Normally, only the “ipsec” command is in a system sbin directory. All sub commands, like “ipsec pluto” or “ipsec auto” are in the libexec/ipsec directory. Those starting with an underscore are deemed “internal only” and should not be called by humans.
Sent from my iPhone

> On May 23, 2020, at 21:29, Balaji Thoguluva <[email protected]> wrote:
>
> Please ignore my question in my previous email. I found that it is in
> /usr/local/sbin.
>
> Thanks,
> Balaji
>
>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <[email protected]> wrote:
>> Hi Paul,
>>
>> Thanks for the continued support.
>>
>> I have integrated Libreswan source code with my Linux-based project and
>> integrated binaries of the Libreswan's dependencies and I am able to build
>> the project.
>>
>> Can I access the ipsec executable in the built Linux project? If so, where
>> does the ipsec executable typically reside? I could not find it under
>> /usr/sbin, /usr/libexec/ipsec.
>>
>> Any suggestions.
>>
>> Thanks,
>> Balaji
>>
>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <[email protected]> wrote:
>>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>>>
>>> > I have some general security-policies that just allow the traffic to pass
>>> > through the system (i.e., no IPsec is applied to those traffic). Say for
>>> > example, allow all traffic
>>> > of certain source and destination IP and source and destination port
>>> > as 5060 (SIP traffic) not processed by IPsec.
>>> >
>>> > In that case, how do I convey this security-policy behavior to Libreswan
>>> > via the script? What parameters need to be configured? Should I create a
>>> > separate connection section?
>>>
>>> I would still recommend you do not do this. Double encryption isn't the
>>> worst these days. Excluding will allow people to see things even if not
>>> encrypted. For example, TLS still leaks SNI in cleartext.
>>>
>>> That said, you can simply create the exceptions by doing:
>>>
>>> Individual conn solutions:
>>>
>>> conn skip-tls-out
>>>     left=%defaultroute
>>>     right=0.0.0.0
>>>     leftprotoport=tcp/0
>>>     rightprotoport=tcp/443
>>>     authby=never
>>>     auto=route
>>>
>>> You would do something similar but flipped for incoming TLS. If there is
>>> a mismatch of these between hosts, all communication will fail because
>>> whoever does not have the "cleartext hole" will drop the received clear
>>> text traffic.
>>>
>>> Mesh solution:
>>>
>>> When using mesh encryption (Opportunistic IPsec), you can also specify
>>> the nodes for specific "clear" using protocols and ports. In general,
>>> longest prefix first wins with these type of rule matching
>>>
>>> # /etc/ipsec.d/policies/private
>>> 10.0.0.0/8
>>>
>>> # /etc/ipsec.d/policies/clear
>>> 10.0.0.0/24 tcp 0 443
>>> 1.0.0.0/0 tcp 443 0
>>>
>>>
>>> Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
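The "mesh solution" in the quoted reply relies on how the policy group files are matched against a flow: longest prefix wins, and a line may carry a protocol and ports. When reviewing such files it helps to see, before deploying, which flows end up in "clear" and which stay "private". The script below is an added example written for this page; it is not Libreswan code and does not reproduce Libreswan's actual matching implementation. It models the rule exactly as stated in the thread (longest prefix wins; among equal prefixes, a line naming a protocol is taken over a bare CIDR, which is this example's own tie-break assumption), reads the field layout as "CIDR" or "CIDR proto sport dport" with 0 meaning any port (also an assumption), and runs over a constructed pair of policy files that mirror the ones in the thread.

```python
"""Audit helper: which OE policy group would a flow fall into?

Added example, not Libreswan code. It simulates the matching rule described
in the thread (longest prefix wins) over constructed policy files so that a
"clear" hole can be checked against the traffic it is meant to cover.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample files laid out like the /etc/ipsec.d/policies/ fragments
# quoted above: "CIDR" alone, or "CIDR proto sport dport" with 0 = any port.
# The sport/dport reading of the last two fields is this example's assumption.
POLICY_FILES = {
    "private": "10.0.0.0/8\n",
    "clear": (
        "10.0.0.0/24 tcp 0 443\n"   # TLS towards the /24 stays cleartext
        "0.0.0.0/0 tcp 443 0\n"     # traffic sourced from port 443, any peer
    ),
}


@dataclass
class Rule:
    group: str                 # policy group, i.e. the file name
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    proto: Optional[str]       # None when the line carries only a CIDR
    sport: int                 # 0 = any
    dport: int                 # 0 = any


def parse_policies(files):
    """Parse {group: file_text} into Rule objects; '#' starts a comment."""
    rules = []
    for group, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split()
            if len(parts) not in (1, 4):
                raise ValueError(
                    f"{group}:{lineno}: expected 'CIDR' or 'CIDR proto sport dport'")
            network = ipaddress.ip_network(parts[0], strict=False)
            proto, sport, dport = None, 0, 0
            if len(parts) == 4:
                proto, sport, dport = parts[1].lower(), int(parts[2]), int(parts[3])
            rules.append(Rule(group, network, proto, sport, dport))
    return rules


def classify(rules, peer_ip, proto=None, sport=0, dport=0):
    """Return the winning group for one flow, or 'none' if no line matches.

    Longest prefix wins, as the thread states. On equal prefix length a line
    that names a protocol beats a bare CIDR (assumption of this example).
    """
    addr = ipaddress.ip_address(peer_ip)
    best_key, best_rule = None, None
    for r in rules:
        if addr.version != r.network.version or addr not in r.network:
            continue
        if r.proto is not None:
            if proto != r.proto:
                continue
            if r.sport and r.sport != sport:
                continue
            if r.dport and r.dport != dport:
                continue
        key = (r.network.prefixlen, r.proto is not None)
        if best_key is None or key > best_key:
            best_key, best_rule = key, r
    return best_rule.group if best_rule else "none"


def audit(files, flows):
    """Classify (ip, proto, sport, dport) tuples; a quick review of a policy set."""
    rules = parse_policies(files)
    return {flow: classify(rules, *flow) for flow in flows}


if __name__ == "__main__":
    sample_flows = [  # constructed flows, not captured traffic
        ("10.0.0.5", "tcp", 51000, 443),    # TLS to a host inside the /24 hole
        ("10.0.0.5", "tcp", 51000, 22),     # SSH to the same host
        ("10.1.2.3", "tcp", 443, 60000),    # from our port 443 to a /8 peer
        ("192.0.2.10", "tcp", 443, 60000),  # from our port 443 to the internet
        ("192.0.2.10", "udp", 5060, 5060),  # SIP, covered by no line
    ]
    for flow, group in audit(POLICY_FILES, sample_flows).items():
        print(f"{flow!s:40} -> {group}")
```

The third flow is the instructive one: with the rule as stated, the /8 "private" line outranks the /0 "clear" line, so a host inside 10.0.0.0/8 does not get the cleartext hole for port 443 even though the "clear" file mentions that port. That is the kind of mismatch the reply warns about, where one side drops traffic the other side sends in the clear.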
