<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Most of XFRM and ESP <div><br></div><div>Paul<br><br><div dir="ltr">Sent from my iPhone</div><div dir="ltr"><br><blockquote type="cite">On May 30, 2020, at 21:23, Balaji Thoguluva <tbbalaji@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div>Hi Paul et al.,</div><div><br></div><div>If I assume the above error is because the required kernel modules required by Libreswan are not included or built with the Linux kernel, can anybody refer me to the list of kernel modules that needs to be included required by the Libreswan that would avoid this error? </div><div><br></div><div>If my assumption is not correct, please advise me on how to proceed further.</div><div><br></div><div>Thanks,</div><div>Balaji</div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Sat, May 30, 2020 at 6:34 PM Balaji Thoguluva <<a href="mailto:tbbalaji@gmail.com">tbbalaji@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div dir="ltr"><div>Hi All,</div><div><br></div><div>Please ignore my previous question. </div><div><br></div><div>I was able to proceed further. Now I am able to get the IKE negotiation going successfully but when it attempts to install SA's to Linux kernel, it runs into an error. Here is the pluto logs.</div><div><br></div><div>May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: initiating v2 parent SA<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local IKE proposals for radius (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: STATE_PARENT_I1: sent v2I1, expected v2R1<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: WARNING: connection radius PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local ESP/AH proposals for radius (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP1536}<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '10.196.175.174' <br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: WARNING: connection radius PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: Authenticated using authby=secret <br><b><font color="#ff0000">May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink response for Add SA <a href="mailto:esp.ca3c4668@10.196.175.174" target="_blank">esp.ca3c4668@10.196.175.174</a> included errno 93: Protocol not supported<br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: setup_half_ipsec_sa() hit fail: </font></b><br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: deleting state (STATE_PARENT_I2) and NOT sending notification <br>May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink response for Del SA <a href="mailto:esp.ca3c4668@10.196.175.174" target="_blank">esp.ca3c4668@10.196.175.174</a> included errno 3: No such process</div><div><br></div><div>Am I missing anything and any idea on how to overcome this error?</div><div><br></div><div>Advance thanks.</div><div><br></div><div>Regards,</div><div>Balaji</div></div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Tue, May 26, 2020 at 3:52 PM Balaji Thoguluva <<a href="mailto:tbbalaji@gmail.com" target="_blank">tbbalaji@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>I attempted to specify the IP address explicitly as a command line argument, but it still fails to bind for some reason. Am I running into some permission issue? </div><div><br></div><div>~ # ifconfig<br></div><div>wancom0 Link encap:Ethernet HWaddr 00:08:25:A4:09:10 <br> inet addr:10.196.172.114 Bcast:10.196.255.255 Mask:255.255.128.0<br> inet6 addr: fe80::208:25ff:fea4:910/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> RX packets:3871219 errors:0 dropped:1079 overruns:0 frame:0<br> TX packets:35917 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1000 <br> RX bytes:260061626 (248.0 MiB) TX bytes:7536742 (7.1 MiB)<br> Memory:f7580000-f75fffff </div><div><br></div><div>~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork --stderrlog<br> --interface 10.196.172.114 --listen 10.196.172.114<br>May 26 19:21:26.049457: bind() will be filtered for 10.196.172.114</div><div>Pluto initialized<br>May 26 19:21:26.049752: NSS DB directory: sql:/etc/ipsec.d<br>May 26 19:21:26.049834: Initializing NSS<br>May 26 19:21:26.049846: Opening NSS database "sql:/etc/ipsec.d" read-only<br>May 26 19:21:26.129870: NSS initialized<br>May 26 19:21:26.129884: NSS crypto library initialized<br>May 26 19:21:26.129889: FIPS HMAC integrity support [disabled]<br>May 26 19:21:26.129971: libcap-ng support [enabled]<br>May 26 19:21:26.129982: Linux audit support [disabled]<br>May 26 19:21:26.129988: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:13283<br>May 26 19:21:26.129994: core dump dir: /run/pluto<br>May 26 19:21:26.129999: secrets file: /etc/ipsec.secrets<br>May 26 19:21:26.130003: leak-detective disabled<br>May 26 19:21:26.130008: NSS crypto [enabled]<br>May 26 19:21:26.130011: XAUTH PAM support [disabled]<br>May 26 19:21:26.130058: NAT-Traversal support [enabled]<br>May 26 19:21:26.130077: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)<br>May 26 19:21:26.130193: Encryption algorithms:<br>May 26 19:21:26.130201: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)<br>May 26 19:21:26.130206: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)<br>May 26 19:21:26.130212: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)<br>May 26 19:21:26.130219: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)<br>May 26 19:21:26.130223: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}<br>May 26 19:21:26.130227: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)<br>May 26 19:21:26.130231: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)<br>May 26 19:21:26.130236: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)<br>May 26 19:21:26.130239: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)<br>May 26 19:21:26.130245: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)<br>May 26 19:21:26.130249: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)<br>May 26 19:21:26.130253: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)<br>May 26 19:21:26.130259: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)<br>May 26 19:21:26.130263: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)<br>May 26 19:21:26.130267: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)<br>May 26 19:21:26.130272: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} (aes_gmac)<br>May 26 19:21:26.130275: NULL IKEv1: ESP IKEv2: ESP []<br>May 26 19:21:26.130281: Hash algorithms:<br>May 26 19:21:26.130285: MD5 IKEv1: IKE IKEv2: <br>May 26 19:21:26.130289: SHA1 IKEv1: IKE IKEv2: FIPS (sha)<br>May 26 19:21:26.130292: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)<br>May 26 19:21:26.130295: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)<br>May 26 19:21:26.130299: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)<br>May 26 19:21:26.130307: PRF algorithms:<br>May 26 19:21:26.130310: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)<br>May 26 19:21:26.130314: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)<br>May 26 19:21:26.130317: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)<br>May 26 19:21:26.130321: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)<br>May 26 19:21:26.130325: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)<br>May 26 19:21:26.130328: AES_XCBC IKEv1: IKEv2: IKE FIPS (aes128_xcbc)<br>May 26 19:21:26.130338: Integrity algorithms:<br>May 26 19:21:26.130342: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)<br>May 26 19:21:26.130346: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)<br>May 26 19:21:26.130350: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)<br>May 26 19:21:26.130354: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)<br>May 26 19:21:26.130358: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)<br>May 26 19:21:26.130363: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)<br>May 26 19:21:26.130366: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)<br>May 26 19:21:26.130370: NONE IKEv1: ESP IKEv2: ESP FIPS (null)<br>May 26 19:21:26.130379: DH algorithms:<br>May 26 19:21:26.130382: NONE IKEv1: IKEv2: IKE ESP AH (null dh0)<br>May 26 19:21:26.130386: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)<br>May 26 19:21:26.130389: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)<br>May 26 19:21:26.130393: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)<br>May 26 19:21:26.130396: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)<br>May 26 19:21:26.130400: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)<br>May 26 19:21:26.130403: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)<br>May 26 19:21:26.130407: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)<br>May 26 19:21:26.130411: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)<br>May 26 19:21:26.130414: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)<br>May 26 19:21:26.130418: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)<br>May 26 19:21:26.130422: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS<br>May 26 19:21:26.130425: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS<br>May 26 19:21:26.132693: starting up 7 crypto helpers<br>May 26 19:21:26.132724: started thread for crypto helper 0<br>May 26 19:21:26.132740: started thread for crypto helper 1<br>May 26 19:21:26.132744: seccomp security for crypto helper not supported<br>May 26 19:21:26.132756: started thread for crypto helper 2<br>May 26 19:21:26.132762: seccomp security for crypto helper not supported<br>May 26 19:21:26.132794: started thread for crypto helper 3<br>May 26 19:21:26.132796: seccomp security for crypto helper not supported<br>May 26 19:21:26.132814: started thread for crypto helper 4<br>May 26 19:21:26.132758: seccomp security for crypto helper not supported<br>May 26 19:21:26.133265: started thread for crypto helper 5<br>May 26 19:21:26.133267: seccomp security for crypto helper not supported<br>May 26 19:21:26.133292: started thread for crypto helper 6<br>May 26 19:21:26.133296: seccomp security for crypto helper not supported<br>May 26 19:21:26.133320: Using Linux XFRM/NETKEY IPsec interface code on 4.14.35<br>May 26 19:21:26.132829: seccomp security for crypto helper not supported<br>May 26 19:21:26.266276: seccomp security not supported<br>May 26 19:21:26.267538: added connection description "radius"<br>May 26 19:21:26.267588: listening for IKE messages<br>May 26 19:21:26.267609: FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use<br>May 26 19:21:26.267619: "radius": deleting non-instance connection<br>connect(pluto_ctl) failed: No such file or directory<br>~ # <br><br></div><div>Thanks,</div><div>Balaji</div></div></div></div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Tue, May 26, 2020 at 3:01 PM Balaji Thoguluva <<a href="mailto:tbbalaji@gmail.com" target="_blank">tbbalaji@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Thanks Paul.</div><div><br></div><div>Another question.</div><div><br></div><div>I have integrated Libreswan source code and its dependent binaries to my Linux based project. Please note that the Linux OS I have is not a full-blown OS but a stripped down version with limited features.</div><div><br></div><div>When I try to invoke pluto like this,</div><div><br></div><div>~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork --stderrlog<br>Pluto initialized<br>May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d<br>May 26 18:22:44.640085: Initializing NSS<br>May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d" read-only<br>May 26 18:22:44.749626: NSS initialized<br>May 26 18:22:44.749643: NSS crypto library initialized<br>May 26 18:22:44.749649: FIPS HMAC integrity support [disabled]<br>May 26 18:22:44.749770: libcap-ng support [enabled]<br>May 26 18:22:44.749778: Linux audit support [disabled]<br>May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445<br>May 26 18:22:44.749792: core dump dir: /run/pluto<br>May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets<br>May 26 18:22:44.749808: leak-detective disabled<br>May 26 18:22:44.749814: NSS crypto [enabled]<br>May 26 18:22:44.749819: XAUTH PAM support [disabled]<br>May 26 18:22:44.749926: NAT-Traversal support [enabled]<br>May 26 18:22:44.749958: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)<br>May 26 18:22:44.750135: Encryption algorithms:<br>May 26 18:22:44.750148: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)<br>May 26 18:22:44.750156: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)<br>May 26 18:22:44.750164: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)<br>May 26 18:22:44.750174: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)<br>May 26 18:22:44.750182: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}<br>May 26 18:22:44.750190: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)<br>May 26 18:22:44.750198: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)<br>May 26 18:22:44.750206: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)<br>May 26 18:22:44.750213: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)<br>May 26 18:22:44.750224: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)<br>May 26 18:22:44.750231: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)<br>May 26 18:22:44.750240: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)<br>May 26 18:22:44.750248: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)<br>May 26 18:22:44.750255: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)<br>May 26 18:22:44.750262: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)<br>May 26 18:22:44.750280: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} (aes_gmac)<br>May 26 18:22:44.750287: NULL IKEv1: ESP IKEv2: ESP []<br>May 26 18:22:44.750298: Hash algorithms:<br>May 26 18:22:44.750304: MD5 IKEv1: IKE IKEv2: <br>May 26 18:22:44.750311: SHA1 IKEv1: IKE IKEv2: FIPS (sha)<br>May 26 18:22:44.750325: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)<br>May 26 18:22:44.750333: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)<br>May 26 18:22:44.750340: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)<br>May 26 18:22:44.750354: PRF algorithms:<br>May 26 18:22:44.750360: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)<br>May 26 18:22:44.750369: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)<br>May 26 18:22:44.750377: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)<br>May 26 18:22:44.750383: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)<br>May 26 18:22:44.750389: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)<br>May 26 18:22:44.750396: AES_XCBC IKEv1: IKEv2: IKE FIPS (aes128_xcbc)<br>May 26 18:22:44.750411: Integrity algorithms:<br>May 26 18:22:44.750420: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)<br>May 26 18:22:44.750426: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)<br>May 26 18:22:44.750432: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)<br>May 26 18:22:44.750439: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)<br>May 26 18:22:44.750447: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)<br>May 26 18:22:44.750453: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)<br>May 26 18:22:44.750460: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)<br>May 26 18:22:44.750466: NONE IKEv1: ESP IKEv2: ESP FIPS (null)<br>May 26 18:22:44.750491: DH algorithms:<br>May 26 18:22:44.750499: NONE IKEv1: IKEv2: IKE ESP AH (null dh0)<br>May 26 18:22:44.750506: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)<br>May 26 18:22:44.750513: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)<br>May 26 18:22:44.750527: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)<br>May 26 18:22:44.750534: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)<br>May 26 18:22:44.750540: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)<br>May 26 18:22:44.750546: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)<br>May 26 18:22:44.750552: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)<br>May 26 18:22:44.750559: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)<br>May 26 18:22:44.750566: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)<br>May 26 18:22:44.750574: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)<br>May 26 18:22:44.750579: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS<br>May 26 18:22:44.750586: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS<br>May 26 18:22:44.755598: starting up 7 crypto helpers<br>May 26 18:22:44.755652: started thread for crypto helper 0<br>May 26 18:22:44.755655: seccomp security for crypto helper not supported<br>May 26 18:22:44.755689: started thread for crypto helper 1<br>May 26 18:22:44.755704: seccomp security for crypto helper not supported<br>May 26 18:22:44.755721: started thread for crypto helper 2<br>May 26 18:22:44.755723: seccomp security for crypto helper not supported<br>May 26 18:22:44.755761: seccomp security for crypto helper not supported<br>May 26 18:22:44.755761: started thread for crypto helper 3<br>May 26 18:22:44.755798: started thread for crypto helper 4<br>May 26 18:22:44.755799: seccomp security for crypto helper not supported<br>May 26 18:22:44.755836: seccomp security for crypto helper not supported<br>May 26 18:22:44.755836: started thread for crypto helper 5<br>May 26 18:22:44.755884: started thread for crypto helper 6<br>May 26 18:22:44.755885: seccomp security for crypto helper not supported<br>May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code on 4.14.35<br>May 26 18:22:44.927272: seccomp security not supported<br>May 26 18:22:44.929155: added connection description "radius"<br>May 26 18:22:44.929200: listening for IKE messages<br>May 26 18:22:44.929229: FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use<br>May 26 18:22:44.929240: "radius": deleting non-instance connection<br>connect(pluto_ctl) failed: No such file or directory<br>~ # <br><br></div><div>I have the following conf file at /etc/ipsec.d/radius.conf</div><div><br></div><div>conn radius<br> left=10.196.175.174<br> leftid=10.196.175.174<br> leftsubnet=<a href="http://10.196.175.174/32" target="_blank">10.196.175.174/32</a><br> right=10.196.172.114<br> rightid=10.196.172.114<br> rightsubnet=<a href="http://10.196.172.114/32" target="_blank">10.196.172.114/32</a><br> auto=start<br><br></div><div>10.196.172.114 is my local Linux interface and 10.196.175.174 is my peer IP address where I want to establish an IKE connection to.</div><div><br></div><div>~ # netstat -an | grep 500<br>udp 0 0 <a href="http://172.16.20.62:500" target="_blank">172.16.20.62:500</a> 0.0.0.0:* <br>udp 0 0 <a href="http://127.0.0.1:45006" target="_blank">127.0.0.1:45006</a> 0.0.0.0:* <br>udp 0 0 <a href="http://172.16.20.62:4500" target="_blank">172.16.20.62:4500</a> 0.0.0.0:* <br>unix 2 [ ] DGRAM 50035 <br><br></div><div>~ # netstat -an | grep 4500<br>udp 0 0 <a href="http://127.0.0.1:45006" target="_blank">127.0.0.1:45006</a> 0.0.0.0:* <br>udp 0 0 <a href="http://172.16.20.62:4500" target="_blank">172.16.20.62:4500</a> 0.0.0.0:* <br>~ # <br><br></div><div>I don't see any other application binding to this port from 10.196.172.114 address.</div><div><br></div><div>Any idea on what I am missing here? </div><div><br></div><div>Also a related question, if I plan to use VLAN on the network interface in future, where do I specify the vlan-id in the Libreswan configuration?</div><div><br></div><div>Thanks,</div><div>Balaji</div><div><br></div></div></div></div></div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Sat, May 23, 2020 at 11:09 PM Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="auto">Normally, only the “ipsec” command is in a system sbin directory. All sub commands, like “ipsec pluto” or “ipsec auto” are in the libexec/ipsec directory. Those starting with an underscore are deemed “internal only” and should not be called by humans.<br><br><div dir="ltr">Sent from my iPhone</div><div dir="ltr"><br><blockquote type="cite">On May 23, 2020, at 21:29, Balaji Thoguluva <<a href="mailto:tbbalaji@gmail.com" target="_blank">tbbalaji@gmail.com</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div>Please ignore my question in my previous email. I found that it is in /usr/local/sbin.</div><div><br></div><div>Thanks,</div><div>Balaji</div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <<a href="mailto:tbbalaji@gmail.com" target="_blank">tbbalaji@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div dir="ltr"><div>Hi Paul,</div><div><br></div><div>Thanks for the continued support.</div><div><br></div><div>I have integrated Libreswan source code with my Linux-based project and integrated binaries of the Libreswan's dependencies and I am able to build the project. </div><div><br></div><div>Can I access the ipsec executable in the built Linux project? If so, where does the ipsec executable typically reside? I could not find it under /usr/sbin, /usr/libexec/ipsec.</div><div><br></div><div>Any suggestions.</div><div><br></div><div>Thanks,</div><div>Balaji </div></div></div><br><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Mon, May 18, 2020 at 3:05 PM Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">On Mon, 18 May 2020, Balaji Thoguluva wrote:<br>
<br>
> I have some general security-policies that just allow the traffic to pass through the system (i.e., no IPsec is applied to those traffic). Say for example, allow all traffic<br>
> of of certain source and destination IP and source and destination port as 5060 (SIP traffic) not processed by IPsec. <br>
> <br>
> In that case, how do I convey this security-policy behavior to Libreswan via the script? What parameters need to be configured? Should I create a separate connection section?<br>
<br>
I would still recommend you do not do this. Double encryption isn't the<br>
worst these days. Excluding will allow people to see things even if not<br>
encrypted. For example, TLS still leaks SNI in cleartext.<br>
<br>
That said, you can simply create the exceptions by doing:<br>
<br>
Individual conn solutions:<br>
<br>
conn skip-tls-out<br>
left=%defaultroute<br>
right=0.0.0.0<br>
leftprotoport=tcp/0<br>
rightprotoport=tcp/443<br>
authby=never<br>
auto=route<br>
<br>
You would do something similar but flipped for incoming TLS. If there is<br>
a mismatch of these between hosts, all communication will fail because<br>
whoever does not have the "cleartext hole" will drop the received clear<br>
text traffic.<br>
<br>
Mesh solution:<br>
<br>
When using mesh encryption (Oportunistic IPsec), you can also specify<br>
the nodes for specific "clear" using protocols and ports. In general,<br>
longest prefix first wins with these type of rule matchines<br>
<br>
# /etc/ipsec.d/policies/private<br>
<a href="http://10.0.0.0/8" target="_blank" rel="noreferrer">10.0.0.0/8</a><br>
<br>
# /etc/ipsec.d/policies/clear<br>
<a href="http://10.0.0.0/24" target="_blank" rel="noreferrer">10.0.0.0/24</a> tcp 0 443<br>
<a href="http://1.0.0.0/0" target="_blank" rel="noreferrer">1.0.0.0/0</a> tcp 443 0<br>
<br>
<br>
Paul<br>
</blockquote></div>
</blockquote></div>
</div></blockquote></div></blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</div></blockquote></div></body></html>