[Swan-dev] Integrating Libreswan for IKEv2 and IPsec
Balaji Thoguluva
tbbalaji at gmail.com
Tue May 26 19:01:03 UTC 2020
Thanks Paul.
Another question.
I have integrated Libreswan source code and its dependent binaries to my
Linux based project. Please note that the Linux OS I have is not a
full-blown OS but a stripped down version with limited features.
When I try to invoke pluto like this,
~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
--stderrlog
Pluto initialized
May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d
May 26 18:22:44.640085: Initializing NSS
May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d" read-only
May 26 18:22:44.749626: NSS initialized
May 26 18:22:44.749643: NSS crypto library initialized
May 26 18:22:44.749649: FIPS HMAC integrity support [disabled]
May 26 18:22:44.749770: libcap-ng support [enabled]
May 26 18:22:44.749778: Linux audit support [disabled]
May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25 XFRM(netkey)
FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445
May 26 18:22:44.749792: core dump dir: /run/pluto
May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets
May 26 18:22:44.749808: leak-detective disabled
May 26 18:22:44.749814: NSS crypto [enabled]
May 26 18:22:44.749819: XAUTH PAM support [disabled]
May 26 18:22:44.749926: NAT-Traversal support [enabled]
May 26 18:22:44.749958: Initializing libevent in pthreads mode: headers:
2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
May 26 18:22:44.750135: Encryption algorithms:
May 26 18:22:44.750148: AES_CCM_16 IKEv1: ESP IKEv2:
ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
May 26 18:22:44.750156: AES_CCM_12 IKEv1: ESP IKEv2:
ESP FIPS {256,192,*128} (aes_ccm_b)
May 26 18:22:44.750164: AES_CCM_8 IKEv1: ESP IKEv2:
ESP FIPS {256,192,*128} (aes_ccm_a)
May 26 18:22:44.750174: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE
ESP FIPS [*192] (3des)
May 26 18:22:44.750182: CAMELLIA_CTR IKEv1: ESP IKEv2:
ESP {256,192,*128}
May 26 18:22:44.750190: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} (camellia)
May 26 18:22:44.750198: AES_GCM_16 IKEv1: ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
May 26 18:22:44.750206: AES_GCM_12 IKEv1: ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes_gcm_b)
May 26 18:22:44.750213: AES_GCM_8 IKEv1: ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes_gcm_a)
May 26 18:22:44.750224: AES_CTR IKEv1: IKE ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aesctr)
May 26 18:22:44.750231: AES_CBC IKEv1: IKE ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes)
May 26 18:22:44.750240: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} (serpent)
May 26 18:22:44.750248: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} (twofish)
May 26 18:22:44.750255: TWOFISH_SSH IKEv1: IKE IKEv2: IKE
ESP {256,192,*128} (twofish_cbc_ssh)
May 26 18:22:44.750262: CAST_CBC IKEv1: ESP IKEv2:
ESP {*128} (cast)
May 26 18:22:44.750280: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2:
ESP {256,192,*128} (aes_gmac)
May 26 18:22:44.750287: NULL IKEv1: ESP IKEv2:
ESP []
May 26 18:22:44.750298: Hash algorithms:
May 26 18:22:44.750304: MD5 IKEv1: IKE
IKEv2:
May 26 18:22:44.750311: SHA1 IKEv1: IKE
IKEv2: FIPS (sha)
May 26 18:22:44.750325: SHA2_256 IKEv1: IKE
IKEv2: FIPS (sha2 sha256)
May 26 18:22:44.750333: SHA2_384 IKEv1: IKE
IKEv2: FIPS (sha384)
May 26 18:22:44.750340: SHA2_512 IKEv1: IKE
IKEv2: FIPS (sha512)
May 26 18:22:44.750354: PRF algorithms:
May 26 18:22:44.750360: HMAC_MD5 IKEv1: IKE IKEv2:
IKE (md5)
May 26 18:22:44.750369: HMAC_SHA1 IKEv1: IKE IKEv2:
IKE FIPS (sha sha1)
May 26 18:22:44.750377: HMAC_SHA2_256 IKEv1: IKE IKEv2:
IKE FIPS (sha2 sha256 sha2_256)
May 26 18:22:44.750383: HMAC_SHA2_384 IKEv1: IKE IKEv2:
IKE FIPS (sha384 sha2_384)
May 26 18:22:44.750389: HMAC_SHA2_512 IKEv1: IKE IKEv2:
IKE FIPS (sha512 sha2_512)
May 26 18:22:44.750396: AES_XCBC IKEv1: IKEv2:
IKE FIPS (aes128_xcbc)
May 26 18:22:44.750411: Integrity algorithms:
May 26 18:22:44.750420: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH (md5 hmac_md5)
May 26 18:22:44.750426: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
May 26 18:22:44.750432: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
May 26 18:22:44.750439: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
May 26 18:22:44.750447: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
May 26 18:22:44.750453: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE
ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
May 26 18:22:44.750460: AES_CMAC_96 IKEv1: ESP AH IKEv2:
ESP AH FIPS (aes_cmac)
May 26 18:22:44.750466: NONE IKEv1: ESP IKEv2:
ESP FIPS (null)
May 26 18:22:44.750491: DH algorithms:
May 26 18:22:44.750499: NONE IKEv1: IKEv2: IKE
ESP AH (null dh0)
May 26 18:22:44.750506: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH (dh2)
May 26 18:22:44.750513: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH (dh5)
May 26 18:22:44.750527: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh14)
May 26 18:22:44.750534: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh15)
May 26 18:22:44.750540: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh16)
May 26 18:22:44.750546: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh17)
May 26 18:22:44.750552: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh18)
May 26 18:22:44.750559: DH19 IKEv1: IKE IKEv2: IKE
ESP AH FIPS (ecp_256)
May 26 18:22:44.750566: DH20 IKEv1: IKE IKEv2: IKE
ESP AH FIPS (ecp_384)
May 26 18:22:44.750574: DH21 IKEv1: IKE IKEv2: IKE
ESP AH FIPS (ecp_521)
May 26 18:22:44.750579: DH23 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS
May 26 18:22:44.750586: DH24 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS
May 26 18:22:44.755598: starting up 7 crypto helpers
May 26 18:22:44.755652: started thread for crypto helper 0
May 26 18:22:44.755655: seccomp security for crypto helper not supported
May 26 18:22:44.755689: started thread for crypto helper 1
May 26 18:22:44.755704: seccomp security for crypto helper not supported
May 26 18:22:44.755721: started thread for crypto helper 2
May 26 18:22:44.755723: seccomp security for crypto helper not supported
May 26 18:22:44.755761: seccomp security for crypto helper not supported
May 26 18:22:44.755761: started thread for crypto helper 3
May 26 18:22:44.755798: started thread for crypto helper 4
May 26 18:22:44.755799: seccomp security for crypto helper not supported
May 26 18:22:44.755836: seccomp security for crypto helper not supported
May 26 18:22:44.755836: started thread for crypto helper 5
May 26 18:22:44.755884: started thread for crypto helper 6
May 26 18:22:44.755885: seccomp security for crypto helper not supported
May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code on
4.14.35
May 26 18:22:44.927272: seccomp security not supported
May 26 18:22:44.929155: added connection description "radius"
May 26 18:22:44.929200: listening for IKE messages
May 26 18:22:44.929229: FATAL ERROR: bind() failed in find_raw_ifaces4().
Errno 98: Address already in use
May 26 18:22:44.929240: "radius": deleting non-instance connection
connect(pluto_ctl) failed: No such file or directory
~ #
I have the following conf file at /etc/ipsec.d/radius.conf
conn radius
left=10.196.175.174
leftid=10.196.175.174
leftsubnet=10.196.175.174/32
right=10.196.172.114
rightid=10.196.172.114
rightsubnet=10.196.172.114/32
auto=start
10.196.172.114 is my local Linux interface and 10.196.175.174 is my peer IP
address where I want to establish an IKE connection to.
~ # netstat -an | grep 500
udp 0 0 172.16.20.62:500 0.0.0.0:*
udp 0 0 127.0.0.1:45006 0.0.0.0:*
udp 0 0 172.16.20.62:4500 0.0.0.0:*
unix 2 [ ] DGRAM 50035
~ # netstat -an | grep 4500
udp 0 0 127.0.0.1:45006 0.0.0.0:*
udp 0 0 172.16.20.62:4500 0.0.0.0:*
~ #
I don't see any other application binding to this port from 10.196.172.114
address.
Any idea on what I am missing here?
Also a related question, if I plan to use VLAN on the network interface in
future, where do I specify the vlan-id in the Libreswan configuration?
Thanks,
Balaji
On Sat, May 23, 2020 at 11:09 PM Paul Wouters <paul at nohats.ca> wrote:
> Normally, only the “ipsec” command is in a system sbin directory. All sub
> commands, like “ipsec pluto” or “ipsec auto” are in the libexec/ipsec
> directory. Those starting with an underscore are deemed “internal only” and
> should not be called by humans.
>
> Sent from my iPhone
>
> On May 23, 2020, at 21:29, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>
>
> Please ignore my question in my previous email. I found that it is in
> /usr/local/sbin.
>
> Thanks,
> Balaji
>
> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <tbbalaji at gmail.com>
> wrote:
>
>> Hi Paul,
>>
>> Thanks for the continued support.
>>
>> I have integrated Libreswan source code with my Linux-based project and
>> integrated binaries of the Libreswan's dependencies and I am able to build
>> the project.
>>
>> Can I access the ipsec executable in the built Linux project? If so,
>> where does the ipsec executable typically reside? I could not find it under
>> /usr/sbin, /usr/libexec/ipsec.
>>
>> Any suggestions.
>>
>> Thanks,
>> Balaji
>>
>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <paul at nohats.ca> wrote:
>>
>>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>>>
>>> > I have some general security-policies that just allow the traffic to
>>> pass through the system (i.e., no IPsec is applied to those traffic). Say
>>> for example, allow all traffic
>>> > of of certain source and destination IP and source and destination
>>> port as 5060 (SIP traffic) not processed by IPsec.
>>> >
>>> > In that case, how do I convey this security-policy behavior to
>>> Libreswan via the script? What parameters need to be configured? Should I
>>> create a separate connection section?
>>>
>>> I would still recommend you do not do this. Double encryption isn't the
>>> worst these days. Excluding will allow people to see things even if not
>>> encrypted. For example, TLS still leaks SNI in cleartext.
>>>
>>> That said, you can simply create the exceptions by doing:
>>>
>>> Individual conn solutions:
>>>
>>> conn skip-tls-out
>>> left=%defaultroute
>>> right=0.0.0.0
>>> leftprotoport=tcp/0
>>> rightprotoport=tcp/443
>>> authby=never
>>> auto=route
>>>
>>> You would do something similar but flipped for incoming TLS. If there is
>>> a mismatch of these between hosts, all communication will fail because
>>> whoever does not have the "cleartext hole" will drop the received clear
>>> text traffic.
>>>
>>> Mesh solution:
>>>
>>> When using mesh encryption (Oportunistic IPsec), you can also specify
>>> the nodes for specific "clear" using protocols and ports. In general,
>>> longest prefix first wins with these type of rule matchines
>>>
>>> # /etc/ipsec.d/policies/private
>>> 10.0.0.0/8
>>>
>>> # /etc/ipsec.d/policies/clear
>>> 10.0.0.0/24 tcp 0 443
>>> 1.0.0.0/0 tcp 443 0
>>>
>>>
>>> Paul
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200526/f5f0b72e/attachment-0001.html>
More information about the Swan-dev
mailing list