
I'm currently working to create a testbed in VirtualBox for two VMs with an isolated opportunistic IPSec network with LibreSwan. All services are coming up fine, but network traffic between the two VMs doesn't seem to actually be encrypted. If I should post this in another Exchange website, please let me know!

I'm following instructions as listed on the libreswan website for opportunistic encryption:

https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec#Authentication

Here's my relevant configuration:

Vagrantfile:

Vagrant.configure("2") do |config|

  # Common configuration
  config.vm.box = "centos/7"

  # First machine in IPSec network, named "bast"
  config.vm.define "bast" do |bast|
    bast.vm.hostname = "bast"
    bast.vm.network "private_network", ip: "192.168.50.2"
    bast.vm.provider "virtualbox" do |v|
      v.name = "bast"
    end
  end

  # Second machine in IPSec network, named "kvothe"
  config.vm.define "kvothe" do |kvothe|
    kvothe.vm.hostname = "kvothe"
    kvothe.vm.network "private_network", ip: "192.168.50.3"
    kvothe.vm.provider "virtualbox" do |v|
      v.name = "kvothe"
    end
  end

end

...and on each machine:

ipsec.conf

config setup
    protostack=netkey
    #plutodebug="all"
    logfile=/var/log/pluto.log

include /etc/ipsec.d/*.conf

/etc/ipsec.d/oe-certificate.conf

conn private
        # IPsec mandatory
        rightrsasigkey=%cert
        rightauth=rsasig
        right=%opportunisticgroup
        rightca=%same
        left=%defaultroute
        leftauth=rsasig
        leftcert=myhostname
        leftid=%fromcert
        narrowing=yes
        type=tunnel
        ikev2=insist
        auto=ondemand
        # tune remaining options to taste - fail fast to prevent packet loss to the app
        negotiationshunt=hold
        failureshunt=drop
        # 0 means infinite tries
        keyingtries=0
        retransmit-timeout=3s

/etc/ipsec.d/policies/private

192.168.50.0/24

I've also verified that /etc/ipsec.d/policies/{private-or-clear,clear,block,clear-or-private} are all blank, and that there are no other *.conf files in /etc/ipsec.d/ other than oe-certificate.conf.

When I execute ping -I eth1 192.168.50.3 (the private VirtualBox subnet I'm utilizing runs on eth1 inside the VM) from 192.168.50.2, there's no output from ipsec whack --trafficstatus, and the output of ipsec whack --shuntstatus is:

000 Bare Shunt list:
000  

Let me know if having the output of /var/log/pluto.log and/or ipsec status would help - everything seemed clean in those files.

My best guess so far is that there's something funky with the NAT-ing of the VirtualBox network, and that libreswan isn't picking up that the connection is supposed to be encrypted.

I don't have iptables, firewalld or SELinux enabled.

Thanks in advance!
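One way to check what the kernel will actually do with a packet from bast to kvothe, independent of what pluto reports: read the XFRM policy database and pick the highest-precedence outbound policy that matches the pair. This is an added example, not part of the question or of libreswan; the sample text is constructed in the format `ip xfrm policy` prints (an assumption about iproute2's output layout), and the priorities and the "drop" entry for 192.168.50.9 are made up to show a failureshunt=drop policy beside the group's ESP policy.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `ip xfrm policy` output for the testbed above (format assumed):
# the 192.168.50.0/24 group is covered by an ESP tunnel policy in both directions,
# and one peer (192.168.50.9, made up) has a more specific "action block" policy,
# which is what a failureshunt=drop looks like to the kernel.
SAMPLE_XFRM_POLICY = """\
src 192.168.50.0/24 dst 192.168.50.0/24
\tdir out priority 1042407 ptype main
\ttmpl src 192.168.50.2 dst 192.168.50.3
\t\tproto esp reqid 16389 mode tunnel
src 192.168.50.0/24 dst 192.168.50.0/24
\tdir in priority 1042407 ptype main
\ttmpl src 192.168.50.3 dst 192.168.50.2
\t\tproto esp reqid 16389 mode tunnel
src 192.168.50.2/32 dst 192.168.50.9/32
\tdir out action block priority 1040351 ptype main
"""

def parse_xfrm_policy(text):
    """Turn `ip xfrm policy` text into a list of dicts: selector, direction, action, templates."""
    policies, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", s)
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "dir": None, "action": "allow", "priority": None, "tmpl": []}
            policies.append(cur)
        elif s.startswith("dir ") and cur is not None:
            # "dir out priority N ..." or "dir out action block priority N ..."
            m = re.match(r"dir (\S+)(?: action (\S+))? priority (\d+)", s)
            cur["dir"], cur["action"], cur["priority"] = m.group(1), m.group(2) or "allow", int(m.group(3))
        elif s.startswith("proto ") and cur is not None:
            m = re.match(r"proto (\S+).*?mode (\S+)", s)  # template line, e.g. "proto esp ... mode tunnel"
            cur["tmpl"].append((m.group(1), m.group(2)))
    return policies

def outbound_treatment(policies, src_ip, dst_ip):
    """'esp-<mode>' if the kernel will encrypt, 'drop' if a block shunt wins, 'clear' if no policy matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if p["dir"] == "out" and src in p["src"] and dst in p["dst"]]
    if not matches:
        return "clear"                      # no outbound policy at all: plaintext leaves the box
    best = min(matches, key=lambda p: p["priority"])   # lower number wins in XFRM
    if best["action"] == "block":
        return "drop"
    for proto, mode in best["tmpl"]:
        if proto == "esp":
            return "esp-" + mode
    return "clear"

if __name__ == "__main__":
    live = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True, check=True).stdout
    print(outbound_treatment(parse_xfrm_policy(live), sys.argv[1], sys.argv[2]))
```

Run as root on bast (`python3 xfrm_check.py 192.168.50.2 192.168.50.3`): "clear" means the kernel has no policy for the pair and the ping in the question went out unencrypted regardless of what pluto negotiated.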
