I have cleaned up my racoon patches for the opportunistic encryption project at least a little bit. They are not complete (rekeying is not supported, for instance). I will of course continue to work on them. Without further ado, here's a first version:

ipseckey-20120130.patch.bz2

Apply them to racoon from ipsec-tools 0.8.0.

You can use them with this configuration file:

racoon-ipseckey.conf

Note that I override the use of "dnssec" authentication for my own purposes.

Please note well that these patches by themselves are enough to implement Scenario #2. However, Scenario #2 is likely vulnerable to a MitM attack. See a previous blog entry.

Of course, before using it you need to generate RSA key pairs for all nodes involved and insert the public key and the corresponding A or AAAA record into the proper DNS zone.

To generate a key, use:

% plainrsa-gen -b 4096 -f ipsec1.rsa

In the .rsa file you will find the public key in the commented out "pubkey" line. Insert that into your DNS zone without the first "0s" (which just marks it as BASE64). In BIND's zone format, it looks like this:

ipsec1                  IN      IPSECKEY ( 10 0 2
                                           .
                                           AQOqVjnhO/eQdETVCH7r2am7yUixEcWUgyffNhdmTigiLS7VZODtxC2ii3ySKEOD6ADxykvgn6KVotSYmSq2kNAdmbElkMl3stAHE+E327vSkX3vKR3/l23Wrrv0iUlJFm+5WK1TJC6jTkjH8Fc0j77mdATGfmWYC4MdONuPUDMeEaMu9/XJm+X0ZWfGG/q1158smfkwsRvKh1KZCJLuGYv+Y85kRnMwnejtQRpDMZbjNr8dtS90MR7kGgQIJ/ctgc//MRjpTo8NTWncDp9KKvuNcBxsPPL08YTF/BkcG60SeeKD1jqjdnY+VRFkrv3BO0WyFEib/fuxeA2FJLYMYOuGG3n1KKSLckD7B5AfNOKKME94f+glY65M8njVVAIKahufUzp+DIW9AgURxuAwNoCiRpS3i+sh7lY/dT5AzbZ8Ewl2jgsdX/neAXCiOWrSMUZGyARNcvAsOleRk93pb0y43FEU8f8OcS027p+ZbBHVbHYbLFEX6eg3NbJso3LTL6Gx8SxWX8W6KvBjFf7sWO4ehEcXPJXJ+lsY/UQfAbeFlUTicQd83+rVuuHfJvbxYWx0Sia6bERlKRSYTWT4FBwH3AwMTLQRskWasyBTbLbk1KHkUBZv4Ts5J+pGzAVsbPLINLnb5/lifjZdPGca6yn+5mbkKdjPSyV0ZHYfqiO4qQ==

ipsec1                  IN      AAAA    2001:16d8:ffff:1::3

Happy hacking,
MC