[Swan-dev] Integrating Libreswan for IKEv2 and IPsec
paul at nohats.ca
Sun May 24 03:09:11 UTC 2020
Normally, only the “ipsec” command is in a system sbin directory. All sub commands, like “ipsec pluto” or “ipsec auto” are in the libexec/ipsec directory. Those starting with an underscore are deemed “internal only” and should not be called by humans.
Sent from my iPhone
> On May 23, 2020, at 21:29, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
> Please ignore my question in my previous email. I found that it is in /usr/local/sbin.
>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>> Hi Paul,
>> Thanks for the continued support.
>> I have integrated Libreswan source code with my Linux-based project and integrated binaries of the Libreswan's dependencies and I am able to build the project.
>> Can I access the ipsec executable in the built Linux project? If so, where does the ipsec executable typically reside? I could not find it under /usr/sbin, /usr/libexec/ipsec.
>> Any suggestions.
>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <paul at nohats.ca> wrote:
>>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>>> > I have some general security-policies that just allow the traffic to pass through the system (i.e., no IPsec is applied to those traffic). Say for example, allow all traffic
>>> > of of certain source and destination IP and source and destination port as 5060 (SIP traffic) not processed by IPsec.
>>> > In that case, how do I convey this security-policy behavior to Libreswan via the script? What parameters need to be configured? Should I create a separate connection section?
>>> I would still recommend you do not do this. Double encryption isn't the
>>> worst these days. Excluding will allow people to see things even if not
>>> encrypted. For example, TLS still leaks SNI in cleartext.
>>> That said, you can simply create the exceptions by doing:
>>> Individual conn solutions:
>>> conn skip-tls-out
>>> You would do something similar but flipped for incoming TLS. If there is
>>> a mismatch of these between hosts, all communication will fail because
>>> whoever does not have the "cleartext hole" will drop the received clear
>>> text traffic.
>>> Mesh solution:
>>> When using mesh encryption (Oportunistic IPsec), you can also specify
>>> the nodes for specific "clear" using protocols and ports. In general,
>>> longest prefix first wins with these type of rule matchines
>>> # /etc/ipsec.d/policies/private
>>> # /etc/ipsec.d/policies/clear
>>> 10.0.0.0/24 tcp 0 443
>>> 220.127.116.11/0 tcp 443 0
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan-dev