[Swan-dev] Integrating Libreswan for IKEv2 and IPsec
paul at nohats.ca
Mon May 11 17:29:14 UTC 2020
On Mon, 11 May 2020, Balaji Thoguluva wrote:
> I am a newbie to Libreswan. I am working on a Linux based application project where we need IKEv2 and IPsec stack to support sending traffic over IKEv2/IPsec established tunnel.
> Do you have some guidelines or detailed steps on how to
> 1. Initialize and integrate the Libreswan stack with the application (user-space of Linux)
What do you mean with "libreswan stack"?
There are two ways to initiate tunnels. One is packet triggered, and one
is command triggered. The packet trigger works if your conncetion has
been loaded using the auto=start keyword in the connection configuration
file (the "conn" section). To bring defined connections in connection
files up using a command, you can use the "ipsec auto --up" and "ipsec
auto --down" commands. A more low level command is "ipsec whack", which
is basically an (undocumented internal only) API using a socket in
/run/pluto/pluto.ctl with the message format defined in whack.h
> 2. any documents on Libreswan API's and how to trigger IKEv2 negotiation from the application via Libreswan, how to install SA's and SPD's via Libreswan to Linux etc.
If you can do it packet triggered, that is the best way. It requires no
modification of your application. If you want to specifically trigger
it, and the connections are fairly static with respect to configuration,
use the ipsec auto command. If you are looking at large scale mesh
dpeloyment, look at "opportunistic IPsec".
You should not need to install IPsec SA's or IPsec SPD's in the kernel
manually. All of that is handled by libreswan's IKE daemon pluto.
You need to decide what to use for authentication, PSK or raw public
keys or certificates. Depending on that choice, you might need to
look into the integration of libreswan with NSS for certificate
Opportunistic IPsec for enterprise mesh: https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
To integrate tunnel status in your application, you can use "ipsec trafficstatus"
More information about the Swan-dev