[Swan] Building tunnel specifically for DNS

Alex mysqlstudent at gmail.com
Tue Oct 2 02:17:05 UTC 2018


Hi,

On Fri, Sep 21, 2018 at 8:58 AM Tuomo Soini <tis at foobar.fi> wrote:
>
> On Thu, 20 Sep 2018 16:13:46 -0400 (EDT)
> Paul Wouters <paul at nohats.ca> wrote:
>
> > On Thu, 20 Sep 2018, Alex wrote:
> >
> > > I'm interested in building a tunnel between two Linux boxes
> > > specifically to send DNS requests.
>
> > Yes it is possible. The easiest would be to just do a host-to-host
> > tunnel that covers everything including DNS, eg:
> >
> > https://libreswan.org/wiki/Host_to_host_VPN
> >
> > If you really want to limit it to DNS, then you need to take
> > that connection and copy it so you have two (using two different
> > names, eg dns-tcp and dns-udp) and then add
> >
> >       # assumes left is the DNS client, right the DNS server
> >       leftprotoport=udp/%any
> >       rightprotoport=udp/53
>
> Note, this example is not enough, you also need another tunnel for
> tcp/53 traffic. So Paul's initial suggestion to tunnel everything
> host-host is much simpler.

I got it to work for one host-to-host tunnel using the URL above
between the remote system (arcade) and one local system (mail03), but
I'm having a problem adding a second host (orion). arcade is the right
side in both configs.

I'm attempting to do this:

[arcade] --------------------- [orion]
            \
             \
              [mail03]

orion also has a net-to-net VPN with a different set of systems using
certs. It's been some time since we set it up and I've forgotten
exactly how we did it, but it involved certutil, not just ipsec to
generate keys.

Is there something different that has to be done when adding a second
host? Perhaps it's getting confused as to which key to be using?

     "oriontun" #5: ignoring informational payload
INVALID_KEY_INFORMATION, msgid=00000000, length=12
     "oriontun" #5: received and ignored informational message

     "oriontun" #84: Signature check (on @orion) failed (wrong key?);
tried *AwEAAds52
     "oriontun" #84: sending encrypted notification
INVALID_KEY_INFORMATION to 68.195.193.42:500

How do I list all the certs in the NSS database? On orion, where I
used certs to build a net-to-net VPN, I can use "certutil -K -d
/etc/ipsec.d", but on arcade, where I just followed the doc above, it
fails with SEC_ERROR_LEGACY_DATABASE. Both systems are Fedora 28.

How do I list all the keys that were created using ipsec?

Is it important for the leftid and rightid to be unique throughout
/etc/ipsec.conf?

Can you provide the steps to do this using certs?

Also, it's necessary to add --ckaid to the ipsec showhostkey command,
which is not made clear in the wiki doc.
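Putting Paul's protoport suggestion and Tuomo's tcp/53 note together, here is what the DNS-only variant of the wiki's host-to-host connection looks like as a full ipsec.conf fragment. This is an added example, not text from the thread or the libreswan wiki; the addresses, ids and key strings are placeholders that have to be replaced with each host's real values (the keys come from ipsec showhostkey --ckaid on the respective host).

```ini
# /etc/ipsec.conf fragment (added example; all addresses, ids and keys are placeholders)
# "west" is the DNS client (left), "east" is the DNS server (right).
# Two connections are needed: one protoport selector cannot match both
# UDP and TCP, and DNS uses both (TCP for large answers and zone transfers).
# Any other traffic between the two hosts stays outside the tunnel.

conn dns-udp
    left=192.0.2.10                   # DNS client (placeholder address)
    leftid=@west
    leftrsasigkey=0sAQ...WEST-KEY     # placeholder: ipsec showhostkey --left --ckaid <ckaid> on west
    right=198.51.100.20               # DNS server (placeholder address)
    rightid=@east
    rightrsasigkey=0sAQ...EAST-KEY    # placeholder: ipsec showhostkey --right --ckaid <ckaid> on east
    authby=rsasig
    leftprotoport=udp/%any            # client uses an ephemeral source port
    rightprotoport=udp/53             # only traffic to the server's DNS port
    auto=start

conn dns-tcp
    left=192.0.2.10
    leftid=@west
    leftrsasigkey=0sAQ...WEST-KEY     # same placeholder key as above
    right=198.51.100.20
    rightid=@east
    rightrsasigkey=0sAQ...EAST-KEY    # same placeholder key as above
    authby=rsasig
    leftprotoport=tcp/%any
    rightprotoport=tcp/53
    auto=start
```

After loading, `ipsec status` should show both connections and `ipsec trafficstatus` should only count packets that actually went to port 53; a plain ping between the hosts will stay in the clear, which is the intended way to confirm the selectors are narrow.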

