Libreswan Opportunistic IPsec using LetsEncrypt

From Libreswan
Revision as of 06:21, 14 August 2019 by Rishabh Chaudhary (talk | contribs) (future scope added)
Jump to navigation Jump to search

Introduction

Libreswan Opportunistic IPsec using LetsEncrypt is a project created during Google Summer of Code 2019. It adds a utility letsencrypt to the ipsec. letsencrypt invokes any of several utilities involved in controlling the Opportunistic Encryption system, running the specified {command} with the specified [argument] as if it had been invoked directly.

e.g. ipsec letsencrypt -h lists the available commands.

It is a program in libreswan, which integrates libreswan with Opportunistic Encryption utilities. The script provides various OE functionality e.g. initial OE setup, testing configuration/connection, generating and updating Let's Encrypt certificates. The details about the utilities and using them can be found in the Documentation: Libreswan Opportunistic IPsec using LetsEncrypt . Also, the documentation includes the sample output for each {command} and [argument].

Implementation

Various functionalities of the project are listed below:

  • Can establish the secure OE (Opportunistic Encryption) connections between two hosts (client and server).
  • Checks for the success in establishing the OE connection.
  • Easy to install on the hosts (client and server).
  • Can test OE connections between two hosts.
  • Checks if certbot is installed (on the server).
  • Can generate Let's Encrypt certificates for the server using certbot.
  • Generates the certbot configuration for reusing the private key.
  • Enables automatic update of the generated certificates using cron tabs, keeping the private key same.
  • Manual updating of keys also implemented.
  • Generates the #pkcs12 file.
  • Imports the generated certificates into NSS Database to be used for OE.
  • Downloads the LetsEncrypt CA and intermediate certificates.
  • Saves the default client/server configuration.
  • Displays OE connection status to the user.
  • Displays the certificates installed in NSS database.
  • Provides details about various available utilities, {commands} and [arguments].

Source code

The source code of Libreswan Opportunistic IPsec using LetsEncrypt is available at Github:Libreswan-Opportunistic-IPsec. The original developer of the program is Rishabh. The project was developed under the expert guidance/mentorship of Paul Wouters & Tuomo Soini. This project was sponsored by Google as a part of Google Summer of Code 2019 Program.

Future Scope

Following are the future Scopes of the project:

  • NSS certificates reload needs to restart IPSec.
  • Option for testing connection for any custom server.
  • Enabling server to server communication.
  • Fixing the issue when 2 tunnels are up for the same connection, whenever the server/client restarts or crashes.
  • Adding functionality to choose from multiple configurations for clients and servers.
  • Auto detecting whether the other host is server or client and choose from the available configurations accordingly.
  • Add functionality to fix the commonly found issues automatically. E.g. when the user has more than one configuration files in /etc/ipsec.d directory OR when there is no host ip in policies/private-*.

License

This project is Licensed under GNU General Public License v2.0.

Retrieved from "https://libreswan.org/wiki/index.php?title=Libreswan_Opportunistic_IPsec_using_LetsEncrypt&oldid=21703"