[Swan-dev] Integrating Libreswan for IKEv2 and IPsec

[Paul Wouters]

On Mon, 18 May 2020, Balaji Thoguluva wrote:

> I have some general security-policies that just allow the traffic to pass through the system (i.e., no IPsec is applied to those traffic). Say for example, allow all traffic
> of of certain source and destination IP and source and destination port as 5060 (SIP traffic) not processed by IPsec. 
> 
> In that case, how do I convey this security-policy behavior to Libreswan via the script? What parameters need to be configured? Should I create a separate connection section?

I would still recommend you do not do this. Double encryption isn't the
worst these days. Excluding will allow people to see things even if not
encrypted. For example, TLS still leaks SNI in cleartext.

That said, you can simply create the exceptions by doing:

Individual conn solutions:

conn skip-tls-out
 	left=%defaultroute
 	right=0.0.0.0
 	leftprotoport=tcp/0
 	rightprotoport=tcp/443
 	authby=never
 	auto=route

You would do something similar but flipped for incoming TLS. If there is
a mismatch of these between hosts, all communication will fail because
whoever does not have the "cleartext hole" will drop the received clear
text traffic.

Mesh solution:

When using mesh encryption (Oportunistic IPsec), you can also specify
the nodes for specific "clear" using protocols and ports. In general,
longest prefix first wins with these type of rule matchines

# /etc/ipsec.d/policies/private
10.0.0.0/8

# /etc/ipsec.d/policies/clear
10.0.0.0/24  tcp  0  443
1.0.0.0/0    tcp  443  0


Paul