[Swan-dev] Integrating Libreswan for IKEv2 and IPsec
Balaji Thoguluva
tbbalaji at gmail.com
Tue May 26 19:52:53 UTC 2020
I attempted to specify the IP address explicitly as a command line
argument, but it still fails to bind for some reason. Am I running into
some permission issue?
~ # ifconfig
wancom0 Link encap:Ethernet HWaddr 00:08:25:A4:09:10
inet addr:10.196.172.114 Bcast:10.196.255.255 Mask:255.255.128.0
inet6 addr: fe80::208:25ff:fea4:910/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3871219 errors:0 dropped:1079 overruns:0 frame:0
TX packets:35917 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:260061626 (248.0 MiB) TX bytes:7536742 (7.1 MiB)
Memory:f7580000-f75fffff
~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
--stderrlog
--interface 10.196.172.114 --listen 10.196.172.114
May 26 19:21:26.049457: bind() will be filtered for 10.196.172.114
Pluto initialized
May 26 19:21:26.049752: NSS DB directory: sql:/etc/ipsec.d
May 26 19:21:26.049834: Initializing NSS
May 26 19:21:26.049846: Opening NSS database "sql:/etc/ipsec.d" read-only
May 26 19:21:26.129870: NSS initialized
May 26 19:21:26.129884: NSS crypto library initialized
May 26 19:21:26.129889: FIPS HMAC integrity support [disabled]
May 26 19:21:26.129971: libcap-ng support [enabled]
May 26 19:21:26.129982: Linux audit support [disabled]
May 26 19:21:26.129988: Starting Pluto (Libreswan Version 3.25 XFRM(netkey)
FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:13283
May 26 19:21:26.129994: core dump dir: /run/pluto
May 26 19:21:26.129999: secrets file: /etc/ipsec.secrets
May 26 19:21:26.130003: leak-detective disabled
May 26 19:21:26.130008: NSS crypto [enabled]
May 26 19:21:26.130011: XAUTH PAM support [disabled]
May 26 19:21:26.130058: NAT-Traversal support [enabled]
May 26 19:21:26.130077: Initializing libevent in pthreads mode: headers:
2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
May 26 19:21:26.130193: Encryption algorithms:
May 26 19:21:26.130201: AES_CCM_16 IKEv1: ESP IKEv2:
ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
May 26 19:21:26.130206: AES_CCM_12 IKEv1: ESP IKEv2:
ESP FIPS {256,192,*128} (aes_ccm_b)
May 26 19:21:26.130212: AES_CCM_8 IKEv1: ESP IKEv2:
ESP FIPS {256,192,*128} (aes_ccm_a)
May 26 19:21:26.130219: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE
ESP FIPS [*192] (3des)
May 26 19:21:26.130223: CAMELLIA_CTR IKEv1: ESP IKEv2:
ESP {256,192,*128}
May 26 19:21:26.130227: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} (camellia)
May 26 19:21:26.130231: AES_GCM_16 IKEv1: ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
May 26 19:21:26.130236: AES_GCM_12 IKEv1: ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes_gcm_b)
May 26 19:21:26.130239: AES_GCM_8 IKEv1: ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes_gcm_a)
May 26 19:21:26.130245: AES_CTR IKEv1: IKE ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aesctr)
May 26 19:21:26.130249: AES_CBC IKEv1: IKE ESP IKEv2: IKE
ESP FIPS {256,192,*128} (aes)
May 26 19:21:26.130253: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} (serpent)
May 26 19:21:26.130259: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} (twofish)
May 26 19:21:26.130263: TWOFISH_SSH IKEv1: IKE IKEv2: IKE
ESP {256,192,*128} (twofish_cbc_ssh)
May 26 19:21:26.130267: CAST_CBC IKEv1: ESP IKEv2:
ESP {*128} (cast)
May 26 19:21:26.130272: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2:
ESP {256,192,*128} (aes_gmac)
May 26 19:21:26.130275: NULL IKEv1: ESP IKEv2:
ESP []
May 26 19:21:26.130281: Hash algorithms:
May 26 19:21:26.130285: MD5 IKEv1: IKE
IKEv2:
May 26 19:21:26.130289: SHA1 IKEv1: IKE
IKEv2: FIPS (sha)
May 26 19:21:26.130292: SHA2_256 IKEv1: IKE
IKEv2: FIPS (sha2 sha256)
May 26 19:21:26.130295: SHA2_384 IKEv1: IKE
IKEv2: FIPS (sha384)
May 26 19:21:26.130299: SHA2_512 IKEv1: IKE
IKEv2: FIPS (sha512)
May 26 19:21:26.130307: PRF algorithms:
May 26 19:21:26.130310: HMAC_MD5 IKEv1: IKE IKEv2:
IKE (md5)
May 26 19:21:26.130314: HMAC_SHA1 IKEv1: IKE IKEv2:
IKE FIPS (sha sha1)
May 26 19:21:26.130317: HMAC_SHA2_256 IKEv1: IKE IKEv2:
IKE FIPS (sha2 sha256 sha2_256)
May 26 19:21:26.130321: HMAC_SHA2_384 IKEv1: IKE IKEv2:
IKE FIPS (sha384 sha2_384)
May 26 19:21:26.130325: HMAC_SHA2_512 IKEv1: IKE IKEv2:
IKE FIPS (sha512 sha2_512)
May 26 19:21:26.130328: AES_XCBC IKEv1: IKEv2:
IKE FIPS (aes128_xcbc)
May 26 19:21:26.130338: Integrity algorithms:
May 26 19:21:26.130342: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH (md5 hmac_md5)
May 26 19:21:26.130346: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
May 26 19:21:26.130350: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
May 26 19:21:26.130354: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
May 26 19:21:26.130358: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
May 26 19:21:26.130363: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE
ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
May 26 19:21:26.130366: AES_CMAC_96 IKEv1: ESP AH IKEv2:
ESP AH FIPS (aes_cmac)
May 26 19:21:26.130370: NONE IKEv1: ESP IKEv2:
ESP FIPS (null)
May 26 19:21:26.130379: DH algorithms:
May 26 19:21:26.130382: NONE IKEv1: IKEv2: IKE
ESP AH (null dh0)
May 26 19:21:26.130386: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH (dh2)
May 26 19:21:26.130389: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH (dh5)
May 26 19:21:26.130393: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh14)
May 26 19:21:26.130396: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh15)
May 26 19:21:26.130400: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh16)
May 26 19:21:26.130403: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh17)
May 26 19:21:26.130407: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS (dh18)
May 26 19:21:26.130411: DH19 IKEv1: IKE IKEv2: IKE
ESP AH FIPS (ecp_256)
May 26 19:21:26.130414: DH20 IKEv1: IKE IKEv2: IKE
ESP AH FIPS (ecp_384)
May 26 19:21:26.130418: DH21 IKEv1: IKE IKEv2: IKE
ESP AH FIPS (ecp_521)
May 26 19:21:26.130422: DH23 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS
May 26 19:21:26.130425: DH24 IKEv1: IKE ESP AH IKEv2: IKE
ESP AH FIPS
May 26 19:21:26.132693: starting up 7 crypto helpers
May 26 19:21:26.132724: started thread for crypto helper 0
May 26 19:21:26.132740: started thread for crypto helper 1
May 26 19:21:26.132744: seccomp security for crypto helper not supported
May 26 19:21:26.132756: started thread for crypto helper 2
May 26 19:21:26.132762: seccomp security for crypto helper not supported
May 26 19:21:26.132794: started thread for crypto helper 3
May 26 19:21:26.132796: seccomp security for crypto helper not supported
May 26 19:21:26.132814: started thread for crypto helper 4
May 26 19:21:26.132758: seccomp security for crypto helper not supported
May 26 19:21:26.133265: started thread for crypto helper 5
May 26 19:21:26.133267: seccomp security for crypto helper not supported
May 26 19:21:26.133292: started thread for crypto helper 6
May 26 19:21:26.133296: seccomp security for crypto helper not supported
May 26 19:21:26.133320: Using Linux XFRM/NETKEY IPsec interface code on
4.14.35
May 26 19:21:26.132829: seccomp security for crypto helper not supported
May 26 19:21:26.266276: seccomp security not supported
May 26 19:21:26.267538: added connection description "radius"
May 26 19:21:26.267588: listening for IKE messages
May 26 19:21:26.267609: FATAL ERROR: bind() failed in find_raw_ifaces4().
Errno 98: Address already in use
May 26 19:21:26.267619: "radius": deleting non-instance connection
connect(pluto_ctl) failed: No such file or directory
~ #
Thanks,
Balaji
On Tue, May 26, 2020 at 3:01 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:
> Thanks Paul.
>
> Another question.
>
> I have integrated Libreswan source code and its dependent binaries to my
> Linux based project. Please note that the Linux OS I have is not a
> full-blown OS but a stripped down version with limited features.
>
> When I try to invoke pluto like this,
>
> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
> --stderrlog
> Pluto initialized
> May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d
> May 26 18:22:44.640085: Initializing NSS
> May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d" read-only
> May 26 18:22:44.749626: NSS initialized
> May 26 18:22:44.749643: NSS crypto library initialized
> May 26 18:22:44.749649: FIPS HMAC integrity support [disabled]
> May 26 18:22:44.749770: libcap-ng support [enabled]
> May 26 18:22:44.749778: Linux audit support [disabled]
> May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25
> XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445
> May 26 18:22:44.749792: core dump dir: /run/pluto
> May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets
> May 26 18:22:44.749808: leak-detective disabled
> May 26 18:22:44.749814: NSS crypto [enabled]
> May 26 18:22:44.749819: XAUTH PAM support [disabled]
> May 26 18:22:44.749926: NAT-Traversal support [enabled]
> May 26 18:22:44.749958: Initializing libevent in pthreads mode: headers:
> 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
> May 26 18:22:44.750135: Encryption algorithms:
> May 26 18:22:44.750148: AES_CCM_16 IKEv1: ESP
> IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
> May 26 18:22:44.750156: AES_CCM_12 IKEv1: ESP
> IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
> May 26 18:22:44.750164: AES_CCM_8 IKEv1: ESP
> IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
> May 26 18:22:44.750174: 3DES_CBC IKEv1: IKE ESP IKEv2:
> IKE ESP FIPS [*192] (3des)
> May 26 18:22:44.750182: CAMELLIA_CTR IKEv1: ESP
> IKEv2: ESP {256,192,*128}
> May 26 18:22:44.750190: CAMELLIA_CBC IKEv1: IKE ESP IKEv2:
> IKE ESP {256,192,*128} (camellia)
> May 26 18:22:44.750198: AES_GCM_16 IKEv1: ESP IKEv2:
> IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
> May 26 18:22:44.750206: AES_GCM_12 IKEv1: ESP IKEv2:
> IKE ESP FIPS {256,192,*128} (aes_gcm_b)
> May 26 18:22:44.750213: AES_GCM_8 IKEv1: ESP IKEv2:
> IKE ESP FIPS {256,192,*128} (aes_gcm_a)
> May 26 18:22:44.750224: AES_CTR IKEv1: IKE ESP IKEv2:
> IKE ESP FIPS {256,192,*128} (aesctr)
> May 26 18:22:44.750231: AES_CBC IKEv1: IKE ESP IKEv2:
> IKE ESP FIPS {256,192,*128} (aes)
> May 26 18:22:44.750240: SERPENT_CBC IKEv1: IKE ESP IKEv2:
> IKE ESP {256,192,*128} (serpent)
> May 26 18:22:44.750248: TWOFISH_CBC IKEv1: IKE ESP IKEv2:
> IKE ESP {256,192,*128} (twofish)
> May 26 18:22:44.750255: TWOFISH_SSH IKEv1: IKE IKEv2:
> IKE ESP {256,192,*128} (twofish_cbc_ssh)
> May 26 18:22:44.750262: CAST_CBC IKEv1: ESP
> IKEv2: ESP {*128} (cast)
> May 26 18:22:44.750280: NULL_AUTH_AES_GMAC IKEv1: ESP
> IKEv2: ESP {256,192,*128} (aes_gmac)
> May 26 18:22:44.750287: NULL IKEv1: ESP
> IKEv2: ESP []
> May 26 18:22:44.750298: Hash algorithms:
> May 26 18:22:44.750304: MD5 IKEv1: IKE
> IKEv2:
> May 26 18:22:44.750311: SHA1 IKEv1: IKE
> IKEv2: FIPS (sha)
> May 26 18:22:44.750325: SHA2_256 IKEv1: IKE
> IKEv2: FIPS (sha2 sha256)
> May 26 18:22:44.750333: SHA2_384 IKEv1: IKE
> IKEv2: FIPS (sha384)
> May 26 18:22:44.750340: SHA2_512 IKEv1: IKE
> IKEv2: FIPS (sha512)
> May 26 18:22:44.750354: PRF algorithms:
> May 26 18:22:44.750360: HMAC_MD5 IKEv1: IKE IKEv2:
> IKE (md5)
> May 26 18:22:44.750369: HMAC_SHA1 IKEv1: IKE IKEv2:
> IKE FIPS (sha sha1)
> May 26 18:22:44.750377: HMAC_SHA2_256 IKEv1: IKE IKEv2:
> IKE FIPS (sha2 sha256 sha2_256)
> May 26 18:22:44.750383: HMAC_SHA2_384 IKEv1: IKE IKEv2:
> IKE FIPS (sha384 sha2_384)
> May 26 18:22:44.750389: HMAC_SHA2_512 IKEv1: IKE IKEv2:
> IKE FIPS (sha512 sha2_512)
> May 26 18:22:44.750396: AES_XCBC IKEv1: IKEv2:
> IKE FIPS (aes128_xcbc)
> May 26 18:22:44.750411: Integrity algorithms:
> May 26 18:22:44.750420: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH (md5 hmac_md5)
> May 26 18:22:44.750426: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
> May 26 18:22:44.750432: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
> May 26 18:22:44.750439: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
> May 26 18:22:44.750447: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
> May 26 18:22:44.750453: AES_XCBC_96 IKEv1: ESP AH IKEv2:
> IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
> May 26 18:22:44.750460: AES_CMAC_96 IKEv1: ESP AH
> IKEv2: ESP AH FIPS (aes_cmac)
> May 26 18:22:44.750466: NONE IKEv1: ESP
> IKEv2: ESP FIPS (null)
> May 26 18:22:44.750491: DH algorithms:
> May 26 18:22:44.750499: NONE IKEv1: IKEv2:
> IKE ESP AH (null dh0)
> May 26 18:22:44.750506: MODP1024 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH (dh2)
> May 26 18:22:44.750513: MODP1536 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH (dh5)
> May 26 18:22:44.750527: MODP2048 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (dh14)
> May 26 18:22:44.750534: MODP3072 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (dh15)
> May 26 18:22:44.750540: MODP4096 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (dh16)
> May 26 18:22:44.750546: MODP6144 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (dh17)
> May 26 18:22:44.750552: MODP8192 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS (dh18)
> May 26 18:22:44.750559: DH19 IKEv1: IKE IKEv2:
> IKE ESP AH FIPS (ecp_256)
> May 26 18:22:44.750566: DH20 IKEv1: IKE IKEv2:
> IKE ESP AH FIPS (ecp_384)
> May 26 18:22:44.750574: DH21 IKEv1: IKE IKEv2:
> IKE ESP AH FIPS (ecp_521)
> May 26 18:22:44.750579: DH23 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS
> May 26 18:22:44.750586: DH24 IKEv1: IKE ESP AH IKEv2:
> IKE ESP AH FIPS
> May 26 18:22:44.755598: starting up 7 crypto helpers
> May 26 18:22:44.755652: started thread for crypto helper 0
> May 26 18:22:44.755655: seccomp security for crypto helper not supported
> May 26 18:22:44.755689: started thread for crypto helper 1
> May 26 18:22:44.755704: seccomp security for crypto helper not supported
> May 26 18:22:44.755721: started thread for crypto helper 2
> May 26 18:22:44.755723: seccomp security for crypto helper not supported
> May 26 18:22:44.755761: seccomp security for crypto helper not supported
> May 26 18:22:44.755761: started thread for crypto helper 3
> May 26 18:22:44.755798: started thread for crypto helper 4
> May 26 18:22:44.755799: seccomp security for crypto helper not supported
> May 26 18:22:44.755836: seccomp security for crypto helper not supported
> May 26 18:22:44.755836: started thread for crypto helper 5
> May 26 18:22:44.755884: started thread for crypto helper 6
> May 26 18:22:44.755885: seccomp security for crypto helper not supported
> May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code on
> 4.14.35
> May 26 18:22:44.927272: seccomp security not supported
> May 26 18:22:44.929155: added connection description "radius"
> May 26 18:22:44.929200: listening for IKE messages
> May 26 18:22:44.929229: FATAL ERROR: bind() failed in find_raw_ifaces4().
> Errno 98: Address already in use
> May 26 18:22:44.929240: "radius": deleting non-instance connection
> connect(pluto_ctl) failed: No such file or directory
> ~ #
>
> I have the following conf file at /etc/ipsec.d/radius.conf
>
> conn radius
> left=10.196.175.174
> leftid=10.196.175.174
> leftsubnet=10.196.175.174/32
> right=10.196.172.114
> rightid=10.196.172.114
> rightsubnet=10.196.172.114/32
> auto=start
>
> 10.196.172.114 is my local Linux interface and 10.196.175.174 is my peer
> IP address where I want to establish an IKE connection to.
>
> ~ # netstat -an | grep 500
> udp 0 0 172.16.20.62:500 0.0.0.0:*
>
> udp 0 0 127.0.0.1:45006 0.0.0.0:*
>
> udp 0 0 172.16.20.62:4500 0.0.0.0:*
>
> unix 2 [ ] DGRAM 50035
>
> ~ # netstat -an | grep 4500
> udp 0 0 127.0.0.1:45006 0.0.0.0:*
>
> udp 0 0 172.16.20.62:4500 0.0.0.0:*
>
> ~ #
>
> I don't see any other application binding to this port from 10.196.172.114
> address.
>
> Any idea on what I am missing here?
>
> Also a related question, if I plan to use VLAN on the network interface in
> future, where do I specify the vlan-id in the Libreswan configuration?
>
> Thanks,
> Balaji
>
>
> On Sat, May 23, 2020 at 11:09 PM Paul Wouters <paul at nohats.ca> wrote:
>
>> Normally, only the “ipsec” command is in a system sbin directory. All sub
>> commands, like “ipsec pluto” or “ipsec auto” are in the libexec/ipsec
>> directory. Those starting with an underscore are deemed “internal only” and
>> should not be called by humans.
>>
>> Sent from my iPhone
>>
>> On May 23, 2020, at 21:29, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>>
>>
>> Please ignore my question in my previous email. I found that it is in
>> /usr/local/sbin.
>>
>> Thanks,
>> Balaji
>>
>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <tbbalaji at gmail.com>
>> wrote:
>>
>>> Hi Paul,
>>>
>>> Thanks for the continued support.
>>>
>>> I have integrated Libreswan source code with my Linux-based project and
>>> integrated binaries of the Libreswan's dependencies and I am able to build
>>> the project.
>>>
>>> Can I access the ipsec executable in the built Linux project? If so,
>>> where does the ipsec executable typically reside? I could not find it under
>>> /usr/sbin, /usr/libexec/ipsec.
>>>
>>> Any suggestions.
>>>
>>> Thanks,
>>> Balaji
>>>
>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <paul at nohats.ca> wrote:
>>>
>>>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>>>>
>>>> > I have some general security-policies that just allow the traffic to
>>>> pass through the system (i.e., no IPsec is applied to those traffic). Say
>>>> for example, allow all traffic
>>>> > of of certain source and destination IP and source and destination
>>>> port as 5060 (SIP traffic) not processed by IPsec.
>>>> >
>>>> > In that case, how do I convey this security-policy behavior to
>>>> Libreswan via the script? What parameters need to be configured? Should I
>>>> create a separate connection section?
>>>>
>>>> I would still recommend you do not do this. Double encryption isn't the
>>>> worst these days. Excluding will allow people to see things even if not
>>>> encrypted. For example, TLS still leaks SNI in cleartext.
>>>>
>>>> That said, you can simply create the exceptions by doing:
>>>>
>>>> Individual conn solutions:
>>>>
>>>> conn skip-tls-out
>>>> left=%defaultroute
>>>> right=0.0.0.0
>>>> leftprotoport=tcp/0
>>>> rightprotoport=tcp/443
>>>> authby=never
>>>> auto=route
>>>>
>>>> You would do something similar but flipped for incoming TLS. If there is
>>>> a mismatch of these between hosts, all communication will fail because
>>>> whoever does not have the "cleartext hole" will drop the received clear
>>>> text traffic.
>>>>
>>>> Mesh solution:
>>>>
>>>> When using mesh encryption (Oportunistic IPsec), you can also specify
>>>> the nodes for specific "clear" using protocols and ports. In general,
>>>> longest prefix first wins with these type of rule matchines
>>>>
>>>> # /etc/ipsec.d/policies/private
>>>> 10.0.0.0/8
>>>>
>>>> # /etc/ipsec.d/policies/clear
>>>> 10.0.0.0/24 tcp 0 443
>>>> 1.0.0.0/0 tcp 443 0
>>>>
>>>>
>>>> Paul
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200526/e85071df/attachment-0001.html>
More information about the Swan-dev
mailing list