Internet Protocol Security (IPSec) was developed in 1990's and provides a security architecture for the communication over IP networks. IPsec is used to ensure data privacy, authenticity and integrity.

In practical terms, IPsec creates a secure tunnel between two hosts on the network. This could either be two IPFire systems which will then be called net-to-net or an end-user device which connects to IPFire which is called host-to-net. All packets are fully encrypted which prevents others from intercepting and reading your data sent across an untrusted network and authenticated which prevents others from injecting their own data into the tunnel.

Common scenarios for IPsec VPNs are:

  • Connecting branch offices to the headquarters
  • Connecting various locations to the data center
  • Connecting a laptop to an office for remote/home working

Configuration

Security

For net-to-net and host-to-net, IPFire offers two different ways to authenticate two peers with each other.

The first one is using Pre-Shared-Key authentication (PSK) which relies on both peers knowing the same secret. This secret is usually an ASCII string and must not be easily guessable. It is recommended to use a key of at least 32 random characters.

Much stronger authentication can be provided with the second method which uses certificates. Those certificates must be generated before a connection is being created and will then be exchanged with the other party.