On Tue, 15 Jun 2021, Kozikowski, Mark wrote:
> I am a new user, and am trying to configure and run a libreswan Mesh instance.
Welcome :)
> Right now I have two nodes, and each is configured using the no-authorization setup as shown from the Libreswan wiki. I am using the exact ipsec.conf file from the wiki, except I am only using the clear-or-private:
> https://raw.githubusercontent.com/libreswan/libreswan/master/docs/examples/oe-upgrade-authnull.conf
>
> My problem seems to be related to FIPS. I noticed that /var/log/secure is stating that FIPS requires negotiationshunt and failureshunt to be dropped. I believe that this is causing no communication between the two nodes.
The authby=null setting is not allowed in FIPS mode. FIPS requires proper authentication of peers before it is allowed to send any encrypted traffic. You should probably use the certificate based OE/mesh setup, e.g.:

https://libreswan.org/wiki/HOWTO:_Enterprise_cloud_encryption
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec

In such a setup, each node has its own certificate and all nodes share the same trusted root certificate CA. So you can still add nodes to the mesh without reconfiguring all other nodes, since existing nodes and new nodes all share the same root of trust via their certificates.

Note that FIPS does not allow negotiationshunt=pass. That is, during the IKE negotiation, it is not possible to "leak" the traffic until the IPsec tunnel comes up. That can only be done in non-FIPS mode.

Paul

_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
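To make Paul's points concrete, here is the relevant conn stanza in the two forms side by side. This is an added illustration, not the wiki file Mark links to and not configuration Paul posted: stanza (a) is the shape of the authnull example that FIPS mode rejects, stanza (b) is the certificate-based equivalent with the shunts set to drop. The certificate nickname `node-cert` is a placeholder that must match the certificate imported into the node's NSS database, and only one of the two `clear-or-private` stanzas would be present in a real file (the name has to match the policy group file under /etc/ipsec.d/policies/).

```ini
# (a) authnull form, as in the upstream oe-upgrade-authnull example.
# FIPS mode refuses this twice over: authby=null never authenticates the
# peer, and the passthrough shunts let cleartext leave the host while IKE
# is still negotiating (negotiationshunt) or after it has failed
# (failureshunt).
conn clear-or-private
    type=tunnel
    left=%defaultroute
    leftid=%null
    right=%opportunisticgroup
    rightid=%null
    authby=null
    negotiationshunt=passthrough
    failureshunt=passthrough
    ikev2=insist
    auto=ondemand

# (b) certificate-based form acceptable in FIPS mode.
# Every node presents its own certificate, the peer's certificate must chain
# to the same CA as ours (rightca=%same), and both shunts are drop so that
# no packet goes out unencrypted before the IPsec SA exists. Adding a node
# only requires issuing it a certificate from the shared CA.
conn clear-or-private
    type=tunnel
    left=%defaultroute
    leftid=%fromcert
    # placeholder: nickname of this node's certificate in the NSS database
    leftcert=node-cert
    leftsendcert=always
    right=%opportunisticgroup
    rightid=%fromcert
    rightca=%same
    authby=rsasig
    negotiationshunt=drop
    failureshunt=drop
    ikev2=insist
    auto=ondemand
```

The security-relevant difference is the failure mode: with (a), traffic to a peer that never answers, or that fails authentication, silently falls back to cleartext; with (b) it is dropped, which is the behaviour the FIPS log message in /var/log/secure is demanding.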
