[Swan-dev] Integrating Libreswan for IKEv2 and IPsec

Balaji Thoguluva tbbalaji at gmail.com
Sat May 16 17:38:13 UTC 2020


Thanks Paul for the information.

On Mon, May 11, 2020 at 1:29 PM Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 11 May 2020, Balaji Thoguluva wrote:
>
> > I am a newbie to Libreswan. I am working on a Linux based application
> > project where we need IKEv2 and IPsec stack to support sending traffic over
> > IKEv2/IPsec established tunnel.
> >
> > Do you have some guidelines or detailed steps on how to
> > 1. Initialize and integrate the Libreswan stack with the application
> > (user-space of Linux)
>
> What do you mean with "libreswan stack"?
>
> There are two ways to initiate tunnels. One is packet triggered, and one
> is command triggered. The packet trigger works if your connection has
> been loaded using the auto=start keyword in the connection configuration
> file (the "conn" section). To bring defined connections in connection
> files up using a command, you can use the "ipsec auto --up" and "ipsec
> auto --down" commands. A more low level command is "ipsec whack", which
> is basically an (undocumented internal only) API using a socket in
> /run/pluto/pluto.ctl with the message format defined in whack.h
>
> > 2. any documents on Libreswan API's and how to trigger IKEv2 negotiation
> > from the application via Libreswan, how to install SA's and SPD's via
> > Libreswan to Linux etc.
>
> If you can do it packet triggered, that is the best way. It requires no
> modification of your application. If you want to specifically trigger
> it, and the connections are fairly static with respect to configuration,
> use the ipsec auto command. If you are looking at large scale mesh
> deployment, look at "opportunistic IPsec".
>
> You should not need to install IPsec SA's or IPsec SPD's in the kernel
> manually. All of that is handled by libreswan's IKE daemon pluto.
>
> See further:
>
> https://libreswan.org/wiki/Configuration_examples
>
> https://libreswan.org/man/
>
> You need to decide what to use for authentication, PSK or raw public
> keys or certificates. Depending on that choice, you might need to
> look into the integration of libreswan with NSS for certificate
> handling: https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
>
> Opportunistic IPsec for enterprise mesh:
> https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
>
> To integrate tunnel status in your application, you can use "ipsec
> trafficstatus"
>
> Paul
>
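An application-side wrapper for the command-triggered path Paul describes, added here as an example and not code from the libreswan project: it brings a pre-loaded conn up with `ipsec auto --up` and reads the resulting SA back out of `ipsec trafficstatus`, leaving SA and SPD installation to pluto. The conn name, the sample status line and the exact field layout of the trafficstatus output are assumptions.

```shell
#!/bin/sh
# Added example (not libreswan project code): the application asks pluto to
# bring a pre-loaded conn up and reads the resulting IPsec SA back from
# "ipsec trafficstatus". Assumes the conn is loaded (auto=add) and pluto runs.

# Constructed sample of one "ipsec trafficstatus" line; the real layout of
# the fields is an assumption modelled on libreswan's output.
SAMPLE_STATUS="006 #2: \"app-tunnel\", type=ESP, add_time=1589650000, inBytes=1024, outBytes=2048, id='@east'"

# sa_bytes CONN STATUS_TEXT
# Prints "inBytes outBytes" for CONN's established SA and returns 0;
# returns 1 when no SA line for CONN is present (tunnel not up).
sa_bytes() {
    conn="$1"
    status="$2"
    printf '%s\n' "$status" | awk -v conn="$conn" '
        $0 ~ ("\"" conn "\"") {
            ib = ""; ob = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^inBytes=/)  { sub(/^inBytes=/,  "", $i); sub(/,$/, "", $i); ib = $i }
                if ($i ~ /^outBytes=/) { sub(/^outBytes=/, "", $i); sub(/,$/, "", $i); ob = $i }
            }
            if (ib != "" && ob != "") { print ib, ob; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# bring_up_and_wait CONN [TRIES]
# Command-triggered start: "ipsec auto --up" normally returns once the IKEv2
# exchange has finished; the poll covers the case where the SA is not yet
# visible in trafficstatus. The application never touches SAs or SPDs itself.
bring_up_and_wait() {
    conn="$1"
    tries="${2:-10}"
    ipsec auto --up "$conn" || return 1
    while [ "$tries" -gt 0 ]; do
        if sa_bytes "$conn" "$(ipsec trafficstatus)" >/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Tear the tunnel down again with the matching command trigger.
bring_down() {
    ipsec auto --down "$1"
}
```

For a conn loaded with auto=start the packet trigger brings the tunnel up without any of this; only sa_bytes is then still useful for reporting status.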

