[Swan] LibreSwan - Transport Mode, Secure Only by Multiple IP Addresses

Matt Dennison Matt.Dennison at tribalgroup.com
Mon Dec 18 15:33:33 UTC 2017 

Hi Paul

Thanks for this.  I have it working 😊

Regards

Matt
-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: 14 December 2017 19:53
To: Matt Dennison <Matt.Dennison at tribalgroup.com>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] LibreSwan - Transport Mode, Secure Only by Multiple IP Addresses

On Thu, 14 Dec 2017, Matt Dennison wrote:

> I am attempting to secure traffic between a LibreSwan host and 
> multiple dynamic Windows hosts.  If I specify a single right host as 
> shown in the configuration below it works as expected, in that 
> security is required.  However, if I change to a IP range or %any, security is now only optional.  I need to change this behaviour so security is required.  I have not been able to figure out how to enforce this change in behaviour, can anyone help?

When using right=%any, you cannot use auto=start, because you do not know where "any" is. So the other endpoints need to initiate to you.

If you want to avoid leaking unencrypted packets before those endpoints initiate you, you can either an iptables or an ipsec based block rule.

Using iptables:

iptables -A OUTPUT -s 192.168.10.130/32 -d 192.168.10.127/30 -m policy --dir out --pol ipsec -j ACCEPT iptables -A OUTPUT -s 192.168.10.130/32 -d 192.168.10.127/30 -m policy --dir out --pol none -j DROP

To do the same within ipsec, you could do:

conn block-plain
 	left=192.168.10.130
 	right=%any
 	rightsubnet=192.168.10.127/30
 	type=drop
 	authby=never
 	auto=route
 	# low priority so tunnels win when up
 	priority=6000

Paul

> conn main
> type=transport
> authby=secret
> left=192.168.10.130
> right=192.168.10.128
> # right=192.168.10.127-192.168.10.129
> # right=%any
> pfs=yes
> ike=3des-sha1;modp1024
> phase2=esp
> auto=start
> 
>  
> 
> Thanks
> 
>  
> 
> Matt
Information contained in this e-mail is intended for the use of the addressee only, is confidential and may be the subject of Legal Professional Privilege. Any dissemination, distribution, copying or use of this communication without our prior permission or that of the addressee is strictly prohibited.
The contents of an attachment to this e-mail may contain software viruses, which could damage your own computer system. While Tribal has taken every reasonable precaution to minimise this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should carry out your own virus checks before opening the attachment. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20171218/6a623f02/attachment.html>

More information about the Swan mailing list