From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: Labeled IPSec trying to match policy for peer label?
Date: Sat, 6 Jul 2013 08:39:52 +0200
Message-ID: <20130706063952.GA29221@siphos.be>
In-Reply-To: <2894544.bL1dEvHUlK@sifl>
On Fri, Jul 05, 2013 at 04:50:41PM -0400, Paul Moore wrote:
> > spdadd 10.1.2.0/24 10.1.3.0/24 any -ctx 1 1
> > "system_u:object_r:ipsec_spd_t:s0" -P out ipsec
> > esp/tunnel/192.168.100.152-192.168.100.153/require;
> >
> > spdadd 10.1.3.0/24 10.1.2.0/24 any -ctx 1 1
> > "system_u:object_r:ipsec_spd_t:s0" -P in ipsec
> > esp/tunnel/192.168.100.153-192.168.100.152/require;
[...]
> Is the server side running the same SELinux policy as the client? Does the
> server have a SPD entry that is labeled, e.g. '-ctx 1 1
> "system_u:object_r:ipsec_spd_t:s0"'?
Yes, both sides have the same setkey instructions (only the in/out is
switched) and are running the same SELinux policy & type. The racoon
configurations are also the same (of course each one with the right
addresses in the remote { ... } and sainfo { ... } definitions).
I am assuming nothing needs to be changed on racoon when running regular
IPSec or labeled IPSec? In any case, here is one of the configs:
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE SA) parameters for the peer gateway
remote 192.168.100.153
{
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

# Phase 2 (IPsec SA) parameters for the tunnelled subnets
sainfo address 10.1.2.0/24 any address 10.1.3.0/24 any
{
    pfs_group modp768;
    encryption_algorithm 3des, blowfish 448, rijndael;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
I am using ipsec-tools 0.8.0 built with --enable-security-context. There are
a few additional patches applied by the distribution ("sysctl", "def-psk"
and "include-vendoridh").
I'll be trying with ipsec-tools 0.8.1 later today.
Wkr,
Sven Vermeulen
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
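The arrangement described in the mail above (both gateways carry the same labeled SPD entries with only the in/out direction switched) is easy to get subtly wrong on one side, and a peer whose policy matches on addresses but carries a different or missing -ctx is exactly the kind of asymmetry that shows up only as a failed policy match at negotiation time. The following is an added example, not code from the thread or from ipsec-tools: it parses setkey(8) spdadd statements from two hosts and reports every policy the peer does not mirror with an identical security context. It assumes only "ipsec <proto>/tunnel/<ep1>-<ep2>/<level>" rules; the sample inputs are constructed from the addresses quoted in the thread, and the unlabeled peer variant is a constructed failure case.

```python
"""Check that two peers' labeled-IPsec SPD entries mirror each other.

Added example (not from the thread or ipsec-tools): every spdadd policy on
one host must appear on the peer with the same selector, tunnel endpoints
and -ctx label, and only the direction flipped (out <-> in).
Assumption: only 'ipsec <proto>/tunnel/<ep1>-<ep2>/<level>' rules occur.
"""
import dataclasses
import re
from typing import List, Optional, Tuple

# A statement may be wrapped over several lines; each one ends with ';'.
_SPDADD = re.compile(
    r'spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)'
    r'(?:\s+-ctx\s+(?P<doi>\d+)\s+(?P<alg>\d+)\s+"(?P<ctx>[^"]*)")?'
    r'\s+-P\s+(?P<dir>in|out|fwd)\s+(?P<ptype>\w+)(?:\s+(?P<rule>\S+))?$'
)
_TUNNEL = re.compile(r'^(?P<proto>\w+)/tunnel/(?P<ep1>[^-]+)-(?P<ep2>[^/]+)/(?P<level>\w+)$')


@dataclasses.dataclass(frozen=True)
class SpdEntry:
    src: str
    dst: str
    upper: str
    ctx: Optional[Tuple[int, int, str]]  # (doi, alg, context); None if unlabeled
    direction: str
    proto: str
    ep1: str
    ep2: str
    level: str


def parse_spd(text: str) -> List[SpdEntry]:
    """Parse all spdadd statements ('#' comments ignored) from setkey input."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    entries = []
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())  # rejoin a wrapped statement onto one line
        if not stmt:
            continue
        m = _SPDADD.match(stmt)
        if not m:
            raise ValueError(f"unparsed statement: {stmt!r}")
        t = _TUNNEL.match(m.group("rule") or "")
        if m.group("ptype") != "ipsec" or not t:
            raise ValueError(f"only 'ipsec <proto>/tunnel/...' rules are handled: {stmt!r}")
        ctx = None
        if m.group("ctx") is not None:
            ctx = (int(m.group("doi")), int(m.group("alg")), m.group("ctx"))
        entries.append(SpdEntry(m.group("src"), m.group("dst"), m.group("upper"), ctx,
                                m.group("dir"), t.group("proto"), t.group("ep1"),
                                t.group("ep2"), t.group("level")))
    return entries


def expected_peer(e: SpdEntry) -> SpdEntry:
    """The peer's counterpart: same selector, endpoints and label, direction flipped."""
    return dataclasses.replace(e, direction={"out": "in", "in": "out"}[e.direction])


def check_peer_mirror(local: str, peer: str) -> List[str]:
    """Return one problem string per local policy the peer does not mirror exactly."""
    peer_entries = parse_spd(peer)
    problems = []
    for e in parse_spd(local):
        if e.direction == "fwd":
            continue
        want = expected_peer(e)
        if want in peer_entries:
            continue
        key = (want.src, want.dst, want.direction)
        near = [p for p in peer_entries if (p.src, p.dst, p.direction) == key]
        tag = f"{e.direction} {e.src}->{e.dst}"
        if not near:
            problems.append(f"{tag}: no mirrored {want.direction} policy on peer")
        elif near[0].ctx != e.ctx:
            problems.append(f"{tag}: peer label {near[0].ctx} != local {e.ctx}")
        else:
            problems.append(f"{tag}: peer policy differs in endpoints/protocol/level")
    return problems


def flip_directions(text: str) -> str:
    """Swap '-P out' and '-P in', i.e. derive the peer's config as the mail describes."""
    return text.replace("-P out", "-P OUT").replace("-P in", "-P out").replace("-P OUT", "-P in")


# Constructed sample input using the addresses quoted in the thread.
HOST_A = """
spdadd 10.1.2.0/24 10.1.3.0/24 any -ctx 1 1
    "system_u:object_r:ipsec_spd_t:s0" -P out ipsec
    esp/tunnel/192.168.100.152-192.168.100.153/require;
spdadd 10.1.3.0/24 10.1.2.0/24 any -ctx 1 1
    "system_u:object_r:ipsec_spd_t:s0" -P in ipsec
    esp/tunnel/192.168.100.153-192.168.100.152/require;
"""
HOST_B_OK = flip_directions(HOST_A)
# Constructed failure case: the peer forgot -ctx on both policies.
HOST_B_UNLABELED = flip_directions(re.sub(r'\s*-ctx 1 1\s+"[^"]*"', "", HOST_A))

if __name__ == "__main__":
    print("peer ok:", check_peer_mirror(HOST_A, HOST_B_OK))  # []
    print("peer unlabeled:", check_peer_mirror(HOST_A, HOST_B_UNLABELED))
```

Run it against `setkey -DP` output captured from both gateways; an empty list means the peer holds the exact counterpart of every local policy, label included, so a remaining match failure has to be looked for in the IKE daemon (build options, patches) rather than in the SPD.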
Thread overview: 9+ messages
2013-07-05 18:39 Labeled IPSec trying to match policy for peer label? Sven Vermeulen
2013-07-05 20:50 ` Paul Moore
2013-07-06 6:39 ` Sven Vermeulen [this message]
2013-07-06 12:41 ` Sven Vermeulen
2013-07-06 15:40 ` Chad Hanson
2013-07-06 19:21 ` Sven Vermeulen
2013-07-06 20:53 ` Joe Nall
2013-07-07 8:33 ` Labeled IPSec trying to match policy for peer label? (solved) Sven Vermeulen
2013-07-07 14:53 ` Chad Hanson