On Thu, 5 Mar 2015, Aaron wrote:
> Thanks a lot Paul. A few more questions.
>
> 1) Do I also need leftcert=leftnickname and rightcert=rightnickname ?
When using certificates you need something yes. Usually you install the CA cert and client cert/key using a PKCS#12 file on each node. You can use "ipsec import file.p12" for that.
> 2) Also in the ipsec.secrets file is a password needed at the
>    : RSA nickname "?password?"
> My NSS database has a password but I haven't added a password to my left and right certs explicitly.
The importing deals with the password. Then it is in the NSS store and does not need a password itself. So just add :RSA "nickname" without specifying a password. In libreswan-3.13 or 3.14 you will be able to omit the entire entry in ipsec.secrets.
> 3) On the right side after running ipsec verify I receive this info where many more options appear to be enabled which seems odd.
>
>   XFRM larval drop                                        [OK]
>   Pluto ipsec.conf syntax                                 [OK]
>   Hardware random device                                  [N/A]
>   Two or more interfaces found, checking IP forwarding    [OK]
>   Checking rp_filter                                      [ENABLED]
>    /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
>    /proc/sys/net/ipv4/conf/dummy0/rp_filter               [ENABLED]
>    /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
>    /proc/sys/net/ipv4/conf/gre0/rp_filter                 [ENABLED]
>    /proc/sys/net/ipv4/conf/gretap0/rp_filter              [ENABLED]
>    /proc/sys/net/ipv4/conf/ip6_vti0/rp_filter             [ENABLED]
>    /proc/sys/net/ipv4/conf/ip6gre0/rp_filter              [ENABLED]
>    /proc/sys/net/ipv4/conf/ip6tnl0/rp_filter              [ENABLED]
>    /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
>    /proc/sys/net/ipv4/conf/sit0/rp_filter                 [ENABLED]
>    /proc/sys/net/ipv4/conf/teql0/rp_filter                [ENABLED]
>    /proc/sys/net/ipv4/conf/tunl0/rp_filter                [ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled
That is best disabled in /etc/sysctl.conf
> 4) In addition in the interoperability instructions it mentions adding this info to the loopback interface if running under EC2. Do you find it necessary?
>
>   /etc/sysconfig/network-scripts/ifcfg-lo:elastic:
>   DEVICE=lo:elastic
>   # use your elastic ip here
>   IPADDR=a.b.c.d
>   NETMASK=255.255.255.255
>   ONBOOT=yes
>   NAME=elasticIP
It is necessary if you need to build packets with that source ip to enter the tunnel. If your tunnel is for leftsubnet=10.1.2.0/24 you don't need it, but if your tunnel has leftsubnet=a.b.c.d/32 you need it.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
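The rp_filter point in question 3 is worth making concrete: "ipsec verify" flags every /proc/sys/net/ipv4/conf/*/rp_filter that is non-zero, and simply setting net.ipv4.conf.all.rp_filter = 0 is not enough, because the kernel applies the larger of the "all" value and the per-interface value, while "default" only seeds interfaces created later. The script below is an added example written for this page, not code from the thread or from libreswan. It reproduces the check over a conf tree whose root is passed as a parameter (the real /proc/sys/net/ipv4/conf on a live host, a constructed directory in the test) and emits the /etc/sysctl.conf lines that disable rp_filter on "all", "default" and every interface currently found enabled. The function names and the CONF tree parameter are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit rp_filter the way
# "ipsec verify" does and print the sysctl.conf lines that turn it off.
# Every function takes the root of the per-interface conf tree as $1, e.g.
# /proc/sys/net/ipv4/conf, so it can also be run against a constructed tree.

# Print "<iface> <value>" for every interface whose rp_filter is not 0.
# 0 = off, 1 = strict, 2 = loose; both 1 and 2 can drop decapsulated
# IPsec packets whose source does not route back out the same interface.
rp_filter_enabled_ifaces() {
    root="$1"
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue            # no match or unreadable entry
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        [ "$val" = "0" ] || printf '%s %s\n' "$iface" "$val"
    done
}

# Succeed (exit 0) only when no interface has rp_filter enabled.
rp_filter_is_clean() {
    [ -z "$(rp_filter_enabled_ifaces "$1")" ]
}

# Number of interfaces still enabled, for a one-line summary.
rp_filter_enabled_count() {
    rp_filter_enabled_ifaces "$1" | wc -l | tr -d ' '
}

# Lines to append to /etc/sysctl.conf. "all" and "default" are always
# emitted; the kernel uses max(all, iface), so each interface that is
# currently enabled also gets its own explicit line. sysctl(8) writes a
# dot inside an interface name (e.g. eth0.1) as a slash in the key.
rp_filter_sysctl_lines() {
    printf 'net.ipv4.conf.all.rp_filter = 0\n'
    printf 'net.ipv4.conf.default.rp_filter = 0\n'
    rp_filter_enabled_ifaces "$1" | while read -r iface _; do
        case "$iface" in
            all|default) ;;                # already emitted above
            *) printf 'net.ipv4.conf.%s.rp_filter = 0\n' \
                   "$(printf '%s' "$iface" | tr . /)" ;;
        esac
    done
}

# When run on a Linux host, report on the live kernel tree.
if [ -d /proc/sys/net/ipv4/conf ]; then
    n=$(rp_filter_enabled_count /proc/sys/net/ipv4/conf)
    if [ "$n" = "0" ]; then
        echo "rp_filter is disabled on all interfaces"
    else
        echo "rp_filter enabled on $n interface(s); append to /etc/sysctl.conf and run 'sysctl -p':"
        rp_filter_sysctl_lines /proc/sys/net/ipv4/conf
    fi
fi
```

Re-run "ipsec verify" after "sysctl -p"; the tunnel devices in the list above (gre0, sit0, tunl0 and friends) are module-created and pick up the "default" value, which is why that line matters as much as "all".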
