Libreswan Opportunistic IPsec using LetsEncrypt: Difference between revisions

From Libreswan
Jump to navigation Jump to search
mNo edit summary
No edit summary
Line 25: Line 25:
* Displays OE connection status to the user.
* Displays OE connection status to the user.
* Displays the certificates installed in NSS database.
* Displays the certificates installed in NSS database.
* Disables ipsec and deletes configuration files saved in /etc/ipsec.d.
* Provides details about various available utilities, {commands} and [arguments].
* Provides details about various available utilities, {commands} and [arguments].



Revision as of 08:16, 23 August 2019

Introduction

Libreswan Opportunistic IPsec using LetsEncrypt is a project created during Google Summer of Code 2019. It adds a utility letsencrypt to the ipsec. letsencrypt invokes any of several utilities involved in controlling the Opportunistic Encryption system, running the specified {command} with the specified [argument] as if it had been invoked directly.

e.g. ipsec letsencrypt --help lists all the available commands.

It is a program in libreswan, which integrates libreswan with Opportunistic Encryption utilities. The script provides various OE functionality e.g. initial OE setup, testing configuration/connection, generating and updating Let's Encrypt certificates. The details about the utilities and using them can be found in the Documentation: Libreswan Opportunistic IPsec using LetsEncrypt . Also, the documentation includes the sample output for each {command} and [argument].

Implementation

Various functionalities of the project are listed below:

  • Can establish the secure OE (Opportunistic Encryption) connections between two hosts (client and server).
  • Checks for the success in establishing the OE connection.
  • Easy to install on the hosts (client and server).
  • Can test OE connections between two hosts.
  • Checks if certbot is installed (on the server).
  • Can generate Let's Encrypt certificates for the server using certbot.
  • Generates the certbot configuration for reusing the private key.
  • Enables automatic update of the generated certificates using cron tabs, keeping the private key same.
  • Manual updating of keys also implemented.
  • Generates the #pkcs12 file.
  • Imports the generated certificates into NSS Database to be used for OE.
  • Downloads the LetsEncrypt CA and intermediate certificates.
  • Saves the default client/server configuration.
  • Displays OE connection status to the user.
  • Displays the certificates installed in NSS database.
  • Disables ipsec and deletes configuration files saved in /etc/ipsec.d.
  • Provides details about various available utilities, {commands} and [arguments].

Source code

The source code of Libreswan Opportunistic IPsec using LetsEncrypt is merged in the master branch of the libreswan repository. The commits made for the development of the project are available at the following url's:

All the above commits are also available at this url Libreswan Opportunistic IPsec using LetsEncrypt Commits

The original developer of the program is Rishabh. The project was developed under the expert guidance/mentorship of Paul Wouters & Tuomo Soini. This project was sponsored by Google as a part of Google Summer of Code 2019 Program.

Future Scope

Following are the future Scopes of the project:

  • NSS certificates reload needs to restart IPSec.
  • Option for testing connection for any custom server.
  • Enabling server to server communication.
  • Fixing the issue when 2 tunnels are up for the same connection, whenever the server/client restarts or crashes.
  • Adding functionality to choose from multiple configurations for clients and servers.
  • Auto detecting whether the other host is server or client and choose from the available configurations accordingly.
  • Add functionality to fix the commonly found issues automatically. E.g. when the user has more than one configuration files in /etc/ipsec.d directory OR when there is no host ip in policies/private-*.

License

This project is Licensed under GNU General Public License v2.0.