Libreswan-xfrm-kernel-support

From Libreswan
Jump to navigation Jump to search

Here are gory details for Linux kernel support that you may run into. One recurring theme when Linux Kernel IPsec get a new feature usually the default is "N". And the distributions take that. However, when librewan start using the new feature we or someone often need to chase the various distributions get this feature enabled. The challenge of this model, as far as I see, is the libreswan, a userland application, has no easy way to require a kernel config option to be enabled or disabled.

Linux XFRM support

Recommended for modern generic kernel, say 4.14 or later

XFRMI 4.19 or later (libreswan 3.28)

# CONFIG_NET_KEY is not set
# CONFIG_NET_KEY_MIGRATE is not set

CONFIG_NFT_XFRM=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_TUNNEL=y

CONFIG_XFRM=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_INTERFACE=y
CONFIG_XFRM_IPCOMP=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_OFFLOAD=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_USER=y
CONFIG_XFRM_SUB_POLICY=y
CONFIG_INET6_XFRM_TUNNEL=y

CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_XCBC=y
CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_SHA1_SSSE3=y
CONFIG_CRYPTO_SHA256_SSSE3=y
CONFIG_CRYPTO_SHA512_SSSE3=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=y
CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_SEED=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_ASYMMETRIC_KEY_TYPE=y

CONFIG_NET_IPIP=y
CONFIG_NET_IP_TUNNEL=y

CONFIG_INET_IPCOMP
CONFIG_XFRM_ESPINTCP # may be

CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y

CONFIG_INET_ESP_OFFLOAD=y #not only for XFRM HW but also for GRO layer 2 offload

CONFIG_INET6_ESP=y
CONFIG_INET6_IPCOMP=y

known issues

CONFIG_XFRM_STATISTICS 3.28

Some distributions, as of may 2019, #CONFIG_XFRM_STATISTICS is not set. This cause a run time error with libreswan "No XFRM kernel interface detected". You need a couple of patches or enable this in kernel. This is specific to libreswan 3.28. 3.29 has fixes for this issue. However, it is really good idea to enable

Mobike CONFIG_XFRM_MIGRATE does not work on Ubuntu

Linux kernel support mobike for ages possibly since 2.x. However some distributions has CONFIG_XFRM_MIGRATE disabled. One could argue mobike is securtiy risk hence it should be disabled. However, it is a risk probably fora a group of enviroments. And possibly the group that need mobike disabled is tweaking the kernel to their needs. So I think the major distributions should enable it. It is not enabled for historic reasons. Debian 10, Buster default kernels support mobike. There is open feature request 1835891


Mobike possible security issue

A possible security issue - some one create a IPsec connection to a LAN while physically(or wifi) connected to an administratively allowed network. Say special project allows VPN only when you present at a site. When MOBIKE is administratively allowed in kernel and libreswan, one could move this IPsec/VPN to their 3G connection and take the IPsec/VPN connection outside the permitted LAN, say home. Now this VPN keeps connection from any where. Many users don't have such setup. Because of that I argue the default kernel of distributions should allow MOBIKE.


Distribtions Default .cofig or the fragments

xfrm Kernel git repositories

Kernel configuration related bug reports and commits

Debian

Ubuntu

OpenWRT

  • Not supported yet, closed Feature request [1]