On Sun 31 May 2020, 03:53 <[email protected] wrote:
Send Swan-dev mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.libreswan.org/mailman/listinfo/swan-dev
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Swan-dev digest..."
Today's Topics:
1. Re: Integrating Libreswan for IKEv2 and IPsec (Paul Wouters)
----------------------------------------------------------------------
Message: 1
Date: Sat, 30 May 2020 22:52:53 -0400
From: Paul Wouters <[email protected]>
To: Balaji Thoguluva <[email protected]>
Cc: [email protected]
Subject: Re: [Swan-dev] Integrating Libreswan for IKEv2 and IPsec
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Most of XFRM and ESP
Paul
Sent from my iPhone
> On May 30, 2020, at 21:23, Balaji Thoguluva <[email protected]> wrote:
>
> ?
> Hi Paul et al.,
>
> If I assume the above error is because the required kernel modules
required by Libreswan are not
included or built with the Linux kernel, can anybody refer me to the list
of kernel modules that needs
to be included required by the Libreswan that would avoid this error?
>
> If my assumption is not correct, please advise me on how to proceed
further.
>
> Thanks,
> Balaji
>
>> On Sat, May 30, 2020 at 6:34 PM Balaji Thoguluva <[email protected]>
wrote:
>> Hi All,
>>
>> Please ignore my previous question.
>>
>> I was able to proceed further. Now I am able to get the IKE
negotiation going successfully but when
it attempts to install SA's to Linux kernel, it runs into an error. Here
is the pluto logs.
>>
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: initiating v2
parent SA
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local IKE
proposals for radius (IKE SA
initiator selecting KE):
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1536
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: STATE_PARENT_I1:
sent v2I1, expected v2R1
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: WARNING:
connection radius PSK length of 6
bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #1: local ESP/AH
proposals for radius (IKE SA
initiator emitting ESP/AH proposals):
1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: STATE_PARENT_I2:
sent v2I2, expected v2R2
{auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP1536}
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: IKEv2 mode peer
ID is ID_IPV4_ADDR:
'10.196.175.174'
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: WARNING:
connection radius PSK length of 6
bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: Authenticated
using authby=secret
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink
response for Add SA
[email protected] included errno 93: Protocol not supported
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2:
setup_half_ipsec_sa() hit fail:
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: deleting state
(STATE_PARENT_I2) and NOT
sending notification
>> May 30 19:44:33 [localhost] pluto[6455]: "radius" #2: ERROR: netlink
response for Del SA
[email protected] included errno 3: No such process
>>
>> Am I missing anything and any idea on how to overcome this error?
>>
>> Advance thanks.
>>
>> Regards,
>> Balaji
>>
>>> On Tue, May 26, 2020 at 3:52 PM Balaji Thoguluva <[email protected]>
wrote:
>>> I attempted to specify the IP address explicitly as a command line
argument, but it still fails to
bind for some reason. Am I running into some permission issue?
>>>
>>> ~ # ifconfig
>>> wancom0 Link encap:Ethernet HWaddr 00:08:25:A4:09:10
>>> inet addr:10.196.172.114 Bcast:10.196.255.255
Mask:255.255.128.0
>>> inet6 addr: fe80::208:25ff:fea4:910/64 Scope:Link
>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>> RX packets:3871219 errors:0 dropped:1079 overruns:0 frame:0
>>> TX packets:35917 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:1000
>>> RX bytes:260061626 (248.0 MiB) TX bytes:7536742 (7.1 MiB)
>>> Memory:f7580000-f75fffff
>>>
>>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
--stderrlog
>>> --interface 10.196.172.114 --listen 10.196.172.114
>>> May 26 19:21:26.049457: bind() will be filtered for 10.196.172.114
>>> Pluto initialized
>>> May 26 19:21:26.049752: NSS DB directory: sql:/etc/ipsec.d
>>> May 26 19:21:26.049834: Initializing NSS
>>> May 26 19:21:26.049846: Opening NSS database "sql:/etc/ipsec.d"
read-only
>>> May 26 19:21:26.129870: NSS initialized
>>> May 26 19:21:26.129884: NSS crypto library initialized
>>> May 26 19:21:26.129889: FIPS HMAC integrity support [disabled]
>>> May 26 19:21:26.129971: libcap-ng support [enabled]
>>> May 26 19:21:26.129982: Linux audit support [disabled]
>>> May 26 19:21:26.129988: Starting Pluto (Libreswan Version 3.25
XFRM(netkey) FORK
PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:13283
>>> May 26 19:21:26.129994: core dump dir: /run/pluto
>>> May 26 19:21:26.129999: secrets file: /etc/ipsec.secrets
>>> May 26 19:21:26.130003: leak-detective disabled
>>> May 26 19:21:26.130008: NSS crypto [enabled]
>>> May 26 19:21:26.130011: XAUTH PAM support [disabled]
>>> May 26 19:21:26.130058: NAT-Traversal support [enabled]
>>> May 26 19:21:26.130077: Initializing libevent in pthreads mode:
headers: 2.0.21-stable (2001500);
library: 2.0.21-stable (2001500)
>>> May 26 19:21:26.130193: Encryption algorithms:
>>> May 26 19:21:26.130201: AES_CCM_16 IKEv1: ESP
IKEv2: ESP FIPS
{256,192,*128} (aes_ccm aes_ccm_c)
>>> May 26 19:21:26.130206: AES_CCM_12 IKEv1: ESP
IKEv2: ESP FIPS
{256,192,*128} (aes_ccm_b)
>>> May 26 19:21:26.130212: AES_CCM_8 IKEv1: ESP
IKEv2: ESP FIPS
{256,192,*128} (aes_ccm_a)
>>> May 26 19:21:26.130219: 3DES_CBC IKEv1: IKE ESP
IKEv2: IKE ESP FIPS [*192]
(3des)
>>> May 26 19:21:26.130223: CAMELLIA_CTR IKEv1: ESP
IKEv2: ESP
{256,192,*128}
>>> May 26 19:21:26.130227: CAMELLIA_CBC IKEv1: IKE ESP
IKEv2: IKE ESP
{256,192,*128} (camellia)
>>> May 26 19:21:26.130231: AES_GCM_16 IKEv1: ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes_gcm aes_gcm_c)
>>> May 26 19:21:26.130236: AES_GCM_12 IKEv1: ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes_gcm_b)
>>> May 26 19:21:26.130239: AES_GCM_8 IKEv1: ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes_gcm_a)
>>> May 26 19:21:26.130245: AES_CTR IKEv1: IKE ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aesctr)
>>> May 26 19:21:26.130249: AES_CBC IKEv1: IKE ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes)
>>> May 26 19:21:26.130253: SERPENT_CBC IKEv1: IKE ESP
IKEv2: IKE ESP
{256,192,*128} (serpent)
>>> May 26 19:21:26.130259: TWOFISH_CBC IKEv1: IKE ESP
IKEv2: IKE ESP
{256,192,*128} (twofish)
>>> May 26 19:21:26.130263: TWOFISH_SSH IKEv1: IKE
IKEv2: IKE ESP
{256,192,*128} (twofish_cbc_ssh)
>>> May 26 19:21:26.130267: CAST_CBC IKEv1: ESP
IKEv2: ESP {*128}
(cast)
>>> May 26 19:21:26.130272: NULL_AUTH_AES_GMAC IKEv1: ESP
IKEv2: ESP
{256,192,*128} (aes_gmac)
>>> May 26 19:21:26.130275: NULL IKEv1: ESP
IKEv2: ESP []
>>> May 26 19:21:26.130281: Hash algorithms:
>>> May 26 19:21:26.130285: MD5 IKEv1: IKE
IKEv2:
>>> May 26 19:21:26.130289: SHA1 IKEv1: IKE
IKEv2: FIPS (sha)
>>> May 26 19:21:26.130292: SHA2_256 IKEv1: IKE
IKEv2: FIPS (sha2
sha256)
>>> May 26 19:21:26.130295: SHA2_384 IKEv1: IKE
IKEv2: FIPS (sha384)
>>> May 26 19:21:26.130299: SHA2_512 IKEv1: IKE
IKEv2: FIPS (sha512)
>>> May 26 19:21:26.130307: PRF algorithms:
>>> May 26 19:21:26.130310: HMAC_MD5 IKEv1: IKE
IKEv2: IKE (md5)
>>> May 26 19:21:26.130314: HMAC_SHA1 IKEv1: IKE
IKEv2: IKE FIPS (sha
sha1)
>>> May 26 19:21:26.130317: HMAC_SHA2_256 IKEv1: IKE
IKEv2: IKE FIPS (sha2
sha256 sha2_256)
>>> May 26 19:21:26.130321: HMAC_SHA2_384 IKEv1: IKE
IKEv2: IKE FIPS (sha384
sha2_384)
>>> May 26 19:21:26.130325: HMAC_SHA2_512 IKEv1: IKE
IKEv2: IKE FIPS (sha512
sha2_512)
>>> May 26 19:21:26.130328: AES_XCBC IKEv1:
IKEv2: IKE FIPS
(aes128_xcbc)
>>> May 26 19:21:26.130338: Integrity algorithms:
>>> May 26 19:21:26.130342: HMAC_MD5_96 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (md5
hmac_md5)
>>> May 26 19:21:26.130346: HMAC_SHA1_96 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha
sha1 sha1_96 hmac_sha1)
>>> May 26 19:21:26.130350: HMAC_SHA2_512_256 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha512
sha2_512 hmac_sha2_512)
>>> May 26 19:21:26.130354: HMAC_SHA2_384_192 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha384
sha2_384 hmac_sha2_384)
>>> May 26 19:21:26.130358: HMAC_SHA2_256_128 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha2
sha256 sha2_256 hmac_sha2_256)
>>> May 26 19:21:26.130363: AES_XCBC_96 IKEv1: ESP AH
IKEv2: IKE ESP AH FIPS
(aes_xcbc aes128_xcbc aes128_xcbc_96)
>>> May 26 19:21:26.130366: AES_CMAC_96 IKEv1: ESP AH
IKEv2: ESP AH FIPS
(aes_cmac)
>>> May 26 19:21:26.130370: NONE IKEv1: ESP
IKEv2: ESP FIPS (null)
>>> May 26 19:21:26.130379: DH algorithms:
>>> May 26 19:21:26.130382: NONE IKEv1:
IKEv2: IKE ESP AH (null
dh0)
>>> May 26 19:21:26.130386: MODP1024 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (dh2)
>>> May 26 19:21:26.130389: MODP1536 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (dh5)
>>> May 26 19:21:26.130393: MODP2048 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh14)
>>> May 26 19:21:26.130396: MODP3072 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh15)
>>> May 26 19:21:26.130400: MODP4096 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh16)
>>> May 26 19:21:26.130403: MODP6144 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh17)
>>> May 26 19:21:26.130407: MODP8192 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh18)
>>> May 26 19:21:26.130411: DH19 IKEv1: IKE
IKEv2: IKE ESP AH FIPS
(ecp_256)
>>> May 26 19:21:26.130414: DH20 IKEv1: IKE
IKEv2: IKE ESP AH FIPS
(ecp_384)
>>> May 26 19:21:26.130418: DH21 IKEv1: IKE
IKEv2: IKE ESP AH FIPS
(ecp_521)
>>> May 26 19:21:26.130422: DH23 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS
>>> May 26 19:21:26.130425: DH24 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS
>>> May 26 19:21:26.132693: starting up 7 crypto helpers
>>> May 26 19:21:26.132724: started thread for crypto helper 0
>>> May 26 19:21:26.132740: started thread for crypto helper 1
>>> May 26 19:21:26.132744: seccomp security for crypto helper not
supported
>>> May 26 19:21:26.132756: started thread for crypto helper 2
>>> May 26 19:21:26.132762: seccomp security for crypto helper not
supported
>>> May 26 19:21:26.132794: started thread for crypto helper 3
>>> May 26 19:21:26.132796: seccomp security for crypto helper not
supported
>>> May 26 19:21:26.132814: started thread for crypto helper 4
>>> May 26 19:21:26.132758: seccomp security for crypto helper not
supported
>>> May 26 19:21:26.133265: started thread for crypto helper 5
>>> May 26 19:21:26.133267: seccomp security for crypto helper not
supported
>>> May 26 19:21:26.133292: started thread for crypto helper 6
>>> May 26 19:21:26.133296: seccomp security for crypto helper not
supported
>>> May 26 19:21:26.133320: Using Linux XFRM/NETKEY IPsec interface code
on 4.14.35
>>> May 26 19:21:26.132829: seccomp security for crypto helper not
supported
>>> May 26 19:21:26.266276: seccomp security not supported
>>> May 26 19:21:26.267538: added connection description "radius"
>>> May 26 19:21:26.267588: listening for IKE messages
>>> May 26 19:21:26.267609: FATAL ERROR: bind() failed in
find_raw_ifaces4(). Errno 98: Address
already in use
>>> May 26 19:21:26.267619: "radius": deleting non-instance connection
>>> connect(pluto_ctl) failed: No such file or directory
>>> ~ #
>>>
>>> Thanks,
>>> Balaji
>>>
>>>> On Tue, May 26, 2020 at 3:01 PM Balaji Thoguluva
<[email protected]> wrote:
>>>> Thanks Paul.
>>>>
>>>> Another question.
>>>>
>>>> I have integrated Libreswan source code and its dependent binaries
to my Linux based project.
Please note that the Linux OS I have is not a full-blown OS but a
stripped down version with limited
features.
>>>>
>>>> When I try to invoke pluto like this,
>>>>
>>>> ~ # /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
--stderrlog
>>>> Pluto initialized
>>>> May 26 18:22:44.640004: NSS DB directory: sql:/etc/ipsec.d
>>>> May 26 18:22:44.640085: Initializing NSS
>>>> May 26 18:22:44.640092: Opening NSS database "sql:/etc/ipsec.d"
read-only
>>>> May 26 18:22:44.749626: NSS initialized
>>>> May 26 18:22:44.749643: NSS crypto library initialized
>>>> May 26 18:22:44.749649: FIPS HMAC integrity support [disabled]
>>>> May 26 18:22:44.749770: libcap-ng support [enabled]
>>>> May 26 18:22:44.749778: Linux audit support [disabled]
>>>> May 26 18:22:44.749786: Starting Pluto (Libreswan Version 3.25
XFRM(netkey) FORK
PTHREAD_SETSCHEDPRIO NSS (AVA copy) LIBCAP_NG) pid:11445
>>>> May 26 18:22:44.749792: core dump dir: /run/pluto
>>>> May 26 18:22:44.749801: secrets file: /etc/ipsec.secrets
>>>> May 26 18:22:44.749808: leak-detective disabled
>>>> May 26 18:22:44.749814: NSS crypto [enabled]
>>>> May 26 18:22:44.749819: XAUTH PAM support [disabled]
>>>> May 26 18:22:44.749926: NAT-Traversal support [enabled]
>>>> May 26 18:22:44.749958: Initializing libevent in pthreads mode:
headers: 2.0.21-stable (2001500);
library: 2.0.21-stable (2001500)
>>>> May 26 18:22:44.750135: Encryption algorithms:
>>>> May 26 18:22:44.750148: AES_CCM_16 IKEv1: ESP
IKEv2: ESP FIPS
{256,192,*128} (aes_ccm aes_ccm_c)
>>>> May 26 18:22:44.750156: AES_CCM_12 IKEv1: ESP
IKEv2: ESP FIPS
{256,192,*128} (aes_ccm_b)
>>>> May 26 18:22:44.750164: AES_CCM_8 IKEv1: ESP
IKEv2: ESP FIPS
{256,192,*128} (aes_ccm_a)
>>>> May 26 18:22:44.750174: 3DES_CBC IKEv1: IKE ESP
IKEv2: IKE ESP FIPS [*192]
(3des)
>>>> May 26 18:22:44.750182: CAMELLIA_CTR IKEv1: ESP
IKEv2: ESP
{256,192,*128}
>>>> May 26 18:22:44.750190: CAMELLIA_CBC IKEv1: IKE ESP
IKEv2: IKE ESP
{256,192,*128} (camellia)
>>>> May 26 18:22:44.750198: AES_GCM_16 IKEv1: ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes_gcm aes_gcm_c)
>>>> May 26 18:22:44.750206: AES_GCM_12 IKEv1: ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes_gcm_b)
>>>> May 26 18:22:44.750213: AES_GCM_8 IKEv1: ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes_gcm_a)
>>>> May 26 18:22:44.750224: AES_CTR IKEv1: IKE ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aesctr)
>>>> May 26 18:22:44.750231: AES_CBC IKEv1: IKE ESP
IKEv2: IKE ESP FIPS
{256,192,*128} (aes)
>>>> May 26 18:22:44.750240: SERPENT_CBC IKEv1: IKE ESP
IKEv2: IKE ESP
{256,192,*128} (serpent)
>>>> May 26 18:22:44.750248: TWOFISH_CBC IKEv1: IKE ESP
IKEv2: IKE ESP
{256,192,*128} (twofish)
>>>> May 26 18:22:44.750255: TWOFISH_SSH IKEv1: IKE
IKEv2: IKE ESP
{256,192,*128} (twofish_cbc_ssh)
>>>> May 26 18:22:44.750262: CAST_CBC IKEv1: ESP
IKEv2: ESP {*128}
(cast)
>>>> May 26 18:22:44.750280: NULL_AUTH_AES_GMAC IKEv1: ESP
IKEv2: ESP
{256,192,*128} (aes_gmac)
>>>> May 26 18:22:44.750287: NULL IKEv1: ESP
IKEv2: ESP []
>>>> May 26 18:22:44.750298: Hash algorithms:
>>>> May 26 18:22:44.750304: MD5 IKEv1: IKE
IKEv2:
>>>> May 26 18:22:44.750311: SHA1 IKEv1: IKE
IKEv2: FIPS (sha)
>>>> May 26 18:22:44.750325: SHA2_256 IKEv1: IKE
IKEv2: FIPS (sha2
sha256)
>>>> May 26 18:22:44.750333: SHA2_384 IKEv1: IKE
IKEv2: FIPS
(sha384)
>>>> May 26 18:22:44.750340: SHA2_512 IKEv1: IKE
IKEv2: FIPS
(sha512)
>>>> May 26 18:22:44.750354: PRF algorithms:
>>>> May 26 18:22:44.750360: HMAC_MD5 IKEv1: IKE
IKEv2: IKE (md5)
>>>> May 26 18:22:44.750369: HMAC_SHA1 IKEv1: IKE
IKEv2: IKE FIPS (sha
sha1)
>>>> May 26 18:22:44.750377: HMAC_SHA2_256 IKEv1: IKE
IKEv2: IKE FIPS (sha2
sha256 sha2_256)
>>>> May 26 18:22:44.750383: HMAC_SHA2_384 IKEv1: IKE
IKEv2: IKE FIPS (sha384
sha2_384)
>>>> May 26 18:22:44.750389: HMAC_SHA2_512 IKEv1: IKE
IKEv2: IKE FIPS (sha512
sha2_512)
>>>> May 26 18:22:44.750396: AES_XCBC IKEv1:
IKEv2: IKE FIPS
(aes128_xcbc)
>>>> May 26 18:22:44.750411: Integrity algorithms:
>>>> May 26 18:22:44.750420: HMAC_MD5_96 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (md5
hmac_md5)
>>>> May 26 18:22:44.750426: HMAC_SHA1_96 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha
sha1 sha1_96 hmac_sha1)
>>>> May 26 18:22:44.750432: HMAC_SHA2_512_256 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha512
sha2_512 hmac_sha2_512)
>>>> May 26 18:22:44.750439: HMAC_SHA2_384_192 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha384
sha2_384 hmac_sha2_384)
>>>> May 26 18:22:44.750447: HMAC_SHA2_256_128 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha2
sha256 sha2_256 hmac_sha2_256)
>>>> May 26 18:22:44.750453: AES_XCBC_96 IKEv1: ESP AH
IKEv2: IKE ESP AH FIPS
(aes_xcbc aes128_xcbc aes128_xcbc_96)
>>>> May 26 18:22:44.750460: AES_CMAC_96 IKEv1: ESP AH
IKEv2: ESP AH FIPS
(aes_cmac)
>>>> May 26 18:22:44.750466: NONE IKEv1: ESP
IKEv2: ESP FIPS (null)
>>>> May 26 18:22:44.750491: DH algorithms:
>>>> May 26 18:22:44.750499: NONE IKEv1:
IKEv2: IKE ESP AH (null
dh0)
>>>> May 26 18:22:44.750506: MODP1024 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (dh2)
>>>> May 26 18:22:44.750513: MODP1536 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (dh5)
>>>> May 26 18:22:44.750527: MODP2048 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh14)
>>>> May 26 18:22:44.750534: MODP3072 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh15)
>>>> May 26 18:22:44.750540: MODP4096 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh16)
>>>> May 26 18:22:44.750546: MODP6144 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh17)
>>>> May 26 18:22:44.750552: MODP8192 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh18)
>>>> May 26 18:22:44.750559: DH19 IKEv1: IKE
IKEv2: IKE ESP AH FIPS
(ecp_256)
>>>> May 26 18:22:44.750566: DH20 IKEv1: IKE
IKEv2: IKE ESP AH FIPS
(ecp_384)
>>>> May 26 18:22:44.750574: DH21 IKEv1: IKE
IKEv2: IKE ESP AH FIPS
(ecp_521)
>>>> May 26 18:22:44.750579: DH23 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS
>>>> May 26 18:22:44.750586: DH24 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS
>>>> May 26 18:22:44.755598: starting up 7 crypto helpers
>>>> May 26 18:22:44.755652: started thread for crypto helper 0
>>>> May 26 18:22:44.755655: seccomp security for crypto helper not
supported
>>>> May 26 18:22:44.755689: started thread for crypto helper 1
>>>> May 26 18:22:44.755704: seccomp security for crypto helper not
supported
>>>> May 26 18:22:44.755721: started thread for crypto helper 2
>>>> May 26 18:22:44.755723: seccomp security for crypto helper not
supported
>>>> May 26 18:22:44.755761: seccomp security for crypto helper not
supported
>>>> May 26 18:22:44.755761: started thread for crypto helper 3
>>>> May 26 18:22:44.755798: started thread for crypto helper 4
>>>> May 26 18:22:44.755799: seccomp security for crypto helper not
supported
>>>> May 26 18:22:44.755836: seccomp security for crypto helper not
supported
>>>> May 26 18:22:44.755836: started thread for crypto helper 5
>>>> May 26 18:22:44.755884: started thread for crypto helper 6
>>>> May 26 18:22:44.755885: seccomp security for crypto helper not
supported
>>>> May 26 18:22:44.755929: Using Linux XFRM/NETKEY IPsec interface code
on 4.14.35
>>>> May 26 18:22:44.927272: seccomp security not supported
>>>> May 26 18:22:44.929155: added connection description "radius"
>>>> May 26 18:22:44.929200: listening for IKE messages
>>>> May 26 18:22:44.929229: FATAL ERROR: bind() failed in
find_raw_ifaces4(). Errno 98: Address
already in use
>>>> May 26 18:22:44.929240: "radius": deleting non-instance connection
>>>> connect(pluto_ctl) failed: No such file or directory
>>>> ~ #
>>>>
>>>> I have the following conf file at /etc/ipsec.d/radius.conf
>>>>
>>>> conn radius
>>>> left=10.196.175.174
>>>> leftid=10.196.175.174
>>>> leftsubnet=10.196.175.174/32
>>>> right=10.196.172.114
>>>> rightid=10.196.172.114
>>>> rightsubnet=10.196.172.114/32
>>>> auto=start
>>>>
>>>> 10.196.172.114 is my local Linux interface and 10.196.175.174 is my
peer IP address where I want
to establish an IKE connection to.
>>>>
>>>> ~ # netstat -an | grep 500
>>>> udp 0 0 172.16.20.62:500 0.0.0.0:*
>>>> udp 0 0 127.0.0.1:45006 0.0.0.0:*
>>>> udp 0 0 172.16.20.62:4500 0.0.0.0:*
>>>> unix 2 [ ] DGRAM 50035
>>>>
>>>> ~ # netstat -an | grep 4500
>>>> udp 0 0 127.0.0.1:45006 0.0.0.0:*
>>>> udp 0 0 172.16.20.62:4500 0.0.0.0:*
>>>> ~ #
>>>>
>>>> I don't see any other application binding to this port from
10.196.172.114 address.
>>>>
>>>> Any idea on what I am missing here?
>>>>
>>>> Also a related question, if I plan to use VLAN on the network
interface in future, where do I
specify the vlan-id in the Libreswan configuration?
>>>>
>>>> Thanks,
>>>> Balaji
>>>>
>>>>
>>>>> On Sat, May 23, 2020 at 11:09 PM Paul Wouters <[email protected]>
wrote:
>>>>> Normally, only the ?ipsec? command is in a system sbin directory.
All sub commands, like ?ipsec
pluto? or ?ipsec auto? are in the libexec/ipsec directory. Those starting
with an underscore are
deemed ?internal only? and should not be called by humans.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>>> On May 23, 2020, at 21:29, Balaji Thoguluva <[email protected]>
wrote:
>>>>>>>
>>>>>> ?
>>>>>> Please ignore my question in my previous email. I found that it is
in /usr/local/sbin.
>>>>>>
>>>>>> Thanks,
>>>>>> Balaji
>>>>>>
>>>>>>> On Sat, May 23, 2020 at 1:23 PM Balaji Thoguluva
<[email protected]> wrote:
>>>>>>> Hi Paul,
>>>>>>>
>>>>>>> Thanks for the continued support.
>>>>>>>
>>>>>>> I have integrated Libreswan source code with my Linux-based
project and integrated binaries of
the Libreswan's dependencies and I am able to build the project.
>>>>>>>
>>>>>>> Can I access the ipsec executable in the built Linux project? If
so, where does the ipsec
executable typically reside? I could not find it under /usr/sbin,
/usr/libexec/ipsec.
>>>>>>>
>>>>>>> Any suggestions.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Balaji
>>>>>>>
>>>>>>>> On Mon, May 18, 2020 at 3:05 PM Paul Wouters <[email protected]>
wrote:
>>>>>>>> On Mon, 18 May 2020, Balaji Thoguluva wrote:
>>>>>>>>
>>>>>>>> > I have some general security-policies that just allow the
traffic to pass through the
system (i.e., no IPsec is applied to those traffic). Say for example,
allow all traffic
>>>>>>>> > of of certain source and destination IP and source and
destination port as 5060 (SIP
traffic) not processed by IPsec.
>>>>>>>> >
>>>>>>>> > In that case, how do I convey this security-policy behavior to
Libreswan via the script?
What parameters need to be configured? Should I create a separate
connection section?
>>>>>>>>
>>>>>>>> I would still recommend you do not do this. Double encryption
isn't the
>>>>>>>> worst these days. Excluding will allow people to see things even
if not
>>>>>>>> encrypted. For example, TLS still leaks SNI in cleartext.
>>>>>>>>
>>>>>>>> That said, you can simply create the exceptions by doing:
>>>>>>>>
>>>>>>>> Individual conn solutions:
>>>>>>>>
>>>>>>>> conn skip-tls-out
>>>>>>>> left=%defaultroute
>>>>>>>> right=0.0.0.0
>>>>>>>> leftprotoport=tcp/0
>>>>>>>> rightprotoport=tcp/443
>>>>>>>> authby=never
>>>>>>>> auto=route
>>>>>>>>
>>>>>>>> You would do something similar but flipped for incoming TLS. If
there is
>>>>>>>> a mismatch of these between hosts, all communication will fail
because
>>>>>>>> whoever does not have the "cleartext hole" will drop the
received clear
>>>>>>>> text traffic.
>>>>>>>>
>>>>>>>> Mesh solution:
>>>>>>>>
>>>>>>>> When using mesh encryption (Oportunistic IPsec), you can also
specify
>>>>>>>> the nodes for specific "clear" using protocols and ports. In
general,
>>>>>>>> longest prefix first wins with these type of rule matchines
>>>>>>>>
>>>>>>>> # /etc/ipsec.d/policies/private
>>>>>>>> 10.0.0.0/8
>>>>>>>>
>>>>>>>> # /etc/ipsec.d/policies/clear
>>>>>>>> 10.0.0.0/24 tcp 0 443
>>>>>>>> 1.0.0.0/0 tcp 443 0
>>>>>>>>
>>>>>>>>
>>>>>>>> Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.libreswan.org/pipermail/swan-dev/attachments/20200530/3a76aade/attachment.html>
------------------------------
Subject: Digest Footer
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
------------------------------
End of Swan-dev Digest, Vol 88, Issue 27
****************************************
