Libreswan - ipsec how to add MOBIKE support?


    [LAPTOP] Libreswan - ipsec how to add MOBIKE support?

    Dear team-members,

    How do I get MOBIKE kernel support in Kubuntu 20.04.1 LTS?

    I've got a vpn-ipsec setup successfully working using Libreswan.
    As soon as I activate MOBIKE in the config, the VPN will not start.
    It states:
    MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE && CONFIG_NET_KEY_MIGRATE

    As there isn't much info on the net how to get this kernel support, perhaps one of the members here can help me out.

    Thank you in advance.
    iosis

    Info about mobike at libreswan-man: (source: https://libreswan.org/man/ipsec.conf.5.html)
    mobike

    Whether to allow MOBIKE (RFC 4555) to enable a connection to migrate its endpoint without needing to restart the connection from scratch.
    This is used on mobile devices that switch between wired, wireless or mobile data connections.
    Current values are no (the default) or yes. Only connections acting as modecfgclient will allow the initiator to migrate using mobike.
    Only connections acting as modecfgserver will allow clients to migrate.

    VTI and MOBIKE might not work well when used together.

    software and os version
    Linux Libreswan 3.29 (netkey) on 5.4.0-58-generic
    Distributor ID: Ubuntu
    Description: Ubuntu 20.04.1 LTS
    Release: 20.04
    Codename: focal


    ipsec-configuration
    config setup
        plutodebug=none
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

    conn xs2examplecom
        authby=rsasig
        ikev2=insist
        narrowing=yes
        auto=start
        dpddelay=5m
        dpdtimeout=30m
        dpdaction=clear

        # mobike=yes

        right=%defaultroute
        rightcert=#########
        rightid=%fromcert
        rightrsasigkey=%cert
        rightxauthclient=yes
        rightmodecfgclient=yes

        left=example.com
        leftid=%fromcert
        leftsubnet=###.###.###.###/##
        leftxauthserver=yes
        leftmodecfgserver=yes
        leftca=%same

    #2
    https://github.com/libreswan/libreswan/issues/221

    Seems you would need to compile a kernel with the two options shown in the error message enabled


      #3
      Originally posted by claydoh:
      https://github.com/libreswan/libreswan/issues/221

      Seems you would need to compile a kernel with the two options shown in the error message enabled
      Thank you for this link, claydoh.

      MOBIKE has been supported for a long time in many kernels, but notably Debian / Ubuntu disables it.
      Does anybody know why MOBIKE is explicitly disabled?


        #4
        May need to search/ask on a more Ubuntu/kernel-specific venue on this one.
        Only thing I can find right off the bat is this:
        https://ubuntu.com/security/CVE-2017-11600
        But that is for a different kernel; I would assume the issue would be fixed in later versions.

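To see what the error message in this thread refers to, the kernel build configuration can be inspected for the two options it names. The script below is an added example, not part of the thread or of Libreswan; the function names are hypothetical, and it assumes the config is available at /boot/config-<release> or /proc/config.gz.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel build config for the
# two options named in the pluto error message.
MOBIKE_OPTS="CONFIG_XFRM_MIGRATE CONFIG_NET_KEY_MIGRATE"

# Print the config text; handles a gzip-compressed file such as /proc/config.gz.
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# opt_state FILE OPTION -> prints "y", "not set" or "absent".
# "absent" means the symbol does not appear in the file at all, which is how
# kconfig records an option whose dependencies are disabled.
opt_state() {
    read_kconfig "$1" | awk -v opt="$2" '
        $0 == (opt "=y")               { s = "y" }
        $0 == ("# " opt " is not set") { s = "not set" }
        END { print (s == "" ? "absent" : s) }'
}

# mobike_kernel_check [FILE]
# Returns 0 if both options are =y, 1 if either is not, 2 if no config is readable.
mobike_kernel_check() {
    if [ -n "$1" ]; then
        cfg=$1
    else
        # Assumed default locations: distro config in /boot, else /proc/config.gz.
        cfg="/boot/config-$(uname -r)"
        [ -r "$cfg" ] || cfg=/proc/config.gz
    fi
    [ -r "$cfg" ] || { echo "no readable kernel config: $cfg" >&2; return 2; }
    rc=0
    for opt in $MOBIKE_OPTS; do
        state=$(opt_state "$cfg" "$opt")
        echo "$opt: $state"
        [ "$state" = "y" ] || rc=1
    done
    return "$rc"
}
```

Source the file and call `mobike_kernel_check` with no argument to check the running kernel, or pass the `.config` of a kernel tree before building it.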