[Swan] labeled_ipsec RHEL6 <-> RHEL7 problem

Ted Toth txtoth at gmail.com
Fri Sep 26 17:05:23 EEST 2014


I'm trying to set up a RHEL6 and RHEL7 box to talk labeled ipsec but
it's not working completely. Here's my configuration on the RHEL6 box:
conn dot75
     authby=secret
     rekey=no
     type=transport
     keylife=3600s
     left=%defaultroute
     right=192.168.25.75
     auto=start
     phase2=esp
     phase2alg=aes-sha1
     labeled_ipsec=yes
     policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
     leftprotoport=tcp
     rightprotoport=tcp

The RHEL7 box uses the same except 'right' is the IP of the RHEL6 box.

When I try and ssh from RHEL6 to RHEL7 I get a connection timeout.
sshing from RHEL7 to RHEL6 works. If I don't use labeled_ipsec
everything works as expected. RHEL6 has libreswan-3.8-1.el6.x86_64 and
RHEL7 has libreswan-3.8-5.el7.x86_64. Any ideas on how to fix this problem?

Ted

