[Swan-dev] Integrating Libreswan for IKEv2 and IPsec
tbbalaji at gmail.com
Sun May 24 01:29:01 UTC 2020
Please ignore my question in my previous email. I found that it is in
On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:
> Hi Paul,
> Thanks for the continued support.
> I have integrated Libreswan source code with my Linux-based project and
> integrated binaries of the Libreswan's dependencies and I am able to build
> the project.
> Can I access the ipsec executable in the built Linux project? If so, where
> does the ipsec executable typically reside? I could not find it under
> /usr/sbin, /usr/libexec/ipsec.
> Any suggestions.
> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <paul at nohats.ca> wrote:
>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>> > I have some general security-policies that just allow the traffic to
>> pass through the system (i.e., no IPsec is applied to those traffic). Say
>> for example, allow all traffic
>> > of of certain source and destination IP and source and destination port
>> as 5060 (SIP traffic) not processed by IPsec.
>> > In that case, how do I convey this security-policy behavior to
>> Libreswan via the script? What parameters need to be configured? Should I
>> create a separate connection section?
>> I would still recommend you do not do this. Double encryption isn't the
>> worst these days. Excluding will allow people to see things even if not
>> encrypted. For example, TLS still leaks SNI in cleartext.
>> That said, you can simply create the exceptions by doing:
>> Individual conn solutions:
>> conn skip-tls-out
>> You would do something similar but flipped for incoming TLS. If there is
>> a mismatch of these between hosts, all communication will fail because
>> whoever does not have the "cleartext hole" will drop the received clear
>> text traffic.
>> Mesh solution:
>> When using mesh encryption (Oportunistic IPsec), you can also specify
>> the nodes for specific "clear" using protocols and ports. In general,
>> longest prefix first wins with these type of rule matchines
>> # /etc/ipsec.d/policies/private
>> # /etc/ipsec.d/policies/clear
>> 10.0.0.0/24 tcp 0 443
>> 18.104.22.168/0 tcp 443 0
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan-dev