[Swan] labeled_ipsec RHEL6 <-> RHEL7 problem

Ted Toth txtoth at gmail.com
Fri Sep 26 18:22:29 EEST 2014


Output of ipsec auto status on RHEL6. Shouldn't I see an established SA?

000 Connection list:
000
000 "dot75": 192.168.25.75<192.168.25.75>:6/0...%any:6/0; unrouted; eroute owner: #0
000 "dot75":     unoriented; my_ip=unset; their_ip=unset
000 "dot75":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "dot75":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "dot75":   labeled_ipsec:yes, loopback:no;
000 "dot75":    policy_label:system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023;
000 "dot75":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "dot75":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "dot75":   policy: PSK+ENCRYPT+PFS+DONT_REKEY+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "dot75":   conn_prio: 32,32; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "dot75":   dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "dot75":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "dot75":   ESP algorithms wanted: AES(12)_000-SHA1(2)_000
000 "dot75":   ESP algorithms loaded: AES(12)_000-SHA1(2)_000
000
000 Total IPsec connections: loaded 1, active 0
000
000 State list:
000
000 Shunt list:
000

On Fri, Sep 26, 2014 at 10:03 AM, Ted Toth <txtoth at gmail.com> wrote:
> Well now I don't think it's working. I wrote a simple socket
> server/client and in the client I call getpeercon which fails with:
> Traceback (most recent call last):
>   File "simpleclient.py", line 6, in <module>
>     (rc, con) = selinux.getpeercon(clientsocket.fileno())
> OSError: [Errno 92] Protocol not available
>
> I noticed in the output of 'ipsec auto status' a line
> 'SELinux=disabled'; what does this mean?
>
> Ted
>
> On Fri, Sep 26, 2014 at 9:30 AM, Ted Toth <txtoth at gmail.com> wrote:
>> Updated to libreswan-3.10-1.el6.x86_64 and it started working (I
>> think) as now I can ssh ...
>>
>> On Fri, Sep 26, 2014 at 9:05 AM, Ted Toth <txtoth at gmail.com> wrote:
>>> I'm trying to set up a RHEL6 and RHEL7 box to talk labeled ipsec, but
>>> it's not working completely. Here's my configuration on the RHEL6 box:
>>> conn dot75
>>>      authby=secret
>>>      rekey=no
>>>      type=transport
>>>      keylife=3600s
>>>      left=%defaultroute
>>>      right=192.168.25.75
>>>      auto=start
>>>      phase2=esp
>>>      phase2alg=aes-sha1
>>>      labeled_ipsec=yes
>>>      policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>>>      leftprotoport=tcp
>>>      rightprotoport=tcp
>>>
>>> The RHEL7 box uses the same except 'right' is the ip of the RHEL6 box.
>>>
>>> When I try and ssh from RHEL6 to RHEL7 I get a connection timeout.
>>> sshing from RHEL7 to RHEL6 works. If I don't use labeled_ipsec
>>> everything works as expected. RHEL6 has libreswan-3.8-1.el6.x86_64 and
>>> RHEL7 has
>>> libreswan-3.8-5.el7.x86_64. Any ideas on how to fix this problem?
>>>
>>> Ted
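Two questions run through this thread: why `ipsec auto status` shows no SA, and why `getpeercon()` on the client socket fails with `Errno 92`. The script below is an added example, not code from the thread or from libreswan: it parses a status dump (a constructed sample, reassembled from the output quoted above) and lists the reasons no SA can exist yet, then opens a loopback TCP connection and asks the kernel for the peer's SELinux label the way `getpeercon()` does, mapping `ENOPROTOOPT` (no labeled SA or NetLabel on the path) to `None` instead of crashing. The `SO_PEERSEC` value 31 is assumed from Linux's asm-generic socket header, and the diagnosis strings are this example's own interpretation of pluto's fields (`unoriented`, empty `interface:`, `newest IPsec SA: #0`).

```python
import errno
import re
import socket
import sys

# Constructed sample: the "ipsec auto status" records from the thread, with the
# mail client's line wrapping undone so that every record starts with "000 ".
SAMPLE_STATUS = """\
000 Connection list:
000
000 "dot75": 192.168.25.75<192.168.25.75>:6/0...%any:6/0; unrouted; eroute owner: #0
000 "dot75":     unoriented; my_ip=unset; their_ip=unset
000 "dot75":   labeled_ipsec:yes, loopback:no;
000 "dot75":    policy_label:system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023;
000 "dot75":   conn_prio: 32,32; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "dot75":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 1, active 0
000
000 State list:
000
"""


def parse_status(text):
    """Extract, per connection, the fields needed to answer "why is there no SA?".

    Returns (conns, totals): conns maps a conn name to a dict, totals holds the
    'Total IPsec connections' counters.
    """
    conns = {}
    totals = {"loaded": None, "active": None}
    for raw in text.splitlines():
        line = raw[4:] if raw.startswith("000 ") else raw.strip()
        m = re.match(r'"([^"]+)":\s*(.*)', line)
        if m:
            name, body = m.groups()
            c = conns.setdefault(name, {"unoriented": False, "interface": "?",
                                        "isakmp_sa": None, "ipsec_sa": None,
                                        "labeled_ipsec": None})
            if body.startswith("unoriented"):
                c["unoriented"] = True
            mi = re.search(r"interface:\s*([^;]*);", body)
            if mi:
                c["interface"] = mi.group(1).strip() or None
            ms = re.search(r"newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)", body)
            if ms:
                c["isakmp_sa"], c["ipsec_sa"] = int(ms.group(1)), int(ms.group(2))
            ml = re.search(r"labeled_ipsec:(yes|no)", body)
            if ml:
                c["labeled_ipsec"] = ml.group(1) == "yes"
            continue
        mt = re.match(r"Total IPsec connections: loaded (\d+), active (\d+)", line)
        if mt:
            totals["loaded"], totals["active"] = int(mt.group(1)), int(mt.group(2))
    return conns, totals


def diagnose(conns, totals):
    """Turn the parsed status into human-readable findings (this example's reading of the fields)."""
    findings = []
    for name, c in conns.items():
        if c["unoriented"]:
            findings.append(f"{name}: unoriented (pluto could not match left=/right= to a local "
                            f"address; check %defaultroute resolution); it cannot be initiated")
        if c["interface"] is None:
            findings.append(f"{name}: no interface bound")
        if c["isakmp_sa"] == 0:
            findings.append(f"{name}: no ISAKMP/IKE SA")
        if c["ipsec_sa"] == 0:
            findings.append(f"{name}: no IPsec SA, so nothing is protected yet")
        if c["labeled_ipsec"]:
            findings.append(f"{name}: labeled_ipsec=yes; getpeercon() on this traffic "
                            f"returns ENOPROTOOPT until a labeled SA exists")
    if totals["active"] == 0:
        findings.append("no active connections")
    return findings


# Assumed value: 31 is SO_PEERSEC in Linux's asm-generic/socket.h (some
# architectures differ); used only if the Python socket module lacks the constant.
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)


def peer_label(sock):
    """Return the peer's SELinux context for a connected socket, or None when the
    kernel has no label for that peer (ENOPROTOOPT, the 'Errno 92' seen in the
    thread). Any other error propagates."""
    if not sys.platform.startswith("linux"):
        return None
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError as e:
        if e.errno == errno.ENOPROTOOPT:
            return None
        raise
    return raw.rstrip(b"\x00").decode("utf-8", "replace") or None


def probe_loopback_peer_label():
    """Connect over loopback TCP (no labeled IPsec on the path) and query the peer label."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    try:
        return peer_label(cli)
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    for finding in diagnose(*parse_status(SAMPLE_STATUS)):
        print(finding)
    print("loopback peer label:", probe_loopback_peer_label())
```

Run on a RHEL6 box in the state quoted above, the parser reports the connection as unoriented with no interface and SA numbers of #0, which is consistent with the `getpeercon()` failure: the kernel only has a peer label to hand back once a labeled SA covers the flow, so a client should treat `None` as "unlabeled path" rather than as a crash.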

