[Swan-dev] Swan-dev Digest, Vol 88, Issue 27

Eoin Hamdam ehamdam at gmail.com
Sun May 31 15:37:47 UTC 2020


Your psk is only 6 character long which wont work with the encryptions
algorithms selected. Make it up to 32 characters.

On Sun 31 May 2020, 03:53 <swan-dev-request at lists.libreswan.org wrote:

> Send Swan-dev mailing list submissions to
>         swan-dev at lists.libreswan.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.libreswan.org/mailman/listinfo/swan-dev
> or, via email, send a message with subject or body 'help' to
>         swan-dev-request at lists.libreswan.org
>
> You can reach the person managing the list at
>         swan-dev-owner at lists.libreswan.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Swan-dev digest..."
>
>
> Today's Topics:
>
>    1. Re: Integrating Libreswan for IKEv2 and IPsec (Paul Wouters)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 30 May 2020 22:52:53 -0400
> From: Paul Wouters <paul at nohats.ca>
> To: Balaji Thoguluva <tbbalaji at gmail.com>
> Cc: swan-dev at lists.libreswan.org
> Subject: Re: [Swan-dev] Integrating Libreswan for IKEv2 and IPsec
> Message-ID: <89F4B7EE-4747-4A45-9C55-79DCF9AD4457 at nohats.ca>
> Content-Type: text/plain; charset="utf-8"
>
> Most of XFRM and ESP
>
> Paul
>
> Sent from my iPhone
>
> > On May 30, 2020, at 21:23, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
> >
> > ?
> > Hi Paul et al.,
> >
> > If I assume the above error is because the required kernel modules
> required by Libreswan are not included or built with the Linux kernel, can
> anybody refer me to the list of kernel modules that needs to be included
> required by the Libreswan that would avoid this error?
> >
> > If my assumption is not correct, please advise me on how to proceed
> further.
> >
> > Thanks,
> > Balaji
> >
> >> On Sat, May 30, 2020 at 6:34 PM Balaji Thoguluva <tbbalaji at gmail.com>
> wrote:
> >> Hi All,
> >>
> >> Please ignore my previous question.
> >>
> >> I was able to proceed further. Now I am able to get the IKE negotiation
> going successfully but when it attempts to install SA's to Linux kernel, it
> runs into an error. Here is the pluto logs.
> >>
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: initiating v2
> parent SA
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local IKE
> proposals for radius (IKE SA initiator selecting KE):
> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: STATE_PARENT_I1:
> sent v2I1, expected v2R1
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: WARNING:
> connection radius PSK length of 6 bytes is too short for sha2_256 PRF in
> FIPS mode (16 bytes required)
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local ESP/AH
> proposals for radius (IKE SA initiator emitting ESP/AH proposals):
> 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: STATE_PARENT_I2:
> sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128
> prf=sha2_256 group=MODP1536}
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: IKEv2 mode peer
> ID is ID_IPV4_ADDR: '10.196.175.174'
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: WARNING:
> connection radius PSK length of 6 bytes is too short for sha2_256 PRF in
> FIPS mode (16 bytes required)
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: Authenticated
> using authby=secret
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink
> response for Add SA esp.ca3c4668 at 10.196.175.174 included errno 93:
> Protocol not supported
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2:
> setup_half_ipsec_sa() hit fail:
>
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: deleting state
> (STATE_PARENT_I2) and NOT sending notification
> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink
> response for Del SA esp.ca3c4668 at 10.196.175.174 included errno 3: No such
> process
> >>
> >> Am I missing anything and any idea on how to overcome this error?
> >>
> >> Advance thanks.
> >>
> >> Regards,
> >> Balaji
> >>
> >>> On Tue, May 26, 2020 at 3:52 PM Balaji Thoguluva <tbbalaji at gmail.com>
> wrote:
> >>> I attempted to specify the IP address explicitly as a command line
> argument, but it still fails to bind for some reason. Am I running into
> some permission issue?
> >>>
> >>> ~ # ifconfig
> >>> wancom0   Link encap:Ethernet  HWaddr 00:08:25:A4:09:10
> >>>           inet addr:10.196.172.114  Bcast:10.196.255.255
> Mask:255.255.128.0
> >>>           inet6 addr: fe80::208:25ff:fea4:910/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:3871219 errors:0 dropped:1079 overruns:0 frame:0
> >>>           TX packets:35917 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:260061626 (248.0 MiB)  TX bytes:7536742 (7.1 MiB)
> >>>           Memory:f7580000-f75fffff
> >>>
> >>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
> --stderrlog
> >>>  --interface 10.196.172.114 --listen 10.196.172.114
> >>> May 26 19:21:26.049457: bind() will be filtered for 10.196.172.114
> >>> Pluto initialized
> >>> May 26 19:21:26.049752: NSS DB directory: sql:/etc/ipsec.d
> >>> May 26 19:21:26.049834: Initializing NSS
> >>> May 26 19:21:26.049846: Opening NSS database "sql:/etc/ipsec.d"
> read-only
> >>> May 26 19:21:26.129870: NSS initialized
> >>> May 26 19:21:26.129884: NSS crypto library initialized
> >>> May 26 19:21:26.129889: FIPS HMAC integrity support [disabled]
> >>> May 26 19:21:26.129971: libcap-ng support [enabled]
> >>> May 26 19:21:26.129982: Linux audit support [disabled]
> >>> May 26 19:21:26.129988: Starting Pluto (Libreswan Version 3.25
> XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:13283
> >>> May 26 19:21:26.129994: core dump dir: /run/pluto
> >>> May 26 19:21:26.129999: secrets file: /etc/ipsec.secrets
> >>> May 26 19:21:26.130003: leak-detective disabled
> >>> May 26 19:21:26.130008: NSS crypto [enabled]
> >>> May 26 19:21:26.130011: XAUTH PAM support [disabled]
> >>> May 26 19:21:26.130058: NAT-Traversal support  [enabled]
> >>> May 26 19:21:26.130077: Initializing libevent in pthreads mode:
> headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
> >>> May 26 19:21:26.130193: Encryption algorithms:
> >>> May 26 19:21:26.130201:   AES_CCM_16          IKEv1:     ESP
>  IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
> >>> May 26 19:21:26.130206:   AES_CCM_12          IKEv1:     ESP
>  IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
> >>> May 26 19:21:26.130212:   AES_CCM_8           IKEv1:     ESP
>  IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
> >>> May 26 19:21:26.130219:   3DES_CBC            IKEv1: IKE ESP
>  IKEv2: IKE ESP     FIPS  [*192]  (3des)
> >>> May 26 19:21:26.130223:   CAMELLIA_CTR        IKEv1:     ESP
>  IKEv2:     ESP           {256,192,*128}
> >>> May 26 19:21:26.130227:   CAMELLIA_CBC        IKEv1: IKE ESP
>  IKEv2: IKE ESP           {256,192,*128}  (camellia)
> >>> May 26 19:21:26.130231:   AES_GCM_16          IKEv1:     ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
> >>> May 26 19:21:26.130236:   AES_GCM_12          IKEv1:     ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
> >>> May 26 19:21:26.130239:   AES_GCM_8           IKEv1:     ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
> >>> May 26 19:21:26.130245:   AES_CTR             IKEv1: IKE ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
> >>> May 26 19:21:26.130249:   AES_CBC             IKEv1: IKE ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
> >>> May 26 19:21:26.130253:   SERPENT_CBC         IKEv1: IKE ESP
>  IKEv2: IKE ESP           {256,192,*128}  (serpent)
> >>> May 26 19:21:26.130259:   TWOFISH_CBC         IKEv1: IKE ESP
>  IKEv2: IKE ESP           {256,192,*128}  (twofish)
> >>> May 26 19:21:26.130263:   TWOFISH_SSH         IKEv1: IKE
>  IKEv2: IKE ESP           {256,192,*128}  (twofish_cbc_ssh)
> >>> May 26 19:21:26.130267:   CAST_CBC            IKEv1:     ESP
>  IKEv2:     ESP           {*128}  (cast)
> >>> May 26 19:21:26.130272:   NULL_AUTH_AES_GMAC  IKEv1:     ESP
>  IKEv2:     ESP           {256,192,*128}  (aes_gmac)
> >>> May 26 19:21:26.130275:   NULL                IKEv1:     ESP
>  IKEv2:     ESP           []
> >>> May 26 19:21:26.130281: Hash algorithms:
> >>> May 26 19:21:26.130285:   MD5                 IKEv1: IKE
>  IKEv2:
> >>> May 26 19:21:26.130289:   SHA1                IKEv1: IKE
>  IKEv2:             FIPS  (sha)
> >>> May 26 19:21:26.130292:   SHA2_256            IKEv1: IKE
>  IKEv2:             FIPS  (sha2 sha256)
> >>> May 26 19:21:26.130295:   SHA2_384            IKEv1: IKE
>  IKEv2:             FIPS  (sha384)
> >>> May 26 19:21:26.130299:   SHA2_512            IKEv1: IKE
>  IKEv2:             FIPS  (sha512)
> >>> May 26 19:21:26.130307: PRF algorithms:
> >>> May 26 19:21:26.130310:   HMAC_MD5            IKEv1: IKE
>  IKEv2: IKE               (md5)
> >>> May 26 19:21:26.130314:   HMAC_SHA1           IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha sha1)
> >>> May 26 19:21:26.130317:   HMAC_SHA2_256       IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
> >>> May 26 19:21:26.130321:   HMAC_SHA2_384       IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha384 sha2_384)
> >>> May 26 19:21:26.130325:   HMAC_SHA2_512       IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha512 sha2_512)
> >>> May 26 19:21:26.130328:   AES_XCBC            IKEv1:
>  IKEv2: IKE         FIPS  (aes128_xcbc)
> >>> May 26 19:21:26.130338: Integrity algorithms:
> >>> May 26 19:21:26.130342:   HMAC_MD5_96         IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH        (md5 hmac_md5)
> >>> May 26 19:21:26.130346:   HMAC_SHA1_96        IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
> >>> May 26 19:21:26.130350:   HMAC_SHA2_512_256   IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
> >>> May 26 19:21:26.130354:   HMAC_SHA2_384_192   IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
> >>> May 26 19:21:26.130358:   HMAC_SHA2_256_128   IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
> >>> May 26 19:21:26.130363:   AES_XCBC_96         IKEv1:     ESP AH
> IKEv2: IKE ESP AH  FIPS  (aes_xcbc aes128_xcbc aes128_xcbc_96)
> >>> May 26 19:21:26.130366:   AES_CMAC_96         IKEv1:     ESP AH
> IKEv2:     ESP AH  FIPS  (aes_cmac)
> >>> May 26 19:21:26.130370:   NONE                IKEv1:     ESP
>  IKEv2:     ESP     FIPS  (null)
> >>> May 26 19:21:26.130379: DH algorithms:
> >>> May 26 19:21:26.130382:   NONE                IKEv1:
>  IKEv2: IKE ESP AH        (null dh0)
> >>> May 26 19:21:26.130386:   MODP1024            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH        (dh2)
> >>> May 26 19:21:26.130389:   MODP1536            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH        (dh5)
> >>> May 26 19:21:26.130393:   MODP2048            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh14)
> >>> May 26 19:21:26.130396:   MODP3072            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh15)
> >>> May 26 19:21:26.130400:   MODP4096            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh16)
> >>> May 26 19:21:26.130403:   MODP6144            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh17)
> >>> May 26 19:21:26.130407:   MODP8192            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh18)
> >>> May 26 19:21:26.130411:   DH19                IKEv1: IKE
>  IKEv2: IKE ESP AH  FIPS  (ecp_256)
> >>> May 26 19:21:26.130414:   DH20                IKEv1: IKE
>  IKEv2: IKE ESP AH  FIPS  (ecp_384)
> >>> May 26 19:21:26.130418:   DH21                IKEv1: IKE
>  IKEv2: IKE ESP AH  FIPS  (ecp_521)
> >>> May 26 19:21:26.130422:   DH23                IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS
> >>> May 26 19:21:26.130425:   DH24                IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS
> >>> May 26 19:21:26.132693: starting up 7 crypto helpers
> >>> May 26 19:21:26.132724: started thread for crypto helper 0
> >>> May 26 19:21:26.132740: started thread for crypto helper 1
> >>> May 26 19:21:26.132744: seccomp security for crypto helper not
> supported
> >>> May 26 19:21:26.132756: started thread for crypto helper 2
> >>> May 26 19:21:26.132762: seccomp security for crypto helper not
> supported
> >>> May 26 19:21:26.132794: started thread for crypto helper 3
> >>> May 26 19:21:26.132796: seccomp security for crypto helper not
> supported
> >>> May 26 19:21:26.132814: started thread for crypto helper 4
> >>> May 26 19:21:26.132758: seccomp security for crypto helper not
> supported
> >>> May 26 19:21:26.133265: started thread for crypto helper 5
> >>> May 26 19:21:26.133267: seccomp security for crypto helper not
> supported
> >>> May 26 19:21:26.133292: started thread for crypto helper 6
> >>> May 26 19:21:26.133296: seccomp security for crypto helper not
> supported
> >>> May 26 19:21:26.133320: Using Linux XFRM/NETKEY IPsec interface code
> on 4.14.35
> >>> May 26 19:21:26.132829: seccomp security for crypto helper not
> supported
> >>> May 26 19:21:26.266276: seccomp security not supported
> >>> May 26 19:21:26.267538: added connection description "radius"
> >>> May 26 19:21:26.267588: listening for IKE messages
> >>> May 26 19:21:26.267609: FATAL ERROR: bind() failed in
> find_raw_ifaces4(). Errno 98: Address already in use
> >>> May 26 19:21:26.267619: "radius": deleting non-instance connection
> >>> connect(pluto_ctl) failed: No such file or directory
> >>> ~ #
> >>>
> >>> Thanks,
> >>> Balaji
> >>>
> >>>> On Tue, May 26, 2020 at 3:01 PM Balaji Thoguluva <tbbalaji at gmail.com>
> wrote:
> >>>> Thanks Paul.
> >>>>
> >>>> Another question.
> >>>>
> >>>> I have integrated Libreswan source code and its dependent binaries to
> my Linux based project. Please note that the Linux OS I have is not a
> full-blown OS but a stripped down version with limited features.
> >>>>
> >>>> When I try to invoke pluto like this,
> >>>>
> >>>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
> --stderrlog
> >>>> Pluto initialized
> >>>> May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d
> >>>> May 26 18:22:44.640085: Initializing NSS
> >>>> May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d"
> read-only
> >>>> May 26 18:22:44.749626: NSS initialized
> >>>> May 26 18:22:44.749643: NSS crypto library initialized
> >>>> May 26 18:22:44.749649: FIPS HMAC integrity support [disabled]
> >>>> May 26 18:22:44.749770: libcap-ng support [enabled]
> >>>> May 26 18:22:44.749778: Linux audit support [disabled]
> >>>> May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25
> XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445
> >>>> May 26 18:22:44.749792: core dump dir: /run/pluto
> >>>> May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets
> >>>> May 26 18:22:44.749808: leak-detective disabled
> >>>> May 26 18:22:44.749814: NSS crypto [enabled]
> >>>> May 26 18:22:44.749819: XAUTH PAM support [disabled]
> >>>> May 26 18:22:44.749926: NAT-Traversal support  [enabled]
> >>>> May 26 18:22:44.749958: Initializing libevent in pthreads mode:
> headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
> >>>> May 26 18:22:44.750135: Encryption algorithms:
> >>>> May 26 18:22:44.750148:   AES_CCM_16          IKEv1:     ESP
>  IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
> >>>> May 26 18:22:44.750156:   AES_CCM_12          IKEv1:     ESP
>  IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
> >>>> May 26 18:22:44.750164:   AES_CCM_8           IKEv1:     ESP
>  IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
> >>>> May 26 18:22:44.750174:   3DES_CBC            IKEv1: IKE ESP
>  IKEv2: IKE ESP     FIPS  [*192]  (3des)
> >>>> May 26 18:22:44.750182:   CAMELLIA_CTR        IKEv1:     ESP
>  IKEv2:     ESP           {256,192,*128}
> >>>> May 26 18:22:44.750190:   CAMELLIA_CBC        IKEv1: IKE ESP
>  IKEv2: IKE ESP           {256,192,*128}  (camellia)
> >>>> May 26 18:22:44.750198:   AES_GCM_16          IKEv1:     ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
> >>>> May 26 18:22:44.750206:   AES_GCM_12          IKEv1:     ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
> >>>> May 26 18:22:44.750213:   AES_GCM_8           IKEv1:     ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
> >>>> May 26 18:22:44.750224:   AES_CTR             IKEv1: IKE ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
> >>>> May 26 18:22:44.750231:   AES_CBC             IKEv1: IKE ESP
>  IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
> >>>> May 26 18:22:44.750240:   SERPENT_CBC         IKEv1: IKE ESP
>  IKEv2: IKE ESP           {256,192,*128}  (serpent)
> >>>> May 26 18:22:44.750248:   TWOFISH_CBC         IKEv1: IKE ESP
>  IKEv2: IKE ESP           {256,192,*128}  (twofish)
> >>>> May 26 18:22:44.750255:   TWOFISH_SSH         IKEv1: IKE
>  IKEv2: IKE ESP           {256,192,*128}  (twofish_cbc_ssh)
> >>>> May 26 18:22:44.750262:   CAST_CBC            IKEv1:     ESP
>  IKEv2:     ESP           {*128}  (cast)
> >>>> May 26 18:22:44.750280:   NULL_AUTH_AES_GMAC  IKEv1:     ESP
>  IKEv2:     ESP           {256,192,*128}  (aes_gmac)
> >>>> May 26 18:22:44.750287:   NULL                IKEv1:     ESP
>  IKEv2:     ESP           []
> >>>> May 26 18:22:44.750298: Hash algorithms:
> >>>> May 26 18:22:44.750304:   MD5                 IKEv1: IKE
>  IKEv2:
> >>>> May 26 18:22:44.750311:   SHA1                IKEv1: IKE
>  IKEv2:             FIPS  (sha)
> >>>> May 26 18:22:44.750325:   SHA2_256            IKEv1: IKE
>  IKEv2:             FIPS  (sha2 sha256)
> >>>> May 26 18:22:44.750333:   SHA2_384            IKEv1: IKE
>  IKEv2:             FIPS  (sha384)
> >>>> May 26 18:22:44.750340:   SHA2_512            IKEv1: IKE
>  IKEv2:             FIPS  (sha512)
> >>>> May 26 18:22:44.750354: PRF algorithms:
> >>>> May 26 18:22:44.750360:   HMAC_MD5            IKEv1: IKE
>  IKEv2: IKE               (md5)
> >>>> May 26 18:22:44.750369:   HMAC_SHA1           IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha sha1)
> >>>> May 26 18:22:44.750377:   HMAC_SHA2_256       IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
> >>>> May 26 18:22:44.750383:   HMAC_SHA2_384       IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha384 sha2_384)
> >>>> May 26 18:22:44.750389:   HMAC_SHA2_512       IKEv1: IKE
>  IKEv2: IKE         FIPS  (sha512 sha2_512)
> >>>> May 26 18:22:44.750396:   AES_XCBC            IKEv1:
>  IKEv2: IKE         FIPS  (aes128_xcbc)
> >>>> May 26 18:22:44.750411: Integrity algorithms:
> >>>> May 26 18:22:44.750420:   HMAC_MD5_96         IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH        (md5 hmac_md5)
> >>>> May 26 18:22:44.750426:   HMAC_SHA1_96        IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
> >>>> May 26 18:22:44.750432:   HMAC_SHA2_512_256   IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
> >>>> May 26 18:22:44.750439:   HMAC_SHA2_384_192   IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
> >>>> May 26 18:22:44.750447:   HMAC_SHA2_256_128   IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
> >>>> May 26 18:22:44.750453:   AES_XCBC_96         IKEv1:     ESP AH
> IKEv2: IKE ESP AH  FIPS  (aes_xcbc aes128_xcbc aes128_xcbc_96)
> >>>> May 26 18:22:44.750460:   AES_CMAC_96         IKEv1:     ESP AH
> IKEv2:     ESP AH  FIPS  (aes_cmac)
> >>>> May 26 18:22:44.750466:   NONE                IKEv1:     ESP
>  IKEv2:     ESP     FIPS  (null)
> >>>> May 26 18:22:44.750491: DH algorithms:
> >>>> May 26 18:22:44.750499:   NONE                IKEv1:
>  IKEv2: IKE ESP AH        (null dh0)
> >>>> May 26 18:22:44.750506:   MODP1024            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH        (dh2)
> >>>> May 26 18:22:44.750513:   MODP1536            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH        (dh5)
> >>>> May 26 18:22:44.750527:   MODP2048            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh14)
> >>>> May 26 18:22:44.750534:   MODP3072            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh15)
> >>>> May 26 18:22:44.750540:   MODP4096            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh16)
> >>>> May 26 18:22:44.750546:   MODP6144            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh17)
> >>>> May 26 18:22:44.750552:   MODP8192            IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS  (dh18)
> >>>> May 26 18:22:44.750559:   DH19                IKEv1: IKE
>  IKEv2: IKE ESP AH  FIPS  (ecp_256)
> >>>> May 26 18:22:44.750566:   DH20                IKEv1: IKE
>  IKEv2: IKE ESP AH  FIPS  (ecp_384)
> >>>> May 26 18:22:44.750574:   DH21                IKEv1: IKE
>  IKEv2: IKE ESP AH  FIPS  (ecp_521)
> >>>> May 26 18:22:44.750579:   DH23                IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS
> >>>> May 26 18:22:44.750586:   DH24                IKEv1: IKE ESP AH
> IKEv2: IKE ESP AH  FIPS
> >>>> May 26 18:22:44.755598: starting up 7 crypto helpers
> >>>> May 26 18:22:44.755652: started thread for crypto helper 0
> >>>> May 26 18:22:44.755655: seccomp security for crypto helper not
> supported
> >>>> May 26 18:22:44.755689: started thread for crypto helper 1
> >>>> May 26 18:22:44.755704: seccomp security for crypto helper not
> supported
> >>>> May 26 18:22:44.755721: started thread for crypto helper 2
> >>>> May 26 18:22:44.755723: seccomp security for crypto helper not
> supported
> >>>> May 26 18:22:44.755761: seccomp security for crypto helper not
> supported
> >>>> May 26 18:22:44.755761: started thread for crypto helper 3
> >>>> May 26 18:22:44.755798: started thread for crypto helper 4
> >>>> May 26 18:22:44.755799: seccomp security for crypto helper not
> supported
> >>>> May 26 18:22:44.755836: seccomp security for crypto helper not
> supported
> >>>> May 26 18:22:44.755836: started thread for crypto helper 5
> >>>> May 26 18:22:44.755884: started thread for crypto helper 6
> >>>> May 26 18:22:44.755885: seccomp security for crypto helper not
> supported
> >>>> May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code
> on 4.14.35
> >>>> May 26 18:22:44.927272: seccomp security not supported
> >>>> May 26 18:22:44.929155: added connection description "radius"
> >>>> May 26 18:22:44.929200: listening for IKE messages
> >>>> May 26 18:22:44.929229: FATAL ERROR: bind() failed in
> find_raw_ifaces4(). Errno 98: Address already in use
> >>>> May 26 18:22:44.929240: "radius": deleting non-instance connection
> >>>> connect(pluto_ctl) failed: No such file or directory
> >>>> ~ #
> >>>>
> >>>> I have the following conf file at /etc/ipsec.d/radius.conf
> >>>>
> >>>> conn radius
> >>>>         left=10.196.175.174
> >>>>         leftid=10.196.175.174
> >>>>         leftsubnet=10.196.175.174/32
> >>>>         right=10.196.172.114
> >>>>         rightid=10.196.172.114
> >>>>         rightsubnet=10.196.172.114/32
> >>>>         auto=start
> >>>>
> >>>> 10.196.172.114 is my local Linux interface and 10.196.175.174 is my
> peer IP address where I want to establish an IKE connection to.
> >>>>
> >>>> ~ # netstat -an | grep 500
> >>>> udp        0      0 172.16.20.62:500        0.0.0.0:*
>
> >>>> udp        0      0 127.0.0.1:45006         0.0.0.0:*
>
> >>>> udp        0      0 172.16.20.62:4500       0.0.0.0:*
>
> >>>> unix  2      [ ]         DGRAM                     50035
> >>>>
> >>>> ~ # netstat -an | grep 4500
> >>>> udp        0      0 127.0.0.1:45006         0.0.0.0:*
>
> >>>> udp        0      0 172.16.20.62:4500       0.0.0.0:*
>
> >>>> ~ #
> >>>>
> >>>> I don't see any other application binding to this port from
> 10.196.172.114 address.
> >>>>
> >>>> Any idea on what I am missing here?
> >>>>
> >>>> Also a related question, if I plan to use VLAN on the network
> interface in future, where do I specify the vlan-id in the Libreswan
> configuration?
> >>>>
> >>>> Thanks,
> >>>> Balaji
> >>>>
> >>>>
> >>>>> On Sat, May 23, 2020 at 11:09 PM Paul Wouters <paul at nohats.ca>
> wrote:
> >>>>> Normally, only the ?ipsec? command is in a system sbin directory.
> All sub commands, like ?ipsec pluto? or ?ipsec auto? are in the
> libexec/ipsec directory. Those starting with an underscore are deemed
> ?internal only? and should not be called by humans.
> >>>>>
> >>>>> Sent from my iPhone
> >>>>>
> >>>>>>> On May 23, 2020, at 21:29, Balaji Thoguluva <tbbalaji at gmail.com>
> wrote:
> >>>>>>>
> >>>>>> ?
> >>>>>> Please ignore my question in my previous email. I found that it is
> in /usr/local/sbin.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Balaji
> >>>>>>
> >>>>>>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <
> tbbalaji at gmail.com> wrote:
> >>>>>>> Hi Paul,
> >>>>>>>
> >>>>>>> Thanks for the continued support.
> >>>>>>>
> >>>>>>> I have integrated Libreswan source code with my Linux-based
> project and integrated binaries of the Libreswan's dependencies and I am
> able to build the project.
> >>>>>>>
> >>>>>>> Can I access the ipsec executable in the built Linux project? If
> so, where does the ipsec executable typically reside? I could not find it
> under /usr/sbin, /usr/libexec/ipsec.
> >>>>>>>
> >>>>>>> Any suggestions.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Balaji
> >>>>>>>
> >>>>>>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <paul at nohats.ca>
> wrote:
> >>>>>>>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
> >>>>>>>>
> >>>>>>>> > I have some general security-policies that just allow the
> traffic to pass through the system (i.e., no IPsec is applied to those
> traffic). Say for example, allow all traffic
> >>>>>>>> > of of certain source and destination IP and source and
> destination port as 5060 (SIP traffic) not processed by IPsec.
> >>>>>>>> >
> >>>>>>>> > In that case, how do I convey this security-policy behavior to
> Libreswan via the script? What parameters need to be configured? Should I
> create a separate connection section?
> >>>>>>>>
> >>>>>>>> I would still recommend you do not do this. Double encryption
> isn't the
> >>>>>>>> worst these days. Excluding will allow people to see things even
> if not
> >>>>>>>> encrypted. For example, TLS still leaks SNI in cleartext.
> >>>>>>>>
> >>>>>>>> That said, you can simply create the exceptions by doing:
> >>>>>>>>
> >>>>>>>> Individual conn solutions:
> >>>>>>>>
> >>>>>>>> conn skip-tls-out
> >>>>>>>>         left=%defaultroute
> >>>>>>>>         right=0.0.0.0
> >>>>>>>>         leftprotoport=tcp/0
> >>>>>>>>         rightprotoport=tcp/443
> >>>>>>>>         authby=never
> >>>>>>>>         auto=route
> >>>>>>>>
> >>>>>>>> You would do something similar but flipped for incoming TLS. If
> there is
> >>>>>>>> a mismatch of these between hosts, all communication will fail
> because
> >>>>>>>> whoever does not have the "cleartext hole" will drop the received
> clear
> >>>>>>>> text traffic.
> >>>>>>>>
> >>>>>>>> Mesh solution:
> >>>>>>>>
> >>>>>>>> When using mesh encryption (Oportunistic IPsec), you can also
> specify
> >>>>>>>> the nodes for specific "clear" using protocols and ports. In
> general,
> >>>>>>>> longest prefix first wins with these type of rule matchines
> >>>>>>>>
> >>>>>>>> # /etc/ipsec.d/policies/private
> >>>>>>>> 10.0.0.0/8
> >>>>>>>>
> >>>>>>>> # /etc/ipsec.d/policies/clear
> >>>>>>>> 10.0.0.0/24  tcp  0  443
> >>>>>>>> 1.0.0.0/0    tcp  443  0
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Paul
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://lists.libreswan.org/pipermail/swan-dev/attachments/20200530/3a76aade/attachment.html
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
>
>
> ------------------------------
>
> End of Swan-dev Digest, Vol 88, Issue 27
> ****************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200531/722058ae/attachment-0001.html>


More information about the Swan-dev mailing list