Thanks Paul for the information.

On Mon, May 11, 2020 at 1:29 PM Paul Wouters <[email protected]> wrote:

> On Mon, 11 May 2020, Balaji Thoguluva wrote:
>
> > I am a newbie to Libreswan. I am working on a Linux based application project where we need IKEv2 and IPsec stack to support sending traffic over IKEv2/IPsec established tunnel.
> >
> > Do you have some guidelines or detailed steps on how to
> > 1. Initialize and integrate the Libreswan stack with the application (user-space of Linux)
>
> What do you mean with "libreswan stack"?
>
> There are two ways to initiate tunnels. One is packet triggered, and one is command triggered. The packet trigger works if your connection has been loaded using the auto=start keyword in the connection configuration file (the "conn" section). To bring defined connections in connection files up using a command, you can use the "ipsec auto --up" and "ipsec auto --down" commands. A more low level command is "ipsec whack", which is basically an (undocumented internal only) API using a socket in /run/pluto/pluto.ctl with the message format defined in whack.h
>
> > 2. any documents on Libreswan API's and how to trigger IKEv2 negotiation from the application via Libreswan, how to install SA's and SPD's via Libreswan to Linux etc.
>
> If you can do it packet triggered, that is the best way. It requires no modification of your application. If you want to specifically trigger it, and the connections are fairly static with respect to configuration, use the ipsec auto command. If you are looking at large scale mesh deployment, look at "opportunistic IPsec".
>
> You should not need to install IPsec SA's or IPsec SPD's in the kernel manually. All of that is handled by libreswan's IKE daemon pluto.
>
> See further:
>
> https://libreswan.org/wiki/Configuration_examples
>
> https://libreswan.org/man/
>
> You need to decide what to use for authentication, PSK or raw public keys or certificates. Depending on that choice, you might need to look into the integration of libreswan with NSS for certificate handling: https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
>
> Opportunistic IPsec for enterprise mesh: https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
>
> To integrate tunnel status in your application, you can use "ipsec trafficstatus"
>
> Paul
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
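Worked example, added here and not code from the thread or from the libreswan project: a conn section for each of the two trigger styles Paul describes (auto=start for a tunnel pluto brings up itself, auto=add for one the application brings up with "ipsec auto --up"), plus small shell helpers that wrap "ipsec auto --up/--down" and parse "ipsec trafficstatus" output so an application can check whether a named tunnel has an ESP SA. The conn names, addresses, IDs and the sample trafficstatus line are all constructed; the line shape of trafficstatus output is an assumption and should be checked against the libreswan version actually deployed.

```shell
#!/bin/sh
# Added example, not libreswan project code. Assumes the libreswan "ipsec"
# command, the ipsec.conf "conn" syntax and the "ipsec auto --up",
# "ipsec auto --down" and "ipsec trafficstatus" commands named in the reply.
# Conn names, addresses and IDs are made up.
set -eu

# Write one conn section for each trigger style from the reply:
#   auto=start  pluto loads the conn and brings it up itself; the
#               application just sends traffic into the tunnel
#   auto=add    pluto loads it and waits for "ipsec auto --up <name>"
write_conn_config() {
    dest="$1"   # e.g. /etc/ipsec.d/app-tunnel.conf (any path will do here)
    cat > "$dest" <<'EOF'
# authby=secret needs a matching PSK line in /etc/ipsec.secrets, e.g.
#   @app-east @app-west : PSK "replace-with-a-real-secret"
conn app-tunnel-start
    left=192.0.2.10
    leftid=@app-east
    leftsubnet=10.0.1.0/24
    right=198.51.100.20
    rightid=@app-west
    rightsubnet=10.0.2.0/24
    authby=secret
    ikev2=insist
    auto=start

conn app-tunnel-cmd
    left=192.0.2.10
    leftid=@app-east
    leftsubnet=10.0.1.0/24
    right=198.51.100.20
    rightid=@app-west
    rightsubnet=10.0.3.0/24
    authby=secret
    ikev2=insist
    auto=add
EOF
}

# Command-triggered control by conn name. Only useful on a host running pluto.
tunnel_up()   { ipsec auto --up   "$1"; }
tunnel_down() { ipsec auto --down "$1"; }

# Status integration: parse "ipsec trafficstatus" text. The line shape
# ("NNN #N: "conn", type=ESP, ..., inBytes=..., outBytes=..., id='...'")
# is assumed here; verify it against your libreswan version.
# Returns 0 when CONN has an ESP SA listed in STATUS, 1 otherwise.
conn_established() {
    conn="$1"; status="$2"
    printf '%s\n' "$status" | grep -q "\"$conn\", type=ESP"
}

# Print the outBytes counter of CONN's first listed SA (empty if absent).
conn_out_bytes() {
    conn="$1"; status="$2"
    printf '%s\n' "$status" | grep "\"$conn\"," \
        | sed -n 's/.*outBytes=\([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of trafficstatus output (not captured from a real host).
SAMPLE_STATUS="006 #2: \"app-tunnel-cmd\", type=ESP, add_time=1589213345, inBytes=1024, outBytes=2048, id='@app-west'"

# Live use on a host running pluto:
#   write_conn_config /etc/ipsec.d/app-tunnel.conf
#   ipsec auto --add app-tunnel-cmd
#   tunnel_up app-tunnel-cmd
#   conn_established app-tunnel-cmd "$(ipsec trafficstatus)" && echo "tunnel up"
```

The status helpers take the trafficstatus text as an argument rather than calling "ipsec" themselves, so the parsing can be exercised offline on the constructed sample and swapped for "$(ipsec trafficstatus)" on a real host.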
