[Swan-dev] Integrating Libreswan for IKEv2 and IPsec
Balaji Thoguluva
tbbalaji at gmail.com
Sat May 23 17:23:21 UTC 2020
Hi Paul,
Thanks for the continued support.
I have integrated Libreswan source code with my Linux-based project and
integrated binaries of the Libreswan's dependencies and I am able to build
the project.
Can I access the ipsec executable in the built Linux project? If so, where
does the ipsec executable typically reside? I could not find it under
/usr/sbin, /usr/libexec/ipsec.
Any suggestions.
Thanks,
Balaji
On Mon, May 18, 2020 at 3:05 PM Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>
> > I have some general security-policies that just allow the traffic to
> pass through the system (i.e., no IPsec is applied to those traffic). Say
> for example, allow all traffic
> > of of certain source and destination IP and source and destination port
> as 5060 (SIP traffic) not processed by IPsec.
> >
> > In that case, how do I convey this security-policy behavior to Libreswan
> via the script? What parameters need to be configured? Should I create a
> separate connection section?
>
> I would still recommend you do not do this. Double encryption isn't the
> worst these days. Excluding will allow people to see things even if not
> encrypted. For example, TLS still leaks SNI in cleartext.
>
> That said, you can simply create the exceptions by doing:
>
> Individual conn solutions:
>
> conn skip-tls-out
> left=%defaultroute
> right=0.0.0.0
> leftprotoport=tcp/0
> rightprotoport=tcp/443
> authby=never
> auto=route
>
> You would do something similar but flipped for incoming TLS. If there is
> a mismatch of these between hosts, all communication will fail because
> whoever does not have the "cleartext hole" will drop the received clear
> text traffic.
>
> Mesh solution:
>
> When using mesh encryption (Oportunistic IPsec), you can also specify
> the nodes for specific "clear" using protocols and ports. In general,
> longest prefix first wins with these type of rule matchines
>
> # /etc/ipsec.d/policies/private
> 10.0.0.0/8
>
> # /etc/ipsec.d/policies/clear
> 10.0.0.0/24 tcp 0 443
> 1.0.0.0/0 tcp 443 0
>
>
> Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200523/6d6b6f4e/attachment.html>
More information about the Swan-dev
mailing list