[Swan] libreswan on amazon web services to remote libreswan installation
Paul Wouters
paul at nohats.ca
Thu Mar 5 21:25:13 EET 2015
On Thu, 5 Mar 2015, Aaron wrote:
> Thanks a lot Paul. A few more questions.
> 1) Do I also need leftcert=leftnickname and rightcert=rightnickname ?
When using certificates you need something yes. Usually you install the
CA cert and client cert/key using a PKCS#12 file on each node. You
can use "ipsec import file.p12" for that.
> 2) Also in the ipsec.secrets file is a password needed at the : RSA nickname "?password?" My NSS database has a password but I haven't added a
> password to my left and right certs explicitly.
The importing deals with the password. Then it is in the NSS store and
does not need a password itself. So just add :RSA "nickname" without
specifying a password. In libreswan-3.13 or 3.14 you will be able
to omit the entire entry in ipsec.secrets.
> 3) On the right side after running ipsec verify I receive this info where many more options appear to be enabled which seems odd.
>
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Hardware random device [N/A]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/dummy0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/gre0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/gretap0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip6_vti0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip6gre0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/sit0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/teql0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/tunl0/rp_filter [ENABLED]
> rp_filter is not fully aware of IPsec and should be disabled
That is best disabled in /etc/sysctl.conf
> 4) In addition in the interoperability instructions it mentions adding this info to the loopback interface if running under EC2. Do you find it
> necessary?
>
> /etc/sysconfig/network-scripts/ifcfg-lo:elastic:
>
> DEVICE=lo:elastic
> # use your elastic ip here
> IPADDR=a.b.c.d
> NETMASK=255.255.255.255
> ONBOOT=yes
> NAME=elasticIP
It is necessary if you need to build packets with that source ip to
enter the tunnel. If your tunnel is for leftsubnet=10.1.2.0/24 you
don't need it, but if your tunnel has leftsubnet=a.b.c.d/32 you need it.
Paul
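An added check for the rp_filter point above, not code from the thread or from libreswan: it walks every interface's rp_filter under a /proc/sys-style root (the root is a parameter so it can be run against a constructed tree) and prints the two /etc/sysctl.conf lines that make the setting persistent; the function names are my own.

```shell
#!/bin/sh
# Added example: audit rp_filter per interface and emit the persistent fix.

# rp_filter_audit ROOT
# ROOT holds net/ipv4/conf/<iface>/rp_filter (normally /proc/sys; passed in
# so the check can run against a constructed tree). Prints "IFACE rp_filter=N"
# for every interface where the value is not 0 and returns 1 if any was found,
# 0 when all interfaces already have rp_filter disabled.
rp_filter_audit() {
    root=${1:-/proc/sys}
    found=0
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        # 1 = strict, 2 = loose; either drops decapsulated IPsec traffic
        # whose return route does not match the arriving interface.
        if [ "$val" != "0" ]; then
            echo "$iface rp_filter=$val"
            found=1
        fi
    done
    return $found
}

# rp_filter_sysctl_lines
# The lines to append to /etc/sysctl.conf: 'all' covers interfaces that
# exist now, 'default' covers interfaces created later (tunnels, dummies).
rp_filter_sysctl_lines() {
    printf '%s\n' \
        'net.ipv4.conf.all.rp_filter = 0' \
        'net.ipv4.conf.default.rp_filter = 0'
}
```

Run `rp_filter_audit` with no argument on a live host to see the same per-interface list that `ipsec verify` prints, then apply the emitted lines with `sysctl -p`.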