. This is semi-automated w/ a combination of grep, sed c\ and sort, but I manually confirm changes.

 

Now I've thought about it a bit and I can probably use anonymous-requiring-as1n style configs for racoon so I don't have to reload it, but setkey can't have that flexibility as far as I can tell. As long as I still have to make changes, I figure I might as well leave my current script in place.

 

For those of you with a lot of ipsec tunnels, how do you handle this? Is there a tool that will allow simple management from a single point or do I need to consider rolling my own?

 

thank you,

-tw
 
Last edited by a moderator:

acd

New Member
Since I'm not using strong/open/freeswan, I'd have to roll my own to do that which is probably the route I will take. Thanks for the input.
 
Top