Your psk is only 6 character long which wont work with the encryptions algorithms selected. Make it up to 32 characters.
On Sun 31 May 2020, 03:53 <[email protected] wrote: > Send Swan-dev mailing list submissions to > [email protected] > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.libreswan.org/mailman/listinfo/swan-dev > or, via email, send a message with subject or body 'help' to > [email protected] > > You can reach the person managing the list at > [email protected] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Swan-dev digest..." > > > Today's Topics: > > 1. Re: Integrating Libreswan for IKEv2 and IPsec (Paul Wouters) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 30 May 2020 22:52:53 -0400 > From: Paul Wouters <[email protected]> > To: Balaji Thoguluva <[email protected]> > Cc: [email protected] > Subject: Re: [Swan-dev] Integrating Libreswan for IKEv2 and IPsec > Message-ID: <[email protected]> > Content-Type: text/plain; charset="utf-8" > > Most of XFRM and ESP > > Paul > > Sent from my iPhone > > > On May 30, 2020, at 21:23, Balaji Thoguluva <[email protected]> wrote: > > > > ? > > Hi Paul et al., > > > > If I assume the above error is because the required kernel modules > required by Libreswan are not included or built with the Linux kernel, can > anybody refer me to the list of kernel modules that needs to be included > required by the Libreswan that would avoid this error? > > > > If my assumption is not correct, please advise me on how to proceed > further. > > > > Thanks, > > Balaji > > > >> On Sat, May 30, 2020 at 6:34 PM Balaji Thoguluva <[email protected]> > wrote: > >> Hi All, > >> > >> Please ignore my previous question. > >> > >> I was able to proceed further. Now I am able to get the IKE negotiation > going successfully but when it attempts to install SA's to Linux kernel, it > runs into an error. Here is the pluto logs. > >> > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: initiating v2 > parent SA > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local IKE > proposals for radius (IKE SA initiator selecting KE): > 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536 > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: STATE_PARENT_I1: > sent v2I1, expected v2R1 > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: WARNING: > connection radius PSK length of 6 bytes is too short for sha2_256 PRF in > FIPS mode (16 bytes required) > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local ESP/AH > proposals for radius (IKE SA initiator emitting ESP/AH proposals): > 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: STATE_PARENT_I2: > sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 > prf=sha2_256 group=MODP1536} > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: IKEv2 mode peer > ID is ID_IPV4_ADDR: '10.196.175.174' > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: WARNING: > connection radius PSK length of 6 bytes is too short for sha2_256 PRF in > FIPS mode (16 bytes required) > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: Authenticated > using authby=secret > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink > response for Add SA [email protected] included errno 93: > Protocol not supported > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: > setup_half_ipsec_sa() hit fail: > > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: deleting state > (STATE_PARENT_I2) and NOT sending notification > >> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink > response for Del SA [email protected] included errno 3: No such > process > >> > >> Am I missing anything and any idea on how to overcome this error? > >> > >> Advance thanks. > >> > >> Regards, > >> Balaji > >> > >>> On Tue, May 26, 2020 at 3:52 PM Balaji Thoguluva <[email protected]> > wrote: > >>> I attempted to specify the IP address explicitly as a command line > argument, but it still fails to bind for some reason. Am I running into > some permission issue? > >>> > >>> ~ # ifconfig > >>> wancom0 Link encap:Ethernet HWaddr 00:08:25:A4:09:10 > >>> inet addr:10.196.172.114 Bcast:10.196.255.255 > Mask:255.255.128.0 > >>> inet6 addr: fe80::208:25ff:fea4:910/64 Scope:Link > >>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > >>> RX packets:3871219 errors:0 dropped:1079 overruns:0 frame:0 > >>> TX packets:35917 errors:0 dropped:0 overruns:0 carrier:0 > >>> collisions:0 txqueuelen:1000 > >>> RX bytes:260061626 (248.0 MiB) TX bytes:7536742 (7.1 MiB) > >>> Memory:f7580000-f75fffff > >>> > >>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork > --stderrlog > >>> --interface 10.196.172.114 --listen 10.196.172.114 > >>> May 26 19:21:26.049457: bind() will be filtered for 10.196.172.114 > >>> Pluto initialized > >>> May 26 19:21:26.049752: NSS DB directory: sql:/etc/ipsec.d > >>> May 26 19:21:26.049834: Initializing NSS > >>> May 26 19:21:26.049846: Opening NSS database "sql:/etc/ipsec.d" > read-only > >>> May 26 19:21:26.129870: NSS initialized > >>> May 26 19:21:26.129884: NSS crypto library initialized > >>> May 26 19:21:26.129889: FIPS HMAC integrity support [disabled] > >>> May 26 19:21:26.129971: libcap-ng support [enabled] > >>> May 26 19:21:26.129982: Linux audit support [disabled] > >>> May 26 19:21:26.129988: Starting Pluto (Libreswan Version 3.25 > XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:13283 > >>> May 26 19:21:26.129994: core dump dir: /run/pluto > >>> May 26 19:21:26.129999: secrets file: /etc/ipsec.secrets > >>> May 26 19:21:26.130003: leak-detective disabled > >>> May 26 19:21:26.130008: NSS crypto [enabled] > >>> May 26 19:21:26.130011: XAUTH PAM support [disabled] > >>> May 26 19:21:26.130058: NAT-Traversal support [enabled] > >>> May 26 19:21:26.130077: Initializing libevent in pthreads mode: > headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500) > >>> May 26 19:21:26.130193: Encryption algorithms: > >>> May 26 19:21:26.130201: AES_CCM_16 IKEv1: ESP > IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c) > >>> May 26 19:21:26.130206: AES_CCM_12 IKEv1: ESP > IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b) > >>> May 26 19:21:26.130212: AES_CCM_8 IKEv1: ESP > IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a) > >>> May 26 19:21:26.130219: 3DES_CBC IKEv1: IKE ESP > IKEv2: IKE ESP FIPS [*192] (3des) > >>> May 26 19:21:26.130223: CAMELLIA_CTR IKEv1: ESP > IKEv2: ESP {256,192,*128} > >>> May 26 19:21:26.130227: CAMELLIA_CBC IKEv1: IKE ESP > IKEv2: IKE ESP {256,192,*128} (camellia) > >>> May 26 19:21:26.130231: AES_GCM_16 IKEv1: ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c) > >>> May 26 19:21:26.130236: AES_GCM_12 IKEv1: ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b) > >>> May 26 19:21:26.130239: AES_GCM_8 IKEv1: ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a) > >>> May 26 19:21:26.130245: AES_CTR IKEv1: IKE ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aesctr) > >>> May 26 19:21:26.130249: AES_CBC IKEv1: IKE ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes) > >>> May 26 19:21:26.130253: SERPENT_CBC IKEv1: IKE ESP > IKEv2: IKE ESP {256,192,*128} (serpent) > >>> May 26 19:21:26.130259: TWOFISH_CBC IKEv1: IKE ESP > IKEv2: IKE ESP {256,192,*128} (twofish) > >>> May 26 19:21:26.130263: TWOFISH_SSH IKEv1: IKE > IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh) > >>> May 26 19:21:26.130267: CAST_CBC IKEv1: ESP > IKEv2: ESP {*128} (cast) > >>> May 26 19:21:26.130272: NULL_AUTH_AES_GMAC IKEv1: ESP > IKEv2: ESP {256,192,*128} (aes_gmac) > >>> May 26 19:21:26.130275: NULL IKEv1: ESP > IKEv2: ESP [] > >>> May 26 19:21:26.130281: Hash algorithms: > >>> May 26 19:21:26.130285: MD5 IKEv1: IKE > IKEv2: > >>> May 26 19:21:26.130289: SHA1 IKEv1: IKE > IKEv2: FIPS (sha) > >>> May 26 19:21:26.130292: SHA2_256 IKEv1: IKE > IKEv2: FIPS (sha2 sha256) > >>> May 26 19:21:26.130295: SHA2_384 IKEv1: IKE > IKEv2: FIPS (sha384) > >>> May 26 19:21:26.130299: SHA2_512 IKEv1: IKE > IKEv2: FIPS (sha512) > >>> May 26 19:21:26.130307: PRF algorithms: > >>> May 26 19:21:26.130310: HMAC_MD5 IKEv1: IKE > IKEv2: IKE (md5) > >>> May 26 19:21:26.130314: HMAC_SHA1 IKEv1: IKE > IKEv2: IKE FIPS (sha sha1) > >>> May 26 19:21:26.130317: HMAC_SHA2_256 IKEv1: IKE > IKEv2: IKE FIPS (sha2 sha256 sha2_256) > >>> May 26 19:21:26.130321: HMAC_SHA2_384 IKEv1: IKE > IKEv2: IKE FIPS (sha384 sha2_384) > >>> May 26 19:21:26.130325: HMAC_SHA2_512 IKEv1: IKE > IKEv2: IKE FIPS (sha512 sha2_512) > >>> May 26 19:21:26.130328: AES_XCBC IKEv1: > IKEv2: IKE FIPS (aes128_xcbc) > >>> May 26 19:21:26.130338: Integrity algorithms: > >>> May 26 19:21:26.130342: HMAC_MD5_96 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH (md5 hmac_md5) > >>> May 26 19:21:26.130346: HMAC_SHA1_96 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1) > >>> May 26 19:21:26.130350: HMAC_SHA2_512_256 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512) > >>> May 26 19:21:26.130354: HMAC_SHA2_384_192 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384) > >>> May 26 19:21:26.130358: HMAC_SHA2_256_128 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256) > >>> May 26 19:21:26.130363: AES_XCBC_96 IKEv1: ESP AH > IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96) > >>> May 26 19:21:26.130366: AES_CMAC_96 IKEv1: ESP AH > IKEv2: ESP AH FIPS (aes_cmac) > >>> May 26 19:21:26.130370: NONE IKEv1: ESP > IKEv2: ESP FIPS (null) > >>> May 26 19:21:26.130379: DH algorithms: > >>> May 26 19:21:26.130382: NONE IKEv1: > IKEv2: IKE ESP AH (null dh0) > >>> May 26 19:21:26.130386: MODP1024 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH (dh2) > >>> May 26 19:21:26.130389: MODP1536 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH (dh5) > >>> May 26 19:21:26.130393: MODP2048 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh14) > >>> May 26 19:21:26.130396: MODP3072 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh15) > >>> May 26 19:21:26.130400: MODP4096 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh16) > >>> May 26 19:21:26.130403: MODP6144 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh17) > >>> May 26 19:21:26.130407: MODP8192 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh18) > >>> May 26 19:21:26.130411: DH19 IKEv1: IKE > IKEv2: IKE ESP AH FIPS (ecp_256) > >>> May 26 19:21:26.130414: DH20 IKEv1: IKE > IKEv2: IKE ESP AH FIPS (ecp_384) > >>> May 26 19:21:26.130418: DH21 IKEv1: IKE > IKEv2: IKE ESP AH FIPS (ecp_521) > >>> May 26 19:21:26.130422: DH23 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS > >>> May 26 19:21:26.130425: DH24 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS > >>> May 26 19:21:26.132693: starting up 7 crypto helpers > >>> May 26 19:21:26.132724: started thread for crypto helper 0 > >>> May 26 19:21:26.132740: started thread for crypto helper 1 > >>> May 26 19:21:26.132744: seccomp security for crypto helper not > supported > >>> May 26 19:21:26.132756: started thread for crypto helper 2 > >>> May 26 19:21:26.132762: seccomp security for crypto helper not > supported > >>> May 26 19:21:26.132794: started thread for crypto helper 3 > >>> May 26 19:21:26.132796: seccomp security for crypto helper not > supported > >>> May 26 19:21:26.132814: started thread for crypto helper 4 > >>> May 26 19:21:26.132758: seccomp security for crypto helper not > supported > >>> May 26 19:21:26.133265: started thread for crypto helper 5 > >>> May 26 19:21:26.133267: seccomp security for crypto helper not > supported > >>> May 26 19:21:26.133292: started thread for crypto helper 6 > >>> May 26 19:21:26.133296: seccomp security for crypto helper not > supported > >>> May 26 19:21:26.133320: Using Linux XFRM/NETKEY IPsec interface code > on 4.14.35 > >>> May 26 19:21:26.132829: seccomp security for crypto helper not > supported > >>> May 26 19:21:26.266276: seccomp security not supported > >>> May 26 19:21:26.267538: added connection description "radius" > >>> May 26 19:21:26.267588: listening for IKE messages > >>> May 26 19:21:26.267609: FATAL ERROR: bind() failed in > find_raw_ifaces4(). Errno 98: Address already in use > >>> May 26 19:21:26.267619: "radius": deleting non-instance connection > >>> connect(pluto_ctl) failed: No such file or directory > >>> ~ # > >>> > >>> Thanks, > >>> Balaji > >>> > >>>> On Tue, May 26, 2020 at 3:01 PM Balaji Thoguluva <[email protected]> > wrote: > >>>> Thanks Paul. > >>>> > >>>> Another question. > >>>> > >>>> I have integrated Libreswan source code and its dependent binaries to > my Linux based project. Please note that the Linux OS I have is not a > full-blown OS but a stripped down version with limited features. > >>>> > >>>> When I try to invoke pluto like this, > >>>> > >>>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork > --stderrlog > >>>> Pluto initialized > >>>> May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d > >>>> May 26 18:22:44.640085: Initializing NSS > >>>> May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d" > read-only > >>>> May 26 18:22:44.749626: NSS initialized > >>>> May 26 18:22:44.749643: NSS crypto library initialized > >>>> May 26 18:22:44.749649: FIPS HMAC integrity support [disabled] > >>>> May 26 18:22:44.749770: libcap-ng support [enabled] > >>>> May 26 18:22:44.749778: Linux audit support [disabled] > >>>> May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25 > XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445 > >>>> May 26 18:22:44.749792: core dump dir: /run/pluto > >>>> May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets > >>>> May 26 18:22:44.749808: leak-detective disabled > >>>> May 26 18:22:44.749814: NSS crypto [enabled] > >>>> May 26 18:22:44.749819: XAUTH PAM support [disabled] > >>>> May 26 18:22:44.749926: NAT-Traversal support [enabled] > >>>> May 26 18:22:44.749958: Initializing libevent in pthreads mode: > headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500) > >>>> May 26 18:22:44.750135: Encryption algorithms: > >>>> May 26 18:22:44.750148: AES_CCM_16 IKEv1: ESP > IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c) > >>>> May 26 18:22:44.750156: AES_CCM_12 IKEv1: ESP > IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b) > >>>> May 26 18:22:44.750164: AES_CCM_8 IKEv1: ESP > IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a) > >>>> May 26 18:22:44.750174: 3DES_CBC IKEv1: IKE ESP > IKEv2: IKE ESP FIPS [*192] (3des) > >>>> May 26 18:22:44.750182: CAMELLIA_CTR IKEv1: ESP > IKEv2: ESP {256,192,*128} > >>>> May 26 18:22:44.750190: CAMELLIA_CBC IKEv1: IKE ESP > IKEv2: IKE ESP {256,192,*128} (camellia) > >>>> May 26 18:22:44.750198: AES_GCM_16 IKEv1: ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c) > >>>> May 26 18:22:44.750206: AES_GCM_12 IKEv1: ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b) > >>>> May 26 18:22:44.750213: AES_GCM_8 IKEv1: ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a) > >>>> May 26 18:22:44.750224: AES_CTR IKEv1: IKE ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aesctr) > >>>> May 26 18:22:44.750231: AES_CBC IKEv1: IKE ESP > IKEv2: IKE ESP FIPS {256,192,*128} (aes) > >>>> May 26 18:22:44.750240: SERPENT_CBC IKEv1: IKE ESP > IKEv2: IKE ESP {256,192,*128} (serpent) > >>>> May 26 18:22:44.750248: TWOFISH_CBC IKEv1: IKE ESP > IKEv2: IKE ESP {256,192,*128} (twofish) > >>>> May 26 18:22:44.750255: TWOFISH_SSH IKEv1: IKE > IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh) > >>>> May 26 18:22:44.750262: CAST_CBC IKEv1: ESP > IKEv2: ESP {*128} (cast) > >>>> May 26 18:22:44.750280: NULL_AUTH_AES_GMAC IKEv1: ESP > IKEv2: ESP {256,192,*128} (aes_gmac) > >>>> May 26 18:22:44.750287: NULL IKEv1: ESP > IKEv2: ESP [] > >>>> May 26 18:22:44.750298: Hash algorithms: > >>>> May 26 18:22:44.750304: MD5 IKEv1: IKE > IKEv2: > >>>> May 26 18:22:44.750311: SHA1 IKEv1: IKE > IKEv2: FIPS (sha) > >>>> May 26 18:22:44.750325: SHA2_256 IKEv1: IKE > IKEv2: FIPS (sha2 sha256) > >>>> May 26 18:22:44.750333: SHA2_384 IKEv1: IKE > IKEv2: FIPS (sha384) > >>>> May 26 18:22:44.750340: SHA2_512 IKEv1: IKE > IKEv2: FIPS (sha512) > >>>> May 26 18:22:44.750354: PRF algorithms: > >>>> May 26 18:22:44.750360: HMAC_MD5 IKEv1: IKE > IKEv2: IKE (md5) > >>>> May 26 18:22:44.750369: HMAC_SHA1 IKEv1: IKE > IKEv2: IKE FIPS (sha sha1) > >>>> May 26 18:22:44.750377: HMAC_SHA2_256 IKEv1: IKE > IKEv2: IKE FIPS (sha2 sha256 sha2_256) > >>>> May 26 18:22:44.750383: HMAC_SHA2_384 IKEv1: IKE > IKEv2: IKE FIPS (sha384 sha2_384) > >>>> May 26 18:22:44.750389: HMAC_SHA2_512 IKEv1: IKE > IKEv2: IKE FIPS (sha512 sha2_512) > >>>> May 26 18:22:44.750396: AES_XCBC IKEv1: > IKEv2: IKE FIPS (aes128_xcbc) > >>>> May 26 18:22:44.750411: Integrity algorithms: > >>>> May 26 18:22:44.750420: HMAC_MD5_96 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH (md5 hmac_md5) > >>>> May 26 18:22:44.750426: HMAC_SHA1_96 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1) > >>>> May 26 18:22:44.750432: HMAC_SHA2_512_256 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512) > >>>> May 26 18:22:44.750439: HMAC_SHA2_384_192 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384) > >>>> May 26 18:22:44.750447: HMAC_SHA2_256_128 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256) > >>>> May 26 18:22:44.750453: AES_XCBC_96 IKEv1: ESP AH > IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96) > >>>> May 26 18:22:44.750460: AES_CMAC_96 IKEv1: ESP AH > IKEv2: ESP AH FIPS (aes_cmac) > >>>> May 26 18:22:44.750466: NONE IKEv1: ESP > IKEv2: ESP FIPS (null) > >>>> May 26 18:22:44.750491: DH algorithms: > >>>> May 26 18:22:44.750499: NONE IKEv1: > IKEv2: IKE ESP AH (null dh0) > >>>> May 26 18:22:44.750506: MODP1024 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH (dh2) > >>>> May 26 18:22:44.750513: MODP1536 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH (dh5) > >>>> May 26 18:22:44.750527: MODP2048 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh14) > >>>> May 26 18:22:44.750534: MODP3072 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh15) > >>>> May 26 18:22:44.750540: MODP4096 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh16) > >>>> May 26 18:22:44.750546: MODP6144 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh17) > >>>> May 26 18:22:44.750552: MODP8192 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS (dh18) > >>>> May 26 18:22:44.750559: DH19 IKEv1: IKE > IKEv2: IKE ESP AH FIPS (ecp_256) > >>>> May 26 18:22:44.750566: DH20 IKEv1: IKE > IKEv2: IKE ESP AH FIPS (ecp_384) > >>>> May 26 18:22:44.750574: DH21 IKEv1: IKE > IKEv2: IKE ESP AH FIPS (ecp_521) > >>>> May 26 18:22:44.750579: DH23 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS > >>>> May 26 18:22:44.750586: DH24 IKEv1: IKE ESP AH > IKEv2: IKE ESP AH FIPS > >>>> May 26 18:22:44.755598: starting up 7 crypto helpers > >>>> May 26 18:22:44.755652: started thread for crypto helper 0 > >>>> May 26 18:22:44.755655: seccomp security for crypto helper not > supported > >>>> May 26 18:22:44.755689: started thread for crypto helper 1 > >>>> May 26 18:22:44.755704: seccomp security for crypto helper not > supported > >>>> May 26 18:22:44.755721: started thread for crypto helper 2 > >>>> May 26 18:22:44.755723: seccomp security for crypto helper not > supported > >>>> May 26 18:22:44.755761: seccomp security for crypto helper not > supported > >>>> May 26 18:22:44.755761: started thread for crypto helper 3 > >>>> May 26 18:22:44.755798: started thread for crypto helper 4 > >>>> May 26 18:22:44.755799: seccomp security for crypto helper not > supported > >>>> May 26 18:22:44.755836: seccomp security for crypto helper not > supported > >>>> May 26 18:22:44.755836: started thread for crypto helper 5 > >>>> May 26 18:22:44.755884: started thread for crypto helper 6 > >>>> May 26 18:22:44.755885: seccomp security for crypto helper not > supported > >>>> May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code > on 4.14.35 > >>>> May 26 18:22:44.927272: seccomp security not supported > >>>> May 26 18:22:44.929155: added connection description "radius" > >>>> May 26 18:22:44.929200: listening for IKE messages > >>>> May 26 18:22:44.929229: FATAL ERROR: bind() failed in > find_raw_ifaces4(). Errno 98: Address already in use > >>>> May 26 18:22:44.929240: "radius": deleting non-instance connection > >>>> connect(pluto_ctl) failed: No such file or directory > >>>> ~ # > >>>> > >>>> I have the following conf file at /etc/ipsec.d/radius.conf > >>>> > >>>> conn radius > >>>> left=10.196.175.174 > >>>> leftid=10.196.175.174 > >>>> leftsubnet=10.196.175.174/32 > >>>> right=10.196.172.114 > >>>> rightid=10.196.172.114 > >>>> rightsubnet=10.196.172.114/32 > >>>> auto=start > >>>> > >>>> 10.196.172.114 is my local Linux interface and 10.196.175.174 is my > peer IP address where I want to establish an IKE connection to. > >>>> > >>>> ~ # netstat -an | grep 500 > >>>> udp 0 0 172.16.20.62:500 0.0.0.0:* > > >>>> udp 0 0 127.0.0.1:45006 0.0.0.0:* > > >>>> udp 0 0 172.16.20.62:4500 0.0.0.0:* > > >>>> unix 2 [ ] DGRAM 50035 > >>>> > >>>> ~ # netstat -an | grep 4500 > >>>> udp 0 0 127.0.0.1:45006 0.0.0.0:* > > >>>> udp 0 0 172.16.20.62:4500 0.0.0.0:* > > >>>> ~ # > >>>> > >>>> I don't see any other application binding to this port from > 10.196.172.114 address. > >>>> > >>>> Any idea on what I am missing here? > >>>> > >>>> Also a related question, if I plan to use VLAN on the network > interface in future, where do I specify the vlan-id in the Libreswan > configuration? > >>>> > >>>> Thanks, > >>>> Balaji > >>>> > >>>> > >>>>> On Sat, May 23, 2020 at 11:09 PM Paul Wouters <[email protected]> > wrote: > >>>>> Normally, only the ?ipsec? command is in a system sbin directory. > All sub commands, like ?ipsec pluto? or ?ipsec auto? are in the > libexec/ipsec directory. Those starting with an underscore are deemed > ?internal only? and should not be called by humans. > >>>>> > >>>>> Sent from my iPhone > >>>>> > >>>>>>> On May 23, 2020, at 21:29, Balaji Thoguluva <[email protected]> > wrote: > >>>>>>> > >>>>>> ? > >>>>>> Please ignore my question in my previous email. I found that it is > in /usr/local/sbin. > >>>>>> > >>>>>> Thanks, > >>>>>> Balaji > >>>>>> > >>>>>>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva < > [email protected]> wrote: > >>>>>>> Hi Paul, > >>>>>>> > >>>>>>> Thanks for the continued support. > >>>>>>> > >>>>>>> I have integrated Libreswan source code with my Linux-based > project and integrated binaries of the Libreswan's dependencies and I am > able to build the project. > >>>>>>> > >>>>>>> Can I access the ipsec executable in the built Linux project? If > so, where does the ipsec executable typically reside? I could not find it > under /usr/sbin, /usr/libexec/ipsec. > >>>>>>> > >>>>>>> Any suggestions. > >>>>>>> > >>>>>>> Thanks, > >>>>>>> Balaji > >>>>>>> > >>>>>>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <[email protected]> > wrote: > >>>>>>>> On Mon, 18 May 2020, Balaji Thoguluva wrote: > >>>>>>>> > >>>>>>>> > I have some general security-policies that just allow the > traffic to pass through the system (i.e., no IPsec is applied to those > traffic). Say for example, allow all traffic > >>>>>>>> > of of certain source and destination IP and source and > destination port as 5060 (SIP traffic) not processed by IPsec. > >>>>>>>> > > >>>>>>>> > In that case, how do I convey this security-policy behavior to > Libreswan via the script? What parameters need to be configured? Should I > create a separate connection section? > >>>>>>>> > >>>>>>>> I would still recommend you do not do this. Double encryption > isn't the > >>>>>>>> worst these days. Excluding will allow people to see things even > if not > >>>>>>>> encrypted. For example, TLS still leaks SNI in cleartext. > >>>>>>>> > >>>>>>>> That said, you can simply create the exceptions by doing: > >>>>>>>> > >>>>>>>> Individual conn solutions: > >>>>>>>> > >>>>>>>> conn skip-tls-out > >>>>>>>> left=%defaultroute > >>>>>>>> right=0.0.0.0 > >>>>>>>> leftprotoport=tcp/0 > >>>>>>>> rightprotoport=tcp/443 > >>>>>>>> authby=never > >>>>>>>> auto=route > >>>>>>>> > >>>>>>>> You would do something similar but flipped for incoming TLS. If > there is > >>>>>>>> a mismatch of these between hosts, all communication will fail > because > >>>>>>>> whoever does not have the "cleartext hole" will drop the received > clear > >>>>>>>> text traffic. > >>>>>>>> > >>>>>>>> Mesh solution: > >>>>>>>> > >>>>>>>> When using mesh encryption (Oportunistic IPsec), you can also > specify > >>>>>>>> the nodes for specific "clear" using protocols and ports. In > general, > >>>>>>>> longest prefix first wins with these type of rule matchines > >>>>>>>> > >>>>>>>> # /etc/ipsec.d/policies/private > >>>>>>>> 10.0.0.0/8 > >>>>>>>> > >>>>>>>> # /etc/ipsec.d/policies/clear > >>>>>>>> 10.0.0.0/24 tcp 0 443 > >>>>>>>> 1.0.0.0/0 tcp 443 0 > >>>>>>>> > >>>>>>>> > >>>>>>>> Paul > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://lists.libreswan.org/pipermail/swan-dev/attachments/20200530/3a76aade/attachment.html > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > Swan-dev mailing list > [email protected] > https://lists.libreswan.org/mailman/listinfo/swan-dev > > > ------------------------------ > > End of Swan-dev Digest, Vol 88, Issue 27 > **************************************** >
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
