[Swan-dev] Swan-dev Digest, Vol 88, Issue 27

Paul Wouters paul at nohats.ca
Sun May 31 16:19:45 UTC 2020


On Sun, 31 May 2020, Eoin Hamdam wrote:

> Your PSK is only 6 characters long, which won't work with the encryption algorithms selected. Make it up to 32
> characters.

That is only fatal in FIPS mode. It is a warning in non-FIPS mode.

We have had debates about mandating a minimum requirement in length or
strength, but developers are of mixed mind. People who want to do
unsafe things will do them anyway.

Paul

> On Sun 31 May 2020, 03:53 <swan-dev-request at lists.libreswan.org> wrote:
>       Message: 1
>       Date: Sat, 30 May 2020 22:52:53 -0400
>       From: Paul Wouters <paul at nohats.ca>
>       To: Balaji Thoguluva <tbbalaji at gmail.com>
>       Cc: swan-dev at lists.libreswan.org
>       Subject: Re: [Swan-dev] Integrating Libreswan for IKEv2 and IPsec
>       Message-ID: <89F4B7EE-4747-4A45-9C55-79DCF9AD4457 at nohats.ca>
>       Content-Type: text/plain; charset="utf-8"
>
>       Most of XFRM and ESP
>
>       Paul
>
>       Sent from my iPhone
>
>       > On May 30, 2020, at 21:23, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>       >
>       > Hi Paul et al.,
>       >
>       > If I assume the above error is because the kernel modules required by Libreswan are not included or built with the Linux kernel, can anybody refer me to the list of kernel modules that need to be included for Libreswan to avoid this error?
>       >
>       > If my assumption is not correct, please advise me on how to proceed further.
>       >
>       > Thanks,
>       > Balaji
>       >
>       >> On Sat, May 30, 2020 at 6:34 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>       >> Hi All,
>       >>
>       >> Please ignore my previous question.
>       >>
>       >> I was able to proceed further. Now I am able to get the IKE negotiation going successfully but when it attempts to install SAs to the Linux kernel, it runs into an error. Here are the pluto logs.
>       >>
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: initiating v2 parent SA
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local IKE proposals for radius (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: WARNING: connection radius PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local ESP/AH proposals for radius (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP1536}
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '10.196.175.174'
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: WARNING: connection radius PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: Authenticated using authby=secret
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink response for Add SA esp.ca3c4668 at 10.196.175.174 included errno 93: Protocol not supported
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: setup_half_ipsec_sa() hit fail:
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: deleting state (STATE_PARENT_I2) and NOT sending notification
>       >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink response for Del SA esp.ca3c4668 at 10.196.175.174 included errno 3: No such process
>       >>
>       >> Am I missing anything and any idea on how to overcome this error?
>       >>
>       >> Advance thanks.
>       >>
>       >> Regards,
>       >> Balaji
>       >>
>       >>> On Tue, May 26, 2020 at 3:52 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>       >>> I attempted to specify the IP address explicitly as a command line argument, but it still fails to bind for some reason. Am I running into some permission issue?
>       >>>
>       >>> ~ # ifconfig
>       >>> wancom0   Link encap:Ethernet  HWaddr 00:08:25:A4:09:10 
>       >>>           inet addr:10.196.172.114  Bcast:10.196.255.255  Mask:255.255.128.0
>       >>>           inet6 addr: fe80::208:25ff:fea4:910/64 Scope:Link
>       >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>       >>>           RX packets:3871219 errors:0 dropped:1079 overruns:0 frame:0
>       >>>           TX packets:35917 errors:0 dropped:0 overruns:0 carrier:0
>       >>>           collisions:0 txqueuelen:1000
>       >>>           RX bytes:260061626 (248.0 MiB)  TX bytes:7536742 (7.1 MiB)
>       >>>           Memory:f7580000-f75fffff
>       >>>
>       >>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork --stderrlog
>       >>>  --interface 10.196.172.114 --listen 10.196.172.114
>       >>> May 26 19:21:26.049457: bind() will be filtered for 10.196.172.114
>       >>> Pluto initialized
>       >>> May 26 19:21:26.049752: NSS DB directory: sql:/etc/ipsec.d
>       >>> May 26 19:21:26.049834: Initializing NSS
>       >>> May 26 19:21:26.049846: Opening NSS database "sql:/etc/ipsec.d" read-only
>       >>> May 26 19:21:26.129870: NSS initialized
>       >>> May 26 19:21:26.129884: NSS crypto library initialized
>       >>> May 26 19:21:26.129889: FIPS HMAC integrity support [disabled]
>       >>> May 26 19:21:26.129971: libcap-ng support [enabled]
>       >>> May 26 19:21:26.129982: Linux audit support [disabled]
>       >>> May 26 19:21:26.129988: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) FORK
>       PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:13283
>       >>> May 26 19:21:26.129994: core dump dir: /run/pluto
>       >>> May 26 19:21:26.129999: secrets file: /etc/ipsec.secrets
>       >>> May 26 19:21:26.130003: leak-detective disabled
>       >>> May 26 19:21:26.130008: NSS crypto [enabled]
>       >>> May 26 19:21:26.130011: XAUTH PAM support [disabled]
>       >>> May 26 19:21:26.130058: NAT-Traversal support  [enabled]
>       >>> May 26 19:21:26.130077: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500);
>       library: 2.0.21-stable (2001500)
>       >>> May 26 19:21:26.130193: Encryption algorithms:
>       >>> May 26 19:21:26.130201:   AES_CCM_16          IKEv1:     ESP     IKEv2:     ESP     FIPS 
>       {256,192,*128}  (aes_ccm aes_ccm_c)
>       >>> May 26 19:21:26.130206:   AES_CCM_12          IKEv1:     ESP     IKEv2:     ESP     FIPS 
>       {256,192,*128}  (aes_ccm_b)
>       >>> May 26 19:21:26.130212:   AES_CCM_8           IKEv1:     ESP     IKEv2:     ESP     FIPS 
>       {256,192,*128}  (aes_ccm_a)
>       >>> May 26 19:21:26.130219:   3DES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192] 
>       (3des)
>       >>> May 26 19:21:26.130223:   CAMELLIA_CTR        IKEv1:     ESP     IKEv2:     ESP         
>        {256,192,*128}
>       >>> May 26 19:21:26.130227:   CAMELLIA_CBC        IKEv1: IKE ESP     IKEv2: IKE ESP         
>        {256,192,*128}  (camellia)
>       >>> May 26 19:21:26.130231:   AES_GCM_16          IKEv1:     ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes_gcm aes_gcm_c)
>       >>> May 26 19:21:26.130236:   AES_GCM_12          IKEv1:     ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes_gcm_b)
>       >>> May 26 19:21:26.130239:   AES_GCM_8           IKEv1:     ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes_gcm_a)
>       >>> May 26 19:21:26.130245:   AES_CTR             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aesctr)
>       >>> May 26 19:21:26.130249:   AES_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes)
>       >>> May 26 19:21:26.130253:   SERPENT_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP         
>        {256,192,*128}  (serpent)
>       >>> May 26 19:21:26.130259:   TWOFISH_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP         
>        {256,192,*128}  (twofish)
>       >>> May 26 19:21:26.130263:   TWOFISH_SSH         IKEv1: IKE         IKEv2: IKE ESP         
>        {256,192,*128}  (twofish_cbc_ssh)
>       >>> May 26 19:21:26.130267:   CAST_CBC            IKEv1:     ESP     IKEv2:     ESP           {*128} 
>       (cast)
>       >>> May 26 19:21:26.130272:   NULL_AUTH_AES_GMAC  IKEv1:     ESP     IKEv2:     ESP         
>        {256,192,*128}  (aes_gmac)
>       >>> May 26 19:21:26.130275:   NULL                IKEv1:     ESP     IKEv2:     ESP           []
>       >>> May 26 19:21:26.130281: Hash algorithms:
>       >>> May 26 19:21:26.130285:   MD5                 IKEv1: IKE         IKEv2:                 
>       >>> May 26 19:21:26.130289:   SHA1                IKEv1: IKE         IKEv2:             FIPS  (sha)
>       >>> May 26 19:21:26.130292:   SHA2_256            IKEv1: IKE         IKEv2:             FIPS  (sha2
>       sha256)
>       >>> May 26 19:21:26.130295:   SHA2_384            IKEv1: IKE         IKEv2:             FIPS  (sha384)
>       >>> May 26 19:21:26.130299:   SHA2_512            IKEv1: IKE         IKEv2:             FIPS  (sha512)
>       >>> May 26 19:21:26.130307: PRF algorithms:
>       >>> May 26 19:21:26.130310:   HMAC_MD5            IKEv1: IKE         IKEv2: IKE               (md5)
>       >>> May 26 19:21:26.130314:   HMAC_SHA1           IKEv1: IKE         IKEv2: IKE         FIPS  (sha
>       sha1)
>       >>> May 26 19:21:26.130317:   HMAC_SHA2_256       IKEv1: IKE         IKEv2: IKE         FIPS  (sha2
>       sha256 sha2_256)
>       >>> May 26 19:21:26.130321:   HMAC_SHA2_384       IKEv1: IKE         IKEv2: IKE         FIPS  (sha384
>       sha2_384)
>       >>> May 26 19:21:26.130325:   HMAC_SHA2_512       IKEv1: IKE         IKEv2: IKE         FIPS  (sha512
>       sha2_512)
>       >>> May 26 19:21:26.130328:   AES_XCBC            IKEv1:             IKEv2: IKE         FIPS 
>       (aes128_xcbc)
>       >>> May 26 19:21:26.130338: Integrity algorithms:
>       >>> May 26 19:21:26.130342:   HMAC_MD5_96         IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (md5
>       hmac_md5)
>       >>> May 26 19:21:26.130346:   HMAC_SHA1_96        IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha
>       sha1 sha1_96 hmac_sha1)
>       >>> May 26 19:21:26.130350:   HMAC_SHA2_512_256   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512
>       sha2_512 hmac_sha2_512)
>       >>> May 26 19:21:26.130354:   HMAC_SHA2_384_192   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384
>       sha2_384 hmac_sha2_384)
>       >>> May 26 19:21:26.130358:   HMAC_SHA2_256_128   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2
>       sha256 sha2_256 hmac_sha2_256)
>       >>> May 26 19:21:26.130363:   AES_XCBC_96         IKEv1:     ESP AH  IKEv2: IKE ESP AH  FIPS 
>       (aes_xcbc aes128_xcbc aes128_xcbc_96)
>       >>> May 26 19:21:26.130366:   AES_CMAC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS 
>       (aes_cmac)
>       >>> May 26 19:21:26.130370:   NONE                IKEv1:     ESP     IKEv2:     ESP     FIPS  (null)
>       >>> May 26 19:21:26.130379: DH algorithms:
>       >>> May 26 19:21:26.130382:   NONE                IKEv1:             IKEv2: IKE ESP AH        (null
>       dh0)
>       >>> May 26 19:21:26.130386:   MODP1024            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh2)
>       >>> May 26 19:21:26.130389:   MODP1536            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh5)
>       >>> May 26 19:21:26.130393:   MODP2048            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
>       >>> May 26 19:21:26.130396:   MODP3072            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
>       >>> May 26 19:21:26.130400:   MODP4096            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
>       >>> May 26 19:21:26.130403:   MODP6144            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
>       >>> May 26 19:21:26.130407:   MODP8192            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
>       >>> May 26 19:21:26.130411:   DH19                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS 
>       (ecp_256)
>       >>> May 26 19:21:26.130414:   DH20                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS 
>       (ecp_384)
>       >>> May 26 19:21:26.130418:   DH21                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS 
>       (ecp_521)
>       >>> May 26 19:21:26.130422:   DH23                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
>       >>> May 26 19:21:26.130425:   DH24                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
>       >>> May 26 19:21:26.132693: starting up 7 crypto helpers
>       >>> May 26 19:21:26.132724: started thread for crypto helper 0
>       >>> May 26 19:21:26.132740: started thread for crypto helper 1
>       >>> May 26 19:21:26.132744: seccomp security for crypto helper not supported
>       >>> May 26 19:21:26.132756: started thread for crypto helper 2
>       >>> May 26 19:21:26.132762: seccomp security for crypto helper not supported
>       >>> May 26 19:21:26.132794: started thread for crypto helper 3
>       >>> May 26 19:21:26.132796: seccomp security for crypto helper not supported
>       >>> May 26 19:21:26.132814: started thread for crypto helper 4
>       >>> May 26 19:21:26.132758: seccomp security for crypto helper not supported
>       >>> May 26 19:21:26.133265: started thread for crypto helper 5
>       >>> May 26 19:21:26.133267: seccomp security for crypto helper not supported
>       >>> May 26 19:21:26.133292: started thread for crypto helper 6
>       >>> May 26 19:21:26.133296: seccomp security for crypto helper not supported
>       >>> May 26 19:21:26.133320: Using Linux XFRM/NETKEY IPsec interface code on 4.14.35
>       >>> May 26 19:21:26.132829: seccomp security for crypto helper not supported
>       >>> May 26 19:21:26.266276: seccomp security not supported
>       >>> May 26 19:21:26.267538: added connection description "radius"
>       >>> May 26 19:21:26.267588: listening for IKE messages
>       >>> May 26 19:21:26.267609: FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address
>       already in use
>       >>> May 26 19:21:26.267619: "radius": deleting non-instance connection
>       >>> connect(pluto_ctl) failed: No such file or directory
>       >>> ~ #
>       >>>
>       >>> Thanks,
>       >>> Balaji
>       >>>
>       >>>> On Tue, May 26, 2020 at 3:01 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>       >>>> Thanks Paul.
>       >>>>
>       >>>> Another question.
>       >>>>
>       >>>> I have integrated Libreswan source code and its dependent binaries to my Linux based project. Please note that the Linux OS I have is not a full-blown OS but a stripped down version with limited features.
>       >>>>
>       >>>> When I try to invoke pluto like this,
>       >>>>
>       >>>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork --stderrlog
>       >>>> Pluto initialized
>       >>>> May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d
>       >>>> May 26 18:22:44.640085: Initializing NSS
>       >>>> May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d" read-only
>       >>>> May 26 18:22:44.749626: NSS initialized
>       >>>> May 26 18:22:44.749643: NSS crypto library initialized
>       >>>> May 26 18:22:44.749649: FIPS HMAC integrity support [disabled]
>       >>>> May 26 18:22:44.749770: libcap-ng support [enabled]
>       >>>> May 26 18:22:44.749778: Linux audit support [disabled]
>       >>>> May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) FORK
>       PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445
>       >>>> May 26 18:22:44.749792: core dump dir: /run/pluto
>       >>>> May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets
>       >>>> May 26 18:22:44.749808: leak-detective disabled
>       >>>> May 26 18:22:44.749814: NSS crypto [enabled]
>       >>>> May 26 18:22:44.749819: XAUTH PAM support [disabled]
>       >>>> May 26 18:22:44.749926: NAT-Traversal support  [enabled]
>       >>>> May 26 18:22:44.749958: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500);
>       library: 2.0.21-stable (2001500)
>       >>>> May 26 18:22:44.750135: Encryption algorithms:
>       >>>> May 26 18:22:44.750148:   AES_CCM_16          IKEv1:     ESP     IKEv2:     ESP     FIPS 
>       {256,192,*128}  (aes_ccm aes_ccm_c)
>       >>>> May 26 18:22:44.750156:   AES_CCM_12          IKEv1:     ESP     IKEv2:     ESP     FIPS 
>       {256,192,*128}  (aes_ccm_b)
>       >>>> May 26 18:22:44.750164:   AES_CCM_8           IKEv1:     ESP     IKEv2:     ESP     FIPS 
>       {256,192,*128}  (aes_ccm_a)
>       >>>> May 26 18:22:44.750174:   3DES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192] 
>       (3des)
>       >>>> May 26 18:22:44.750182:   CAMELLIA_CTR        IKEv1:     ESP     IKEv2:     ESP         
>        {256,192,*128}
>       >>>> May 26 18:22:44.750190:   CAMELLIA_CBC        IKEv1: IKE ESP     IKEv2: IKE ESP         
>        {256,192,*128}  (camellia)
>       >>>> May 26 18:22:44.750198:   AES_GCM_16          IKEv1:     ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes_gcm aes_gcm_c)
>       >>>> May 26 18:22:44.750206:   AES_GCM_12          IKEv1:     ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes_gcm_b)
>       >>>> May 26 18:22:44.750213:   AES_GCM_8           IKEv1:     ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes_gcm_a)
>       >>>> May 26 18:22:44.750224:   AES_CTR             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aesctr)
>       >>>> May 26 18:22:44.750231:   AES_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS 
>       {256,192,*128}  (aes)
>       >>>> May 26 18:22:44.750240:   SERPENT_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP         
>        {256,192,*128}  (serpent)
>       >>>> May 26 18:22:44.750248:   TWOFISH_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP         
>        {256,192,*128}  (twofish)
>       >>>> May 26 18:22:44.750255:   TWOFISH_SSH         IKEv1: IKE         IKEv2: IKE ESP         
>        {256,192,*128}  (twofish_cbc_ssh)
>       >>>> May 26 18:22:44.750262:   CAST_CBC            IKEv1:     ESP     IKEv2:     ESP           {*128} 
>       (cast)
>       >>>> May 26 18:22:44.750280:   NULL_AUTH_AES_GMAC  IKEv1:     ESP     IKEv2:     ESP         
>        {256,192,*128}  (aes_gmac)
>       >>>> May 26 18:22:44.750287:   NULL                IKEv1:     ESP     IKEv2:     ESP           []
>       >>>> May 26 18:22:44.750298: Hash algorithms:
>       >>>> May 26 18:22:44.750304:   MD5                 IKEv1: IKE         IKEv2:                 
>       >>>> May 26 18:22:44.750311:   SHA1                IKEv1: IKE         IKEv2:             FIPS  (sha)
>       >>>> May 26 18:22:44.750325:   SHA2_256            IKEv1: IKE         IKEv2:             FIPS  (sha2
>       sha256)
>       >>>> May 26 18:22:44.750333:   SHA2_384            IKEv1: IKE         IKEv2:             FIPS 
>       (sha384)
>       >>>> May 26 18:22:44.750340:   SHA2_512            IKEv1: IKE         IKEv2:             FIPS 
>       (sha512)
>       >>>> May 26 18:22:44.750354: PRF algorithms:
>       >>>> May 26 18:22:44.750360:   HMAC_MD5            IKEv1: IKE         IKEv2: IKE               (md5)
>       >>>> May 26 18:22:44.750369:   HMAC_SHA1           IKEv1: IKE         IKEv2: IKE         FIPS  (sha
>       sha1)
>       >>>> May 26 18:22:44.750377:   HMAC_SHA2_256       IKEv1: IKE         IKEv2: IKE         FIPS  (sha2
>       sha256 sha2_256)
>       >>>> May 26 18:22:44.750383:   HMAC_SHA2_384       IKEv1: IKE         IKEv2: IKE         FIPS  (sha384
>       sha2_384)
>       >>>> May 26 18:22:44.750389:   HMAC_SHA2_512       IKEv1: IKE         IKEv2: IKE         FIPS  (sha512
>       sha2_512)
>       >>>> May 26 18:22:44.750396:   AES_XCBC            IKEv1:             IKEv2: IKE         FIPS 
>       (aes128_xcbc)
>       >>>> May 26 18:22:44.750411: Integrity algorithms:
>       >>>> May 26 18:22:44.750420:   HMAC_MD5_96         IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (md5
>       hmac_md5)
>       >>>> May 26 18:22:44.750426:   HMAC_SHA1_96        IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha
>       sha1 sha1_96 hmac_sha1)
>       >>>> May 26 18:22:44.750432:   HMAC_SHA2_512_256   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512
>       sha2_512 hmac_sha2_512)
>       >>>> May 26 18:22:44.750439:   HMAC_SHA2_384_192   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384
>       sha2_384 hmac_sha2_384)
>       >>>> May 26 18:22:44.750447:   HMAC_SHA2_256_128   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2
>       sha256 sha2_256 hmac_sha2_256)
>       >>>> May 26 18:22:44.750453:   AES_XCBC_96         IKEv1:     ESP AH  IKEv2: IKE ESP AH  FIPS 
>       (aes_xcbc aes128_xcbc aes128_xcbc_96)
>       >>>> May 26 18:22:44.750460:   AES_CMAC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS 
>       (aes_cmac)
>       >>>> May 26 18:22:44.750466:   NONE                IKEv1:     ESP     IKEv2:     ESP     FIPS  (null)
>       >>>> May 26 18:22:44.750491: DH algorithms:
>       >>>> May 26 18:22:44.750499:   NONE                IKEv1:             IKEv2: IKE ESP AH        (null
>       dh0)
>       >>>> May 26 18:22:44.750506:   MODP1024            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh2)
>       >>>> May 26 18:22:44.750513:   MODP1536            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh5)
>       >>>> May 26 18:22:44.750527:   MODP2048            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
>       >>>> May 26 18:22:44.750534:   MODP3072            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
>       >>>> May 26 18:22:44.750540:   MODP4096            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
>       >>>> May 26 18:22:44.750546:   MODP6144            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
>       >>>> May 26 18:22:44.750552:   MODP8192            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
>       >>>> May 26 18:22:44.750559:   DH19                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS 
>       (ecp_256)
>       >>>> May 26 18:22:44.750566:   DH20                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS 
>       (ecp_384)
>       >>>> May 26 18:22:44.750574:   DH21                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS 
>       (ecp_521)
>       >>>> May 26 18:22:44.750579:   DH23                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
>       >>>> May 26 18:22:44.750586:   DH24                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
>       >>>> May 26 18:22:44.755598: starting up 7 crypto helpers
>       >>>> May 26 18:22:44.755652: started thread for crypto helper 0
>       >>>> May 26 18:22:44.755655: seccomp security for crypto helper not supported
>       >>>> May 26 18:22:44.755689: started thread for crypto helper 1
>       >>>> May 26 18:22:44.755704: seccomp security for crypto helper not supported
>       >>>> May 26 18:22:44.755721: started thread for crypto helper 2
>       >>>> May 26 18:22:44.755723: seccomp security for crypto helper not supported
>       >>>> May 26 18:22:44.755761: seccomp security for crypto helper not supported
>       >>>> May 26 18:22:44.755761: started thread for crypto helper 3
>       >>>> May 26 18:22:44.755798: started thread for crypto helper 4
>       >>>> May 26 18:22:44.755799: seccomp security for crypto helper not supported
>       >>>> May 26 18:22:44.755836: seccomp security for crypto helper not supported
>       >>>> May 26 18:22:44.755836: started thread for crypto helper 5
>       >>>> May 26 18:22:44.755884: started thread for crypto helper 6
>       >>>> May 26 18:22:44.755885: seccomp security for crypto helper not supported
>       >>>> May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code on 4.14.35
>       >>>> May 26 18:22:44.927272: seccomp security not supported
>       >>>> May 26 18:22:44.929155: added connection description "radius"
>       >>>> May 26 18:22:44.929200: listening for IKE messages
>       >>>> May 26 18:22:44.929229: FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address
>       already in use
>       >>>> May 26 18:22:44.929240: "radius": deleting non-instance connection
>       >>>> connect(pluto_ctl) failed: No such file or directory
>       >>>> ~ #
>       >>>>
>       >>>> I have the following conf file at /etc/ipsec.d/radius.conf
>       >>>>
>       >>>> conn radius
>       >>>>         left=10.196.175.174
>       >>>>         leftid=10.196.175.174
>       >>>>         leftsubnet=10.196.175.174/32
>       >>>>         right=10.196.172.114
>       >>>>         rightid=10.196.172.114
>       >>>>         rightsubnet=10.196.172.114/32
>       >>>>         auto=start
>       >>>>
>       >>>> 10.196.172.114 is my local Linux interface and 10.196.175.174 is my peer IP address where I want to establish an IKE connection to.
>       >>>>
>       >>>> ~ # netstat -an | grep 500
>       >>>> udp        0      0 172.16.20.62:500        0.0.0.0:*                           
>       >>>> udp        0      0 127.0.0.1:45006         0.0.0.0:*                           
>       >>>> udp        0      0 172.16.20.62:4500       0.0.0.0:*                           
>       >>>> unix  2      [ ]         DGRAM                     50035
>       >>>>
>       >>>> ~ # netstat -an | grep 4500
>       >>>> udp        0      0 127.0.0.1:45006         0.0.0.0:*                           
>       >>>> udp        0      0 172.16.20.62:4500       0.0.0.0:*                           
>       >>>> ~ #
>       >>>>
>       >>>> I don't see any other application binding to this port from 10.196.172.114 address.
>       >>>>
>       >>>> Any idea on what I am missing here?
>       >>>>
>       >>>> Also a related question, if I plan to use VLAN on the network interface in future, where do I specify the vlan-id in the Libreswan configuration?
>       >>>>
>       >>>> Thanks,
>       >>>> Balaji
>       >>>>
>       >>>>
>       >>>>> On Sat, May 23, 2020 at 11:09 PM Paul Wouters <paul at nohats.ca> wrote:
>       >>>>> Normally, only the "ipsec" command is in a system sbin directory. All sub commands, like "ipsec pluto" or "ipsec auto" are in the libexec/ipsec directory. Those starting with an underscore are deemed "internal only" and should not be called by humans.
>       >>>>>
>       >>>>> Sent from my iPhone
>       >>>>>
>       >>>>>>> On May 23, 2020, at 21:29, Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>       >>>>>>>
>       >>>>>> Please ignore my question in my previous email. I found that it is in /usr/local/sbin.
>       >>>>>>
>       >>>>>> Thanks,
>       >>>>>> Balaji
>       >>>>>>
>       >>>>>>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:
>       >>>>>>> Hi Paul,
>       >>>>>>>
>       >>>>>>> Thanks for the continued support.
>       >>>>>>>
>       >>>>>>> I have integrated Libreswan source code with my Linux-based project and integrated binaries of the Libreswan's dependencies and I am able to build the project.
>       >>>>>>>
>       >>>>>>> Can I access the ipsec executable in the built Linux project? If so, where does the ipsec executable typically reside? I could not find it under /usr/sbin, /usr/libexec/ipsec.
>       >>>>>>>
>       >>>>>>> Any suggestions.
>       >>>>>>>
>       >>>>>>> Thanks,
>       >>>>>>> Balaji 
>       >>>>>>>
>       >>>>>>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <paul at nohats.ca> wrote:
>       >>>>>>>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>       >>>>>>>>
>       >>>>>>>> > I have some general security-policies that just allow the traffic to pass through the system (i.e., no IPsec is applied to that traffic). Say for example, allow all traffic of certain source and destination IP and source and destination port as 5060 (SIP traffic) not processed by IPsec.
>       >>>>>>>> >
>       >>>>>>>> > In that case, how do I convey this security-policy behavior to Libreswan via the script? What parameters need to be configured? Should I create a separate connection section?
>       >>>>>>>>
>       >>>>>>>> I would still recommend you do not do this. Double encryption isn't the
>       >>>>>>>> worst these days. Excluding will allow people to see things even if not
>       >>>>>>>> encrypted. For example, TLS still leaks SNI in cleartext.
>       >>>>>>>>
>       >>>>>>>> That said, you can simply create the exceptions by doing:
>       >>>>>>>>
>       >>>>>>>> Individual conn solutions:
>       >>>>>>>>
>       >>>>>>>> conn skip-tls-out
>       >>>>>>>>         left=%defaultroute
>       >>>>>>>>         right=0.0.0.0
>       >>>>>>>>         leftprotoport=tcp/0
>       >>>>>>>>         rightprotoport=tcp/443
>       >>>>>>>>         authby=never
>       >>>>>>>>         auto=route
>       >>>>>>>>
>       >>>>>>>> You would do something similar but flipped for incoming TLS. If there is
>       >>>>>>>> a mismatch of these between hosts, all communication will fail because
>       >>>>>>>> whoever does not have the "cleartext hole" will drop the received clear
>       >>>>>>>> text traffic.
>       >>>>>>>>
>       >>>>>>>> Mesh solution:
>       >>>>>>>>
>       >>>>>>>> When using mesh encryption (Opportunistic IPsec), you can also specify
>       >>>>>>>> the nodes for specific "clear" using protocols and ports. In general,
>       >>>>>>>> longest prefix first wins with these types of rule matches.
>       >>>>>>>>
>       >>>>>>>> # /etc/ipsec.d/policies/private
>       >>>>>>>> 10.0.0.0/8
>       >>>>>>>>
>       >>>>>>>> # /etc/ipsec.d/policies/clear
>       >>>>>>>> 10.0.0.0/24  tcp  0  443
>       >>>>>>>> 1.0.0.0/0    tcp  443  0
>       >>>>>>>>
>       >>>>>>>>
>       >>>>>>>> Paul
>
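
The FIPS versus non-FIPS behaviour described in the reply at the top of this message, applied to an ipsec.secrets-style file before pluto loads it. This is an added example, not code from the thread or from Libreswan: the 16-byte minimum for sha2_256 comes from the quoted pluto warning, while the function names, verdict labels and sample entries are assumptions made for illustration.

```python
import base64
import re
from collections import namedtuple

# Minimum PSK length per PRF. The only value taken from the thread is the
# 16 bytes pluto reports for sha2_256; add others from your own policy.
PRF_MIN_PSK_BYTES = {"sha2_256": 16}

# Constructed sample in ipsec.secrets syntax. All secrets are made up, and
# every address except the first pair is a documentation address.
SAMPLE_SECRETS = '''\
# ids : PSK <secret>
10.196.175.174 10.196.172.114 : PSK "abc123"
192.0.2.1 192.0.2.2 : PSK "a-much-longer-shared-secret-0001"
192.0.2.3 192.0.2.4 : PSK 0x00112233445566778899aabbccddeeff
192.0.2.5 192.0.2.6 : PSK 0sQUJDRA==
@roaduser : XAUTH "constructed-password"
'''

# The secret itself is never stored in a Finding, only its length.
Finding = namedtuple("Finding", "line ids length verdict")

# ": PSK <secret>" at the end of a line; the secret is quoted text or a
# single unquoted token (0x hex, 0s base64, 0t text).
_PSK_ENTRY = re.compile(r'(?:^|\s):\s*PSK\s+(?P<secret>"[^"]*"|\S+)\s*$')


def psk_bytes(token):
    """Return the raw key bytes a PSK token stands for."""
    if token.startswith('"'):
        if len(token) < 2 or not token.endswith('"'):
            raise ValueError("unterminated quoted PSK")
        return token[1:-1].encode("utf-8")
    prefix, body = token[:2].lower(), token[2:]
    if prefix == "0x":
        return bytes.fromhex(body)
    if prefix == "0s":
        return base64.b64decode(body, validate=True)
    if prefix == "0t":
        return body.encode("utf-8")
    raise ValueError("unrecognised PSK encoding")


def audit_secrets(text, prf="sha2_256", fips=False):
    """Classify every PSK entry as ok, warning (non-FIPS) or fatal (FIPS)."""
    minimum = PRF_MIN_PSK_BYTES[prf]
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PSK_ENTRY.search(line)
        if match is None:
            continue  # not a PSK entry (XAUTH, RSA, include, ...)
        ids = line[:match.start()].strip() or "(any)"
        try:
            length = len(psk_bytes(match.group("secret")))
        except ValueError:  # bad hex or base64, or unknown prefix
            findings.append(Finding(lineno, ids, None, "unparsable"))
            continue
        if length >= minimum:
            verdict = "ok"
        else:
            # Too short: a warning normally, a hard failure in FIPS mode.
            verdict = "fatal" if fips else "warning"
        findings.append(Finding(lineno, ids, length, verdict))
    return findings


if __name__ == "__main__":
    for fips in (False, True):
        print("FIPS mode" if fips else "non-FIPS mode")
        for f in audit_secrets(SAMPLE_SECRETS, fips=fips):
            print(f"  line {f.line}: {f.ids}: {f.length} bytes -> {f.verdict}")
```

Length is measured on the decoded key, so a 32-character hex token counts as 16 bytes and a quoted string counts by its encoded length.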

