[Swan-dev] Integrating Libreswan for IKEv2 and IPsec
Paul Wouters
paul at nohats.ca
Mon May 18 19:05:40 UTC 2020
On Mon, 18 May 2020, Balaji Thoguluva wrote:
> I have some general security-policies that just allow the traffic to pass through the system (i.e., no IPsec is applied to that traffic). Say for example, allow all traffic
> of certain source and destination IP and source and destination port as 5060 (SIP traffic) not processed by IPsec.
>
> In that case, how do I convey this security-policy behavior to Libreswan via the script? What parameters need to be configured? Should I create a separate connection section?
I would still recommend you do not do this. Double encryption isn't the
worst these days. Excluding will allow people to see things even if not
encrypted. For example, TLS still leaks SNI in cleartext.
That said, you can simply create the exceptions by doing:
Individual conn solution:

conn skip-tls-out
	left=%defaultroute
	right=0.0.0.0
	leftprotoport=tcp/0
	rightprotoport=tcp/443
	authby=never
	auto=route

You would do something similar but flipped for incoming TLS. If there is
a mismatch of these between hosts, all communication will fail because
whoever does not have the "cleartext hole" will drop the received clear
text traffic.
Mesh solution:

When using mesh encryption (Opportunistic IPsec), you can also specify
the nodes for specific "clear" using protocols and ports. In general,
longest prefix first wins with these types of rule matching:

# /etc/ipsec.d/policies/private
10.0.0.0/8
# /etc/ipsec.d/policies/clear
10.0.0.0/24 tcp 0 443
1.0.0.0/0 tcp 443 0
Paul
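As an added illustration of the "longest prefix first wins" rule for the policy files above (not Libreswan's own code or matching logic, and not part of the original post), the following script parses constructed sample contents for /etc/ipsec.d/policies/private and /etc/ipsec.d/policies/clear and reports which group a given flow falls into. It assumes, as a simplified model, that the address being matched is the remote peer, that a port of 0 means "any port", and that when two entries have the same prefix length the one with more protocol/port fields set wins; the protocol number table and the flow samples are likewise assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample contents for /etc/ipsec.d/policies/<group>, using the
# values from the post. Format per line: prefix [proto [sport dport]]; a
# port of 0 means "any port"; a bare prefix matches every protocol and port.
POLICY_FILES: Dict[str, str] = {
    "private": "10.0.0.0/8\n",
    "clear": "10.0.0.0/24 tcp 0 443\n1.0.0.0/0 tcp 443 0\n",
}

# Assumed protocol name table (only what the example needs).
PROTO_NUMBERS = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class PolicyEntry:
    group: str            # "private" or "clear" (the policy file name)
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: int = 0        # 0 = any protocol
    sport: int = 0        # 0 = any source port
    dport: int = 0        # 0 = any destination port

    def specificity(self) -> int:
        # Assumed tie-break: more constrained proto/port fields win when
        # two candidate entries have the same prefix length.
        return sum(1 for field in (self.proto, self.sport, self.dport) if field)


def parse_policy_files(files: Dict[str, str]) -> List[PolicyEntry]:
    """Parse {group: file_text} into PolicyEntry records."""
    entries: List[PolicyEntry] = []
    for group, text in files.items():
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            fields = line.split()
            # strict=False normalises host bits, e.g. "1.0.0.0/0" -> 0.0.0.0/0
            net = ipaddress.ip_network(fields[0], strict=False)
            proto = 0
            if len(fields) > 1:
                proto = PROTO_NUMBERS.get(fields[1].lower()) or int(fields[1])
            sport = int(fields[2]) if len(fields) > 2 else 0
            dport = int(fields[3]) if len(fields) > 3 else 0
            entries.append(PolicyEntry(group, net, proto, sport, dport))
    return entries


def lookup_policy(entries: List[PolicyEntry], remote: str,
                  proto: str, sport: int, dport: int) -> Optional[str]:
    """Return the winning group for a flow to/from `remote`, or None if no entry matches.

    Longest prefix wins; the assumed tie-break is the entry with more fields set.
    """
    addr = ipaddress.ip_address(remote)
    proto_num = PROTO_NUMBERS[proto.lower()]
    best = None
    for entry in entries:
        if addr.version != entry.network.version or addr not in entry.network:
            continue
        if entry.proto and entry.proto != proto_num:
            continue
        if entry.sport and entry.sport != sport:
            continue
        if entry.dport and entry.dport != dport:
            continue
        key = (entry.network.prefixlen, entry.specificity())
        if best is None or key > best[0]:
            best = (key, entry)
    return best[1].group if best else None


if __name__ == "__main__":
    policy = parse_policy_files(POLICY_FILES)
    # Constructed flows: (remote peer, proto, source port, destination port)
    for flow in [("10.0.0.5", "tcp", 40000, 443),   # inside the /24 exception
                 ("10.0.0.5", "tcp", 40000, 22),    # same host, not port 443
                 ("10.1.2.3", "tcp", 40000, 443),   # port 443 but outside the /24
                 ("192.0.2.9", "tcp", 443, 51000),  # matches the /0 "from 443" line
                 ("192.0.2.9", "tcp", 40000, 443)]: # no entry at all
        print(flow, "->", lookup_policy(policy, *flow))
```

Running this against a proposed policy set before deploying it is a quick way to confirm that an exception only carves out the flows you intend (here, only the 10.0.0.0/24 hosts get cleartext on port 443, while the rest of 10.0.0.0/8 stays private). Since the post warns that a mismatch between hosts makes communication fail, the same check run on each host's copy of the files should give identical answers for the same flows.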