Hi Paul, Thanks for the continued support.
I have integrated the Libreswan source code with my Linux-based project, integrated binaries of Libreswan's dependencies, and I am able to build the project. Can I access the ipsec executable in the built Linux project? If so, where does the ipsec executable typically reside? I could not find it under /usr/sbin or /usr/libexec/ipsec. Any suggestions?

Thanks,
Balaji

On Mon, May 18, 2020 at 3:05 PM Paul Wouters <[email protected]> wrote:
> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>
> > I have some general security-policies that just allow the traffic to pass through the system (i.e., no IPsec is applied to that traffic). Say, for example, allow all traffic of a certain source and destination IP and source and destination port 5060 (SIP traffic) not processed by IPsec.
> >
> > In that case, how do I convey this security-policy behavior to Libreswan via the script? What parameters need to be configured? Should I create a separate connection section?
>
> I would still recommend you do not do this. Double encryption isn't the worst these days. Excluding will allow people to see things even if not encrypted. For example, TLS still leaks SNI in cleartext.
>
> That said, you can simply create the exceptions by doing:
>
> Individual conn solutions:
>
> conn skip-tls-out
>     left=%defaultroute
>     right=0.0.0.0
>     leftprotoport=tcp/0
>     rightprotoport=tcp/443
>     authby=never
>     auto=route
>
> You would do something similar but flipped for incoming TLS. If there is a mismatch of these between hosts, all communication will fail, because whoever does not have the "cleartext hole" will drop the received cleartext traffic.
>
> Mesh solution:
>
> When using mesh encryption (Opportunistic IPsec), you can also specify the nodes for specific "clear" using protocols and ports. In general, longest prefix first wins with this type of rule matching.
>
> # /etc/ipsec.d/policies/private
> 10.0.0.0/8
>
> # /etc/ipsec.d/policies/clear
> 10.0.0.0/24 tcp 0 443
> 1.0.0.0/0 tcp 443 0
>
> Paul
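The quoted reply describes two things worth seeing run: "longest prefix first wins" when a remote address is covered by both the private and the clear policy files, and the failure mode where one host has the "cleartext hole" and the other does not. The script below is an added example written for this page, not Libreswan's own code. It models the policy files with an assumed line grammar (CIDR, optionally followed by protocol, local port and remote port, with 0 meaning any), assumes the two port columns are taken from the local host's perspective, and breaks ties on equal prefix length in favour of rules that name a protocol or port; none of that is a statement of Libreswan's exact semantics. The sample policy lines are copied from the reply; the two-host scenario and all addresses are constructed here.

```python
"""Toy model of the /etc/ipsec.d/policies/{private,clear} rules shown in
the reply above.  This is an added example, not Libreswan's own code: the
line grammar (CIDR [proto localport remoteport], 0 = any port), the
"longest prefix wins" tie-breaking and the port perspective are assumptions
made here to illustrate the reply, not Libreswan's exact matching rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    policy: str                        # name of the file the rule came from
    net: ipaddress.IPv4Network         # remote address range
    proto: Optional[str]               # None = any protocol
    local_port: int                    # 0 = any
    remote_port: int                   # 0 = any


def parse_policy_file(policy: str, text: str) -> List[Rule]:
    """Parse one policy file body into rules tagged with the file's name."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # strict=False so "1.0.0.0/0" (as written in the reply) is read as
        # the catch-all 0.0.0.0/0 instead of raising on the set host bits.
        net = ipaddress.ip_network(fields[0], strict=False)
        if len(fields) == 1:
            rules.append(Rule(policy, net, None, 0, 0))
        elif len(fields) == 4:
            rules.append(Rule(policy, net, fields[1], int(fields[2]), int(fields[3])))
        else:
            raise ValueError("unrecognised policy line: %r" % raw)
    return rules


def classify(rules: List[Rule], remote_ip: str, proto: str,
             local_port: int, remote_port: int) -> Optional[str]:
    """Return the policy of the most specific matching rule, or None.

    Longest prefix wins; on an equal prefix, a rule naming a protocol or
    port is treated as more specific than a bare CIDR (assumption)."""
    remote = ipaddress.ip_address(remote_ip)
    best: Optional[Tuple[tuple, Rule]] = None
    for r in rules:
        if remote not in r.net:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.local_port and r.local_port != local_port:
            continue
        if r.remote_port and r.remote_port != remote_port:
            continue
        key = (r.net.prefixlen, r.proto is not None,
               r.local_port != 0, r.remote_port != 0)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1].policy if best else None


def hole_is_symmetric(sender_rules, receiver_rules, sender_ip, receiver_ip,
                      proto, sport, dport) -> Tuple[Optional[str], Optional[str], bool]:
    """Model the warning in the reply: both ends must classify one flow the
    same way, or whichever side expects IPsec drops the other's cleartext.
    Ports are swapped for the receiver because its local port is the
    sender's destination port."""
    s = classify(sender_rules, receiver_ip, proto, sport, dport)
    r = classify(receiver_rules, sender_ip, proto, dport, sport)
    return s, r, s == r


# Constructed sample files, copied from the reply's mesh example.
PRIVATE = "10.0.0.0/8\n"
CLEAR = "10.0.0.0/24 tcp 0 443\n1.0.0.0/0 tcp 443 0\n"
RULES = parse_policy_file("private", PRIVATE) + parse_policy_file("clear", CLEAR)

# Constructed two-host scenario: host A opens the outgoing hole to port
# 443, host B opens the matching incoming one; HOST_B_NO_HOLE does not.
HOST_A = parse_policy_file("private", PRIVATE) + \
    parse_policy_file("clear", "10.0.0.0/24 tcp 0 443\n")
HOST_B = parse_policy_file("private", PRIVATE) + \
    parse_policy_file("clear", "10.0.0.0/24 tcp 443 0\n")
HOST_B_NO_HOLE = parse_policy_file("private", PRIVATE)

if __name__ == "__main__":
    print(classify(RULES, "10.0.0.5", "tcp", 40000, 443))   # /24 clear beats /8 private
    print(classify(RULES, "10.1.2.3", "tcp", 40000, 443))   # only the /8 private rule matches
    print(hole_is_symmetric(HOST_A, HOST_B, "10.0.0.7", "10.0.0.9", "tcp", 40000, 443))
    print(hole_is_symmetric(HOST_A, HOST_B_NO_HOLE, "10.0.0.7", "10.0.0.9", "tcp", 40000, 443))
```

The two hole_is_symmetric calls are the point of the exercise: with matching clear rules on both ends the flow is cleartext in both directions, while a receiver that only carries the private file classifies the same flow as private and, per the reply, would drop the sender's cleartext. Running a check like this against both hosts' policy files before deploying an exception is cheaper than debugging a one-sided hole in production.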
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
