[Swan] libreswan on amazon web services to remote libreswan installation

Paul Wouters paul at nohats.ca
Thu Mar 5 21:25:13 EET 2015


On Thu, 5 Mar 2015, Aaron wrote:

> Thanks a lot Paul. A few more questions.
> 1) Do I also need leftcert=leftnickname and rightcert=rightnickname ?

When using certificates you need something yes. Usually you install the
CA cert and client cert/key using a PKCS#12 file on each node. You
can use "ipsec import file.p12" for that.

> 2) Also in the ipsec.secrets file is a password needed at the : RSA nickname "?password?"  My NSS database has a password but I haven't added a
> password to my left and right certs explicitly.

The importing deals with the password. Then it is in the NSS store and
does not need a password itself. So just add :RSA "nickname" without
specifying a password. In libreswan-3.13 or 3.14 you will be able
to omit the entire entry in ipsec.secrets.

> 3) On the right side after running ipsec verify I receive this info where many more options appear to be enabled which seems odd.
> 
> XFRM larval drop                                    [OK]
> Pluto ipsec.conf syntax                             [OK]
> Hardware random device                              [N/A]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter                                  [ENABLED]
>  /proc/sys/net/ipv4/conf/default/rp_filter          [ENABLED]
>  /proc/sys/net/ipv4/conf/dummy0/rp_filter           [ENABLED]
>  /proc/sys/net/ipv4/conf/eth0/rp_filter             [ENABLED]
>  /proc/sys/net/ipv4/conf/gre0/rp_filter             [ENABLED]
>  /proc/sys/net/ipv4/conf/gretap0/rp_filter          [ENABLED]
>  /proc/sys/net/ipv4/conf/ip6_vti0/rp_filter         [ENABLED]
>  /proc/sys/net/ipv4/conf/ip6gre0/rp_filter          [ENABLED]
>  /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter          [ENABLED]
>  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter          [ENABLED]
>  /proc/sys/net/ipv4/conf/sit0/rp_filter             [ENABLED]
>  /proc/sys/net/ipv4/conf/teql0/rp_filter            [ENABLED]
>  /proc/sys/net/ipv4/conf/tunl0/rp_filter            [ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled

That is best disabled in /etc/sysctl.conf

> 4) In addition in the interoperability instructions it mentions adding this info to the loopback interface if running under EC2.  Do you find it
> necessary?
> 
> /etc/sysconfig/network-scripts/ifcfg-lo:elastic:
> 
> DEVICE=lo:elastic
> # use your elastic ip here
> IPADDR=a.b.c.d
> NETMASK=255.255.255.255
> ONBOOT=yes
> NAME=elasticIP

It is necessary if you need to build packets with that source ip to
enter the tunnel. If your tunnel is for leftsubnet=10.1.2.0/24 you
don't need it, but if your tunnel has leftsubnet=a.b.c.d/32 you need it.

Paul
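
The script below is an added example, not part of the thread above and not
libreswan's own tooling. It stages the three pieces Paul's reply describes
(the password-less ":RSA" entry in ipsec.secrets, a sysctl fragment that
turns rp_filter off for every interface ipsec verify would flag, and the
lo:elastic alias that is only needed when leftsubnet is the elastic IP as a
/32) into a temporary directory so they can be reviewed before being copied
into place. The NSS nickname "ec2gw", the elastic IP 203.0.113.10, the conn
names and the stand-in /proc tree are all constructed for the example; the
PKCS#12 import itself ("ipsec import file.p12") is assumed to have been done
already and is not run here.

```shell
#!/bin/sh
# Added example (not from the Swan thread or the libreswan project).
# Stages ipsec.secrets, a sysctl fragment and ifcfg-lo:elastic for review.
# Hypothetical values: NSS nickname "ec2gw", elastic IP 203.0.113.10.
set -eu

# ipsec.secrets entry. After "ipsec import file.p12" the private key lives in
# the NSS database, so the entry carries only the nickname, no password.
ipsec_secrets_entry() {
    printf ': RSA "%s"\n' "$1"
}

# sysctl.conf fragment clearing rp_filter for all, default and every interface
# found under a directory laid out like /proc/sys/net/ipv4/conf.
# Pass the real path on a host, or the constructed tree built by stage() below.
rp_filter_sysctl() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$(basename "$d")"
    done
}

# Interfaces whose rp_filter is still non-zero, i.e. what ipsec verify
# reports as [ENABLED].
rp_filter_enabled() {
    for f in "$1"/*/rp_filter; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = 0 ] || basename "$(dirname "$f")"
    done
}

# Extract leftsubnet= from one conn section of an ipsec.conf file.
conn_leftsubnet() {
    awk -v want="$2" '
        /^conn[ \t]/ { inconn = ($2 == want); next }
        inconn && $1 ~ /^leftsubnet=/ { sub(/^leftsubnet=/, "", $1); print $1; exit }
    ' "$1"
}

# The lo:elastic alias is needed only when packets must be built with the
# elastic IP itself as source, i.e. leftsubnet is that address as a /32.
lo_alias_needed() {
    case "$1" in
        "$2"/32|"$2") return 0 ;;
        *) return 1 ;;
    esac
}

ifcfg_lo_elastic() {
    printf 'DEVICE=lo:elastic\nIPADDR=%s\nNETMASK=255.255.255.255\nONBOOT=yes\nNAME=elasticIP\n' "$1"
}

# Build a constructed stand-in for /proc/sys/net/ipv4/conf (rp_filter on
# everywhere except lo) and an ipsec.conf with one host-only conn and one
# subnet conn, then stage the generated files. Prints the work directory.
stage() {
    work=$(mktemp -d)
    for i in all default eth0 lo tunl0; do
        mkdir -p "$work/conf/$i"
        echo 1 > "$work/conf/$i/rp_filter"
    done
    echo 0 > "$work/conf/lo/rp_filter"
    cat > "$work/ipsec.conf" <<'EOF'
conn ec2-to-remote
    left=10.0.0.5
    leftsubnet=203.0.113.10/32
    leftcert=ec2gw
    right=198.51.100.7
    rightsubnet=192.168.5.0/24
    auto=start

conn ec2-lan-to-remote
    leftsubnet=10.1.2.0/24
    rightsubnet=192.168.5.0/24
EOF
    mkdir -p "$work/stage"
    ipsec_secrets_entry ec2gw > "$work/stage/ipsec.secrets"
    rp_filter_sysctl "$work/conf" > "$work/stage/99-ipsec-rp_filter.conf"
    if lo_alias_needed "$(conn_leftsubnet "$work/ipsec.conf" ec2-to-remote)" 203.0.113.10; then
        ifcfg_lo_elastic 203.0.113.10 > "$work/stage/ifcfg-lo:elastic"
    fi
    echo "$work"
}

dir=$(stage)
echo "staged under $dir/stage:"
ls "$dir/stage"
echo "rp_filter still enabled on: $(rp_filter_enabled "$dir/conf" | tr '\n' ' ')"
```

On a real host, run rp_filter_sysctl against /proc/sys/net/ipv4/conf and
drop the result into /etc/sysctl.d, then re-run ipsec verify; the lo:elastic
file only goes into /etc/sysconfig/network-scripts when the conn's leftsubnet
really is the elastic address.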

