Configuring an IPsec tunnel to secure NFS

To protect data transferred over NFS, configure an IPsec tunnel between the Staffcop server (NFS server) and the file scanner server (NFS client).

Staffcop Server Setup (NFS server)

  1. Install strongSwan:

sudo apt install strongswan -y

  2. Edit /etc/ipsec.conf:

sudo nano /etc/ipsec.conf

Add the configuration:

conn nfs-to-client
    authby=psk
    left=%any
    leftid=<SERVER_IP>
    leftsubnet=<SERVER_IP>/32
    right=<CLIENT_IP>
    rightsubnet=<CLIENT_IP>/32
    auto=start
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    type=transport

Replace <CLIENT_IP> with the file scanner server address and <SERVER_IP> with the Staffcop server address.

  3. Generate a PSK:

openssl rand -base64 32

  4. Open /etc/ipsec.secrets:

sudo nano /etc/ipsec.secrets

Add the following line, inserting the generated key (the same key must be configured on both servers):

<IP_SERVER_NFS> <IP_CLIENT_NFS> : PSK "generated_key_in_base64"

  5. Launch strongSwan:

sudo systemctl restart strongswan-starter
sudo systemctl enable strongswan-starter

File Scanner Server Setup (NFS client)

  1. Install strongSwan:

sudo apt install strongswan -y

  2. Edit /etc/ipsec.conf:

sudo nano /etc/ipsec.conf

Add the configuration:

conn nfs-to-server
    authby=psk
    left=%any
    leftid=<CLIENT_IP>
    leftsubnet=<CLIENT_IP>/32
    right=<SERVER_IP>
    rightsubnet=<SERVER_IP>/32
    auto=start
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    type=transport

Replace <CLIENT_IP> with the file scanner server address and <SERVER_IP> with the Staffcop server address.

  3. Open /etc/ipsec.secrets:

sudo nano /etc/ipsec.secrets

Add the same line as on the Staffcop server, using the key generated there:

<IP_SERVER_NFS> <IP_CLIENT_NFS> : PSK "generated_key_in_base64"

  4. Launch strongSwan:

sudo systemctl restart strongswan-starter
sudo systemctl enable strongswan-starter

Attention

After configuring the IPsec tunnel, verify that NFS traffic passes through it.
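The following script is an added example, not part of the Staffcop documentation, showing how that verification can be done on either host. It checks three things: that strongSwan reports an ESTABLISHED IKE SA and an INSTALLED transport-mode child SA for the connection, that the kernel holds ESP policies for both directions between the two /32 addresses, and that the ESP byte counters grow when NFS is used. The sample command outputs embedded below are constructed to resemble `ipsec statusall`, `ip xfrm policy` and `ip -s xfrm state`, and the addresses 192.0.2.10 (Staffcop server) and 192.0.2.20 (file scanner) are hypothetical; on a live host pass the real command output to the functions instead.

```shell
#!/bin/sh
# Added example (not from the Staffcop docs): post-setup checks that the IPsec
# SAs are up and that NFS traffic is actually carried inside ESP.
# The three SAMPLE_* strings are constructed stand-ins for live command output,
# e.g. on a real host:  tunnel_established nfs-to-client "$(sudo ipsec statusall)"

# Constructed sample of `sudo ipsec statusall` on the Staffcop server.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
nfs-to-client[1]: ESTABLISHED 5 minutes ago, 192.0.2.10[192.0.2.10]...192.0.2.20[192.0.2.20]
nfs-to-client{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c1234567_i c7654321_o
nfs-to-client{1}:   192.0.2.10/32 === 192.0.2.20/32'

# Constructed sample of `sudo ip xfrm policy` on the same host.
SAMPLE_POLICY='src 192.0.2.10/32 dst 192.0.2.20/32
        dir out priority 367231 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.0.2.20/32 dst 192.0.2.10/32
        dir in priority 367231 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport'

# Constructed (abridged) sample of `sudo ip -s xfrm state`.
SAMPLE_STATE='src 192.0.2.10 dst 192.0.2.20
        proto esp spi 0xc7654321 reqid 1 mode transport
        lifetime current:
          1536(bytes), 12(packets)
src 192.0.2.20 dst 192.0.2.10
        proto esp spi 0xc1234567 reqid 1 mode transport
        lifetime current:
          2560(bytes), 20(packets)'

# tunnel_established CONN STATUSALL_OUTPUT
# Returns 0 when CONN has an ESTABLISHED IKE SA and an INSTALLED child SA in
# TRANSPORT mode (matching type=transport in ipsec.conf), otherwise 1.
tunnel_established() {
    conn=$1; status=$2
    printf '%s\n' "$status" | grep -qE "^$conn\[[0-9]+\]: ESTABLISHED" || return 1
    printf '%s\n' "$status" | grep -qE "^$conn\{[0-9]+\}:  INSTALLED, TRANSPORT" || return 1
    return 0
}

# policy_covers LOCAL_IP PEER_IP XFRM_POLICY_OUTPUT
# Returns 0 when the kernel holds both an outbound (LOCAL->PEER) and an inbound
# (PEER->LOCAL) ESP transport-mode policy for the /32 pair. Without both, NFS
# packets in one direction would leave or arrive at the host in clear text.
policy_covers() {
    printf '%s\n' "$3" | awk -v l="$1/32" -v p="$2/32" '
        $1 == "src"        { src = $2; dst = $4; dir = "" }
        $1 == "dir"        { dir = $2 }
        /mode transport/   {
            if (dir == "out" && src == l && dst == p) out_ok = 1
            if (dir == "in"  && src == p && dst == l) in_ok = 1
        }
        END { exit (out_ok && in_ok) ? 0 : 1 }'
}

# esp_bytes XFRM_STATE_OUTPUT
# Prints the total bytes carried by all ESP SAs. Record it, run an NFS
# operation (e.g. list the mounted export), record it again: the total must
# grow, otherwise NFS traffic is bypassing IPsec.
esp_bytes() {
    printf '%s\n' "$1" | awk '
        /lifetime current:/ {
            if ((getline) > 0) {          # next line: "N(bytes), M(packets)"
                sub(/\(bytes\).*/, "", $1)
                total += $1
            }
        }
        END { print total + 0 }'
}

if tunnel_established nfs-to-client "$SAMPLE_STATUS" \
   && policy_covers 192.0.2.10 192.0.2.20 "$SAMPLE_POLICY"; then
    echo "tunnel up; ESP bytes so far: $(esp_bytes "$SAMPLE_STATE")"
else
    echo "tunnel NOT protecting NFS traffic" >&2
fi
```

On the file scanner server the same checks apply with the connection name nfs-to-server and the local/peer addresses swapped. A byte counter that stays flat while NFS is active is the symptom to look for: it means the policies do not match the addresses NFS actually uses (for example, the mount was made over a different interface).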

Last Updated: 24.03.26