On Mon, 18 May 2020, Balaji Thoguluva wrote:
> I have some general security policies that just allow the traffic to pass
> through the system (i.e., no IPsec is applied to that traffic). Say, for
> example, allow all traffic of a certain source and destination IP and
> source and destination port 5060 (SIP traffic) to not be processed by IPsec.
> In that case, how do I convey this security-policy behavior to Libreswan via
> the script? What parameters need to be configured? Should I create a separate
> connection section?
I would still recommend you do not do this. Double encryption isn't the
worst thing these days. Excluding traffic will allow people to see things
even if not encrypted. For example, TLS still leaks SNI in cleartext.
That said, you can simply create the exceptions by doing:

Individual conn solution:

    # Outbound TLS: any local TCP port to remote TCP port 443 leaves in the clear.
    conn skip-tls-out
        # cleartext shunt: no IPsec is negotiated or applied to this selector
        type=passthrough
        # never negotiate; pairs with the shunt type above
        authby=never
        left=%defaultroute
        right=0.0.0.0
        # any local TCP port
        leftprotoport=tcp/0
        # remote TCP port 443
        rightprotoport=tcp/443
        # install the policy when pluto starts
        auto=route
You would do something similar but flipped for incoming TLS. If there is
a mismatch of these between hosts, all communication will fail, because
whoever does not have the "cleartext hole" will drop the received cleartext
traffic.
Mesh solution:

When using mesh encryption (Opportunistic IPsec), you can also specify
the nodes for a specific "clear" policy using protocols and ports. In
general, the longest prefix wins with these types of rule matches:

    # /etc/ipsec.d/policies/private
    # encrypt (or fail closed) to everything in 10/8
    10.0.0.0/8

    # /etc/ipsec.d/policies/clear
    # format: subnet [protocol local-port remote-port], 0 = any port
    # outbound TLS: any local port to port 443 inside 10.0.0.0/24 stays clear
    10.0.0.0/24 tcp 0 443
    # inbound TLS: local port 443 from any remote port, anywhere
    0.0.0.0/0 tcp 443 0
Paul
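The policy-group matching and the cross-host consistency point above, as an added example that is not part of the original thread or of Libreswan's code: a small Python model that parses files in the /etc/ipsec.d/policies/ format, picks the most specific matching entry for a flow, and checks whether two peers agree on whether that flow is clear or private. The hosts, addresses and policy files are constructed for the example; the precedence it assumes (longest prefix first, then protocol/port specificity as a tie-break) is a simplification of what Libreswan installs, so confirm the real priorities on a host with `ip xfrm policy`.

```python
"""Model of Libreswan policy-group matching and peer consistency.

Added example, not Libreswan code. Parses the policies/<group> file
format ("subnet [proto local-port remote-port]", 0 = any port), picks
the most specific matching entry for a flow, and checks that both ends
of a connection classify it the same way.  Precedence rule (longest
prefix first, then proto/port specificity) is this example's assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    net: ipaddress.IPv4Network   # remote subnet the entry applies to
    proto: str                   # "any", "tcp", "udp", ...
    sport: int                   # local port, 0 = any
    dport: int                   # remote port, 0 = any
    group: str                   # policy file name: "private", "clear", ...


@dataclass(frozen=True)
class Flow:
    remote: str   # peer address as seen from this host
    proto: str
    sport: int    # this host's port
    dport: int    # the peer's port


def parse_policy_file(text, group):
    """Parse one policies/<group> file into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (1, 4):
            raise ValueError(f"{group}: bad policy line {raw!r}")
        net = ipaddress.ip_network(parts[0], strict=False)
        if len(parts) == 4:
            proto, sport, dport = parts[1].lower(), int(parts[2]), int(parts[3])
        else:
            proto, sport, dport = "any", 0, 0
        rules.append(Rule(net, proto, sport, dport, group))
    return rules


def load_policies(files):
    """files: {"private": text, "clear": text, ...} -> list of Rule."""
    rules = []
    for group, text in files.items():
        rules.extend(parse_policy_file(text, group))
    return rules


def matches(rule, flow):
    return (ipaddress.ip_address(flow.remote) in rule.net
            and rule.proto in ("any", flow.proto)
            and rule.sport in (0, flow.sport)
            and rule.dport in (0, flow.dport))


def specificity(rule):
    # Longest prefix first; an entry naming proto/ports out-ranks a bare
    # subnet of the same length (assumed tie-break).
    return (rule.net.prefixlen, rule.proto != "any",
            (rule.sport != 0) + (rule.dport != 0))


def classify(rules, flow):
    """Return the winning group name, or None if no entry covers the peer."""
    hits = [r for r in rules if matches(r, flow)]
    return max(hits, key=specificity).group if hits else None


def mirrored(flow, local_addr):
    """The same connection as the peer sees it: our address is its remote, ports swap."""
    return Flow(local_addr, flow.proto, flow.dport, flow.sport)


def check_pair(local_rules, local_addr, peer_rules, flow):
    """Both ends must classify the flow the same way; otherwise the end
    without the cleartext hole drops what the other sends in the clear."""
    ours = classify(local_rules, flow)
    theirs = classify(peer_rules, mirrored(flow, local_addr))
    return ours, theirs, ours == theirs


# Constructed sample policy files for three hosts (not from the original post).
ALPHA = load_policies({
    "private": "10.0.0.0/8\n",
    "clear": "10.0.0.0/24 tcp 0 443\n",          # TLS client to the /24 in clear
})
BETA = load_policies({"private": "10.0.0.0/8\n"})  # no cleartext hole at all
GAMMA = load_policies({
    "private": "10.0.0.0/8\n",
    "clear": "10.0.0.0/24 tcp 0 443\n10.0.0.0/24 tcp 443 0\n",  # TLS both ways
})

if __name__ == "__main__":
    flow = Flow("10.0.0.5", "tcp", 51000, 443)   # alpha (10.0.0.9) -> peer:443
    for name, peer in (("beta", BETA), ("gamma", GAMMA)):
        ours, theirs, ok = check_pair(ALPHA, "10.0.0.9", peer, flow)
        print(f"alpha->{name} {flow.remote}:{flow.dport}: alpha={ours} {name}={theirs} "
              f"{'ok' if ok else 'MISMATCH: cleartext will be dropped'}")
```

Run it as-is to see the alpha/beta mismatch Paul warns about; to check a real pair of hosts, feed `check_pair` the contents of each host's policies/ files and its own address.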
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev