Libreswan Opportunistic IPsec using LetsEncrypt: Difference between revisions

Latest revision as of 18:30, 23 August 2019

Introduction

Libreswan Opportunistic IPsec using LetsEncrypt is a project created during Google Summer of Code 2019. It adds a letsencrypt utility to the ipsec command. The letsencrypt program wraps the various utilities required to establish and control an Opportunistic Encryption (OE) connection. It has several features, each of which is used by running a specified {command} with a specified [argument].

It is a program in libreswan that integrates libreswan with the Opportunistic Encryption utilities. The script provides various OE functionality, e.g., initial OE setup, testing the configuration and connection, and generating and updating Let's Encrypt certificates. Details about the utilities and how to use them are available in the wiki page Documentation: Libreswan Opportunistic IPsec using LetsEncrypt, which also includes sample output for each {command} and [argument].

Implementation

Various functionalities of the project are listed below:

  • Can establish secure OE (Opportunistic Encryption) connections between two hosts (client and server).
  • Checks whether the OE connection was established successfully.
  • Easy to install on the hosts (client and server).
  • Can test OE connections between two hosts.
  • Checks if certbot is installed (on the server).
  • Can generate Let's Encrypt certificates for the server using certbot.
  • Generates the certbot configuration for reusing the private key.
  • Enables automatic renewal of the generated certificates using crontabs, keeping the same private key.
  • Manual updating of keys is also implemented.
  • Generates the PKCS#12 file.
  • Imports the generated certificates into the NSS database to be used for OE.
  • Downloads the Let's Encrypt CA and intermediate certificates.
  • Saves the default client/server configuration.
  • Displays the OE connection status to the user.
  • Displays the certificates installed in the NSS database.
  • Disables ipsec and deletes the configuration files saved in /etc/ipsec.d.
  • Provides details about the various available utilities, {commands} and [arguments].

Source code

The source code of Libreswan Opportunistic IPsec using LetsEncrypt is merged in the master branch of the libreswan repository (https://github.com/libreswan/libreswan). The commits made for the development of the project include "letsencrypt: Added "ipsec letsencrypt" command" (https://github.com/libreswan/libreswan/commit/e9ecb49534310336e800c7a90fd03f5a86c2d699) and "testing: updated TESTLIST" (https://github.com/libreswan/libreswan/commit/ede549206262b8846f7d73d53fc2f87b2e7782ba).

All the project's commits are listed at https://github.com/libreswan/libreswan/commits?author=Rishabh04-02 (Libreswan Opportunistic IPsec using LetsEncrypt Commits).

The original developer of the program is Rishabh (https://github.com/Rishabh04-02). The project was developed under the guidance and mentorship of Paul Wouters and Tuomo Soini. Google sponsored this project as part of the Google Summer of Code 2019 program (https://summerofcode.withgoogle.com/).

Future Scope

The following items are planned future work for the project:

  • Reloading certificates in NSS currently requires restarting IPsec.
  • Option for testing the connection against any custom server.
  • Enabling server-to-server communication.
  • Fixing the issue where two tunnels are up for the same connection after the server or client restarts or crashes.
  • Adding functionality to choose from multiple configurations for clients and servers.
  • Auto-detecting whether the other host is a server or a client and choosing from the available configurations accordingly.
  • Adding functionality to fix commonly found issues automatically, e.g., when the user has more than one configuration file in the /etc/ipsec.d directory, or when there is no host IP in policies/private-*.

License

This project is licensed under the GNU General Public License v2.0 (https://github.com/libreswan/libreswan/blob/master/LICENSE).