Most of XFRM and ESP Paul
Sent from my iPhone > On May 30, 2020, at 21:23, Balaji Thoguluva <[email protected]> wrote: > > > Hi Paul et al., > > If I assume the above error is because the required kernel modules required > by Libreswan are not included or built with the Linux kernel, can anybody > refer me to the list of kernel modules that needs to be included required by > the Libreswan that would avoid this error? > > If my assumption is not correct, please advise me on how to proceed further. > > Thanks, > Balaji > >> On Sat, May 30, 2020 at 6:34 PM Balaji Thoguluva <[email protected]> wrote: >> Hi All, >> >> Please ignore my previous question. >> >> I was able to proceed further. Now I am able to get the IKE negotiation >> going successfully but when it attempts to install SA's to Linux kernel, it >> runs into an error. Here is the pluto logs. >> >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: initiating v2 parent SA >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local IKE proposals >> for radius (IKE SA initiator selecting KE): >> 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: STATE_PARENT_I1: sent >> v2I1, expected v2R1 >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: WARNING: connection >> radius PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 >> bytes required) >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local ESP/AH proposals >> for radius (IKE SA initiator emitting ESP/AH proposals): >> 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: STATE_PARENT_I2: sent >> v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 >> group=MODP1536} >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: IKEv2 mode peer ID is >> ID_IPV4_ADDR: '10.196.175.174' >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: WARNING: connection >> radius PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 >> bytes required) >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: Authenticated using >> authby=secret >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink >> response for Add SA [email protected] included errno 93: Protocol >> not supported >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: setup_half_ipsec_sa() >> hit fail: >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: deleting state >> (STATE_PARENT_I2) and NOT sending notification >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink >> response for Del SA [email protected] included errno 3: No such >> process >> >> Am I missing anything and any idea on how to overcome this error? >> >> Advance thanks. >> >> Regards, >> Balaji >> >>> On Tue, May 26, 2020 at 3:52 PM Balaji Thoguluva <[email protected]> wrote: >>> I attempted to specify the IP address explicitly as a command line >>> argument, but it still fails to bind for some reason. Am I running into >>> some permission issue? >>> >>> ~ # ifconfig >>> wancom0 Link encap:Ethernet HWaddr 00:08:25:A4:09:10 >>> inet addr:10.196.172.114 Bcast:10.196.255.255 Mask:255.255.128.0 >>> inet6 addr: fe80::208:25ff:fea4:910/64 Scope:Link >>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 >>> RX packets:3871219 errors:0 dropped:1079 overruns:0 frame:0 >>> TX packets:35917 errors:0 dropped:0 overruns:0 carrier:0 >>> collisions:0 txqueuelen:1000 >>> RX bytes:260061626 (248.0 MiB) TX bytes:7536742 (7.1 MiB) >>> Memory:f7580000-f75fffff >>> >>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork >>> --stderrlog >>> --interface 10.196.172.114 --listen 10.196.172.114 >>> May 26 19:21:26.049457: bind() will be filtered for 10.196.172.114 >>> Pluto initialized >>> May 26 19:21:26.049752: NSS DB directory: sql:/etc/ipsec.d >>> May 26 19:21:26.049834: Initializing NSS >>> May 26 19:21:26.049846: Opening NSS database "sql:/etc/ipsec.d" read-only >>> May 26 19:21:26.129870: NSS initialized >>> May 26 19:21:26.129884: NSS crypto library initialized >>> May 26 19:21:26.129889: FIPS HMAC integrity support [disabled] >>> May 26 19:21:26.129971: libcap-ng support [enabled] >>> May 26 19:21:26.129982: Linux audit support [disabled] >>> May 26 19:21:26.129988: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) >>> FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:13283 >>> May 26 19:21:26.129994: core dump dir: /run/pluto >>> May 26 19:21:26.129999: secrets file: /etc/ipsec.secrets >>> May 26 19:21:26.130003: leak-detective disabled >>> May 26 19:21:26.130008: NSS crypto [enabled] >>> May 26 19:21:26.130011: XAUTH PAM support [disabled] >>> May 26 19:21:26.130058: NAT-Traversal support [enabled] >>> May 26 19:21:26.130077: Initializing libevent in pthreads mode: headers: >>> 2.0.21-stable (2001500); library: 2.0.21-stable (2001500) >>> May 26 19:21:26.130193: Encryption algorithms: >>> May 26 19:21:26.130201: AES_CCM_16 IKEv1: ESP IKEv2: >>> ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c) >>> May 26 19:21:26.130206: AES_CCM_12 IKEv1: ESP IKEv2: >>> ESP FIPS {256,192,*128} (aes_ccm_b) >>> May 26 19:21:26.130212: AES_CCM_8 IKEv1: ESP IKEv2: >>> ESP FIPS {256,192,*128} (aes_ccm_a) >>> May 26 19:21:26.130219: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE >>> ESP FIPS [*192] (3des) >>> May 26 19:21:26.130223: CAMELLIA_CTR IKEv1: ESP IKEv2: >>> ESP {256,192,*128} >>> May 26 19:21:26.130227: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE >>> ESP {256,192,*128} (camellia) >>> May 26 19:21:26.130231: AES_GCM_16 IKEv1: ESP IKEv2: IKE >>> ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c) >>> May 26 19:21:26.130236: AES_GCM_12 IKEv1: ESP IKEv2: IKE >>> ESP FIPS {256,192,*128} (aes_gcm_b) >>> May 26 19:21:26.130239: AES_GCM_8 IKEv1: ESP IKEv2: IKE >>> ESP FIPS {256,192,*128} (aes_gcm_a) >>> May 26 19:21:26.130245: AES_CTR IKEv1: IKE ESP IKEv2: IKE >>> ESP FIPS {256,192,*128} (aesctr) >>> May 26 19:21:26.130249: AES_CBC IKEv1: IKE ESP IKEv2: IKE >>> ESP FIPS {256,192,*128} (aes) >>> May 26 19:21:26.130253: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE >>> ESP {256,192,*128} (serpent) >>> May 26 19:21:26.130259: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE >>> ESP {256,192,*128} (twofish) >>> May 26 19:21:26.130263: TWOFISH_SSH IKEv1: IKE IKEv2: IKE >>> ESP {256,192,*128} (twofish_cbc_ssh) >>> May 26 19:21:26.130267: CAST_CBC IKEv1: ESP IKEv2: >>> ESP {*128} (cast) >>> May 26 19:21:26.130272: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: >>> ESP {256,192,*128} (aes_gmac) >>> May 26 19:21:26.130275: NULL IKEv1: ESP IKEv2: >>> ESP [] >>> May 26 19:21:26.130281: Hash algorithms: >>> May 26 19:21:26.130285: MD5 IKEv1: IKE IKEv2: >>> >>> May 26 19:21:26.130289: SHA1 IKEv1: IKE IKEv2: >>> FIPS (sha) >>> May 26 19:21:26.130292: SHA2_256 IKEv1: IKE IKEv2: >>> FIPS (sha2 sha256) >>> May 26 19:21:26.130295: SHA2_384 IKEv1: IKE IKEv2: >>> FIPS (sha384) >>> May 26 19:21:26.130299: SHA2_512 IKEv1: IKE IKEv2: >>> FIPS (sha512) >>> May 26 19:21:26.130307: PRF algorithms: >>> May 26 19:21:26.130310: HMAC_MD5 IKEv1: IKE IKEv2: IKE >>> (md5) >>> May 26 19:21:26.130314: HMAC_SHA1 IKEv1: IKE IKEv2: IKE >>> FIPS (sha sha1) >>> May 26 19:21:26.130317: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE >>> FIPS (sha2 sha256 sha2_256) >>> May 26 19:21:26.130321: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE >>> FIPS (sha384 sha2_384) >>> May 26 19:21:26.130325: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE >>> FIPS (sha512 sha2_512) >>> May 26 19:21:26.130328: AES_XCBC IKEv1: IKEv2: IKE >>> FIPS (aes128_xcbc) >>> May 26 19:21:26.130338: Integrity algorithms: >>> May 26 19:21:26.130342: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH (md5 hmac_md5) >>> May 26 19:21:26.130346: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (sha sha1 sha1_96 hmac_sha1) >>> May 26 19:21:26.130350: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (sha512 sha2_512 hmac_sha2_512) >>> May 26 19:21:26.130354: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (sha384 sha2_384 hmac_sha2_384) >>> May 26 19:21:26.130358: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256) >>> May 26 19:21:26.130363: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE >>> ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96) >>> May 26 19:21:26.130366: AES_CMAC_96 IKEv1: ESP AH IKEv2: >>> ESP AH FIPS (aes_cmac) >>> May 26 19:21:26.130370: NONE IKEv1: ESP IKEv2: >>> ESP FIPS (null) >>> May 26 19:21:26.130379: DH algorithms: >>> May 26 19:21:26.130382: NONE IKEv1: IKEv2: IKE >>> ESP AH (null dh0) >>> May 26 19:21:26.130386: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH (dh2) >>> May 26 19:21:26.130389: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH (dh5) >>> May 26 19:21:26.130393: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (dh14) >>> May 26 19:21:26.130396: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (dh15) >>> May 26 19:21:26.130400: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (dh16) >>> May 26 19:21:26.130403: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (dh17) >>> May 26 19:21:26.130407: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS (dh18) >>> May 26 19:21:26.130411: DH19 IKEv1: IKE IKEv2: IKE >>> ESP AH FIPS (ecp_256) >>> May 26 19:21:26.130414: DH20 IKEv1: IKE IKEv2: IKE >>> ESP AH FIPS (ecp_384) >>> May 26 19:21:26.130418: DH21 IKEv1: IKE IKEv2: IKE >>> ESP AH FIPS (ecp_521) >>> May 26 19:21:26.130422: DH23 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS >>> May 26 19:21:26.130425: DH24 IKEv1: IKE ESP AH IKEv2: IKE >>> ESP AH FIPS >>> May 26 19:21:26.132693: starting up 7 crypto helpers >>> May 26 19:21:26.132724: started thread for crypto helper 0 >>> May 26 19:21:26.132740: started thread for crypto helper 1 >>> May 26 19:21:26.132744: seccomp security for crypto helper not supported >>> May 26 19:21:26.132756: started thread for crypto helper 2 >>> May 26 19:21:26.132762: seccomp security for crypto helper not supported >>> May 26 19:21:26.132794: started thread for crypto helper 3 >>> May 26 19:21:26.132796: seccomp security for crypto helper not supported >>> May 26 19:21:26.132814: started thread for crypto helper 4 >>> May 26 19:21:26.132758: seccomp security for crypto helper not supported >>> May 26 19:21:26.133265: started thread for crypto helper 5 >>> May 26 19:21:26.133267: seccomp security for crypto helper not supported >>> May 26 19:21:26.133292: started thread for crypto helper 6 >>> May 26 19:21:26.133296: seccomp security for crypto helper not supported >>> May 26 19:21:26.133320: Using Linux XFRM/NETKEY IPsec interface code on >>> 4.14.35 >>> May 26 19:21:26.132829: seccomp security for crypto helper not supported >>> May 26 19:21:26.266276: seccomp security not supported >>> May 26 19:21:26.267538: added connection description "radius" >>> May 26 19:21:26.267588: listening for IKE messages >>> May 26 19:21:26.267609: FATAL ERROR: bind() failed in find_raw_ifaces4(). >>> Errno 98: Address already in use >>> May 26 19:21:26.267619: "radius": deleting non-instance connection >>> connect(pluto_ctl) failed: No such file or directory >>> ~ # >>> >>> Thanks, >>> Balaji >>> >>>> On Tue, May 26, 2020 at 3:01 PM Balaji Thoguluva <[email protected]> >>>> wrote: >>>> Thanks Paul. >>>> >>>> Another question. >>>> >>>> I have integrated Libreswan source code and its dependent binaries to my >>>> Linux based project. Please note that the Linux OS I have is not a >>>> full-blown OS but a stripped down version with limited features. >>>> >>>> When I try to invoke pluto like this, >>>> >>>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork >>>> --stderrlog >>>> Pluto initialized >>>> May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d >>>> May 26 18:22:44.640085: Initializing NSS >>>> May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d" read-only >>>> May 26 18:22:44.749626: NSS initialized >>>> May 26 18:22:44.749643: NSS crypto library initialized >>>> May 26 18:22:44.749649: FIPS HMAC integrity support [disabled] >>>> May 26 18:22:44.749770: libcap-ng support [enabled] >>>> May 26 18:22:44.749778: Linux audit support [disabled] >>>> May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25 >>>> XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445 >>>> May 26 18:22:44.749792: core dump dir: /run/pluto >>>> May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets >>>> May 26 18:22:44.749808: leak-detective disabled >>>> May 26 18:22:44.749814: NSS crypto [enabled] >>>> May 26 18:22:44.749819: XAUTH PAM support [disabled] >>>> May 26 18:22:44.749926: NAT-Traversal support [enabled] >>>> May 26 18:22:44.749958: Initializing libevent in pthreads mode: headers: >>>> 2.0.21-stable (2001500); library: 2.0.21-stable (2001500) >>>> May 26 18:22:44.750135: Encryption algorithms: >>>> May 26 18:22:44.750148: AES_CCM_16 IKEv1: ESP IKEv2: >>>> ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c) >>>> May 26 18:22:44.750156: AES_CCM_12 IKEv1: ESP IKEv2: >>>> ESP FIPS {256,192,*128} (aes_ccm_b) >>>> May 26 18:22:44.750164: AES_CCM_8 IKEv1: ESP IKEv2: >>>> ESP FIPS {256,192,*128} (aes_ccm_a) >>>> May 26 18:22:44.750174: 3DES_CBC IKEv1: IKE ESP IKEv2: >>>> IKE ESP FIPS [*192] (3des) >>>> May 26 18:22:44.750182: CAMELLIA_CTR IKEv1: ESP IKEv2: >>>> ESP {256,192,*128} >>>> May 26 18:22:44.750190: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: >>>> IKE ESP {256,192,*128} (camellia) >>>> May 26 18:22:44.750198: AES_GCM_16 IKEv1: ESP IKEv2: >>>> IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c) >>>> May 26 18:22:44.750206: AES_GCM_12 IKEv1: ESP IKEv2: >>>> IKE ESP FIPS {256,192,*128} (aes_gcm_b) >>>> May 26 18:22:44.750213: AES_GCM_8 IKEv1: ESP IKEv2: >>>> IKE ESP FIPS {256,192,*128} (aes_gcm_a) >>>> May 26 18:22:44.750224: AES_CTR IKEv1: IKE ESP IKEv2: >>>> IKE ESP FIPS {256,192,*128} (aesctr) >>>> May 26 18:22:44.750231: AES_CBC IKEv1: IKE ESP IKEv2: >>>> IKE ESP FIPS {256,192,*128} (aes) >>>> May 26 18:22:44.750240: SERPENT_CBC IKEv1: IKE ESP IKEv2: >>>> IKE ESP {256,192,*128} (serpent) >>>> May 26 18:22:44.750248: TWOFISH_CBC IKEv1: IKE ESP IKEv2: >>>> IKE ESP {256,192,*128} (twofish) >>>> May 26 18:22:44.750255: TWOFISH_SSH IKEv1: IKE IKEv2: >>>> IKE ESP {256,192,*128} (twofish_cbc_ssh) >>>> May 26 18:22:44.750262: CAST_CBC IKEv1: ESP IKEv2: >>>> ESP {*128} (cast) >>>> May 26 18:22:44.750280: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: >>>> ESP {256,192,*128} (aes_gmac) >>>> May 26 18:22:44.750287: NULL IKEv1: ESP IKEv2: >>>> ESP [] >>>> May 26 18:22:44.750298: Hash algorithms: >>>> May 26 18:22:44.750304: MD5 IKEv1: IKE IKEv2: >>>> >>>> May 26 18:22:44.750311: SHA1 IKEv1: IKE IKEv2: >>>> FIPS (sha) >>>> May 26 18:22:44.750325: SHA2_256 IKEv1: IKE IKEv2: >>>> FIPS (sha2 sha256) >>>> May 26 18:22:44.750333: SHA2_384 IKEv1: IKE IKEv2: >>>> FIPS (sha384) >>>> May 26 18:22:44.750340: SHA2_512 IKEv1: IKE IKEv2: >>>> FIPS (sha512) >>>> May 26 18:22:44.750354: PRF algorithms: >>>> May 26 18:22:44.750360: HMAC_MD5 IKEv1: IKE IKEv2: >>>> IKE (md5) >>>> May 26 18:22:44.750369: HMAC_SHA1 IKEv1: IKE IKEv2: >>>> IKE FIPS (sha sha1) >>>> May 26 18:22:44.750377: HMAC_SHA2_256 IKEv1: IKE IKEv2: >>>> IKE FIPS (sha2 sha256 sha2_256) >>>> May 26 18:22:44.750383: HMAC_SHA2_384 IKEv1: IKE IKEv2: >>>> IKE FIPS (sha384 sha2_384) >>>> May 26 18:22:44.750389: HMAC_SHA2_512 IKEv1: IKE IKEv2: >>>> IKE FIPS (sha512 sha2_512) >>>> May 26 18:22:44.750396: AES_XCBC IKEv1: IKEv2: >>>> IKE FIPS (aes128_xcbc) >>>> May 26 18:22:44.750411: Integrity algorithms: >>>> May 26 18:22:44.750420: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH (md5 hmac_md5) >>>> May 26 18:22:44.750426: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1) >>>> May 26 18:22:44.750432: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512) >>>> May 26 18:22:44.750439: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384) >>>> May 26 18:22:44.750447: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256) >>>> May 26 18:22:44.750453: AES_XCBC_96 IKEv1: ESP AH IKEv2: >>>> IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96) >>>> May 26 18:22:44.750460: AES_CMAC_96 IKEv1: ESP AH IKEv2: >>>> ESP AH FIPS (aes_cmac) >>>> May 26 18:22:44.750466: NONE IKEv1: ESP IKEv2: >>>> ESP FIPS (null) >>>> May 26 18:22:44.750491: DH algorithms: >>>> May 26 18:22:44.750499: NONE IKEv1: IKEv2: >>>> IKE ESP AH (null dh0) >>>> May 26 18:22:44.750506: MODP1024 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH (dh2) >>>> May 26 18:22:44.750513: MODP1536 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH (dh5) >>>> May 26 18:22:44.750527: MODP2048 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (dh14) >>>> May 26 18:22:44.750534: MODP3072 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (dh15) >>>> May 26 18:22:44.750540: MODP4096 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (dh16) >>>> May 26 18:22:44.750546: MODP6144 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (dh17) >>>> May 26 18:22:44.750552: MODP8192 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS (dh18) >>>> May 26 18:22:44.750559: DH19 IKEv1: IKE IKEv2: >>>> IKE ESP AH FIPS (ecp_256) >>>> May 26 18:22:44.750566: DH20 IKEv1: IKE IKEv2: >>>> IKE ESP AH FIPS (ecp_384) >>>> May 26 18:22:44.750574: DH21 IKEv1: IKE IKEv2: >>>> IKE ESP AH FIPS (ecp_521) >>>> May 26 18:22:44.750579: DH23 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS >>>> May 26 18:22:44.750586: DH24 IKEv1: IKE ESP AH IKEv2: >>>> IKE ESP AH FIPS >>>> May 26 18:22:44.755598: starting up 7 crypto helpers >>>> May 26 18:22:44.755652: started thread for crypto helper 0 >>>> May 26 18:22:44.755655: seccomp security for crypto helper not supported >>>> May 26 18:22:44.755689: started thread for crypto helper 1 >>>> May 26 18:22:44.755704: seccomp security for crypto helper not supported >>>> May 26 18:22:44.755721: started thread for crypto helper 2 >>>> May 26 18:22:44.755723: seccomp security for crypto helper not supported >>>> May 26 18:22:44.755761: seccomp security for crypto helper not supported >>>> May 26 18:22:44.755761: started thread for crypto helper 3 >>>> May 26 18:22:44.755798: started thread for crypto helper 4 >>>> May 26 18:22:44.755799: seccomp security for crypto helper not supported >>>> May 26 18:22:44.755836: seccomp security for crypto helper not supported >>>> May 26 18:22:44.755836: started thread for crypto helper 5 >>>> May 26 18:22:44.755884: started thread for crypto helper 6 >>>> May 26 18:22:44.755885: seccomp security for crypto helper not supported >>>> May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code on >>>> 4.14.35 >>>> May 26 18:22:44.927272: seccomp security not supported >>>> May 26 18:22:44.929155: added connection description "radius" >>>> May 26 18:22:44.929200: listening for IKE messages >>>> May 26 18:22:44.929229: FATAL ERROR: bind() failed in find_raw_ifaces4(). >>>> Errno 98: Address already in use >>>> May 26 18:22:44.929240: "radius": deleting non-instance connection >>>> connect(pluto_ctl) failed: No such file or directory >>>> ~ # >>>> >>>> I have the following conf file at /etc/ipsec.d/radius.conf >>>> >>>> conn radius >>>> left=10.196.175.174 >>>> leftid=10.196.175.174 >>>> leftsubnet=10.196.175.174/32 >>>> right=10.196.172.114 >>>> rightid=10.196.172.114 >>>> rightsubnet=10.196.172.114/32 >>>> auto=start >>>> >>>> 10.196.172.114 is my local Linux interface and 10.196.175.174 is my peer >>>> IP address where I want to establish an IKE connection to. >>>> >>>> ~ # netstat -an | grep 500 >>>> udp 0 0 172.16.20.62:500 0.0.0.0:* >>>> >>>> udp 0 0 127.0.0.1:45006 0.0.0.0:* >>>> >>>> udp 0 0 172.16.20.62:4500 0.0.0.0:* >>>> >>>> unix 2 [ ] DGRAM 50035 >>>> >>>> ~ # netstat -an | grep 4500 >>>> udp 0 0 127.0.0.1:45006 0.0.0.0:* >>>> >>>> udp 0 0 172.16.20.62:4500 0.0.0.0:* >>>> >>>> ~ # >>>> >>>> I don't see any other application binding to this port from 10.196.172.114 >>>> address. >>>> >>>> Any idea on what I am missing here? >>>> >>>> Also a related question, if I plan to use VLAN on the network interface in >>>> future, where do I specify the vlan-id in the Libreswan configuration? >>>> >>>> Thanks, >>>> Balaji >>>> >>>> >>>>> On Sat, May 23, 2020 at 11:09 PM Paul Wouters <[email protected]> wrote: >>>>> Normally, only the “ipsec” command is in a system sbin directory. All sub >>>>> commands, like “ipsec pluto” or “ipsec auto” are in the libexec/ipsec >>>>> directory. Those starting with an underscore are deemed “internal only” >>>>> and should not be called by humans. >>>>> >>>>> Sent from my iPhone >>>>> >>>>>>> On May 23, 2020, at 21:29, Balaji Thoguluva <[email protected]> wrote: >>>>>>> >>>>>> >>>>>> Please ignore my question in my previous email. I found that it is in >>>>>> /usr/local/sbin. >>>>>> >>>>>> Thanks, >>>>>> Balaji >>>>>> >>>>>>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva <[email protected]> >>>>>>> wrote: >>>>>>> Hi Paul, >>>>>>> >>>>>>> Thanks for the continued support. >>>>>>> >>>>>>> I have integrated Libreswan source code with my Linux-based project and >>>>>>> integrated binaries of the Libreswan's dependencies and I am able to >>>>>>> build the project. >>>>>>> >>>>>>> Can I access the ipsec executable in the built Linux project? If so, >>>>>>> where does the ipsec executable typically reside? I could not find it >>>>>>> under /usr/sbin, /usr/libexec/ipsec. >>>>>>> >>>>>>> Any suggestions. >>>>>>> >>>>>>> Thanks, >>>>>>> Balaji >>>>>>> >>>>>>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <[email protected]> wrote: >>>>>>>> On Mon, 18 May 2020, Balaji Thoguluva wrote: >>>>>>>> >>>>>>>> > I have some general security-policies that just allow the traffic to >>>>>>>> > pass through the system (i.e., no IPsec is applied to those >>>>>>>> > traffic). Say for example, allow all traffic >>>>>>>> > of of certain source and destination IP and source and destination >>>>>>>> > port as 5060 (SIP traffic) not processed by IPsec. >>>>>>>> > >>>>>>>> > In that case, how do I convey this security-policy behavior to >>>>>>>> > Libreswan via the script? What parameters need to be configured? >>>>>>>> > Should I create a separate connection section? >>>>>>>> >>>>>>>> I would still recommend you do not do this. Double encryption isn't the >>>>>>>> worst these days. Excluding will allow people to see things even if not >>>>>>>> encrypted. For example, TLS still leaks SNI in cleartext. >>>>>>>> >>>>>>>> That said, you can simply create the exceptions by doing: >>>>>>>> >>>>>>>> Individual conn solutions: >>>>>>>> >>>>>>>> conn skip-tls-out >>>>>>>> left=%defaultroute >>>>>>>> right=0.0.0.0 >>>>>>>> leftprotoport=tcp/0 >>>>>>>> rightprotoport=tcp/443 >>>>>>>> authby=never >>>>>>>> auto=route >>>>>>>> >>>>>>>> You would do something similar but flipped for incoming TLS. If there >>>>>>>> is >>>>>>>> a mismatch of these between hosts, all communication will fail because >>>>>>>> whoever does not have the "cleartext hole" will drop the received clear >>>>>>>> text traffic. >>>>>>>> >>>>>>>> Mesh solution: >>>>>>>> >>>>>>>> When using mesh encryption (Oportunistic IPsec), you can also specify >>>>>>>> the nodes for specific "clear" using protocols and ports. In general, >>>>>>>> longest prefix first wins with these type of rule matchines >>>>>>>> >>>>>>>> # /etc/ipsec.d/policies/private >>>>>>>> 10.0.0.0/8 >>>>>>>> >>>>>>>> # /etc/ipsec.d/policies/clear >>>>>>>> 10.0.0.0/24 tcp 0 443 >>>>>>>> 1.0.0.0/0 tcp 443 0 >>>>>>>> >>>>>>>> >>>>>>>> Paul
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
