[Swan] labeled_ipsec RHEL6 <-> RHEL7 problem
Ted Toth
txtoth at gmail.com
Fri Sep 26 18:22:29 EEST 2014
Output of ipsec auto status on RHEL6. Shouldn't I see an established SA?
000 Connection list:
000
000 "dot75": 192.168.25.75<192.168.25.75>:6/0...%any:6/0; unrouted; eroute owner: #0
000 "dot75": unoriented; my_ip=unset; their_ip=unset
000 "dot75": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "dot75": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "dot75": labeled_ipsec:yes, loopback:no;
000 "dot75": policy_label:system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023;
000 "dot75": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "dot75": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "dot75": policy: PSK+ENCRYPT+PFS+DONT_REKEY+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "dot75": conn_prio: 32,32; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "dot75": dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "dot75": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "dot75": ESP algorithms wanted: AES(12)_000-SHA1(2)_000
000 "dot75": ESP algorithms loaded: AES(12)_000-SHA1(2)_000
000
000 Total IPsec connections: loaded 1, active 0
000
000 State list:
000
000 Shunt list:
000
On Fri, Sep 26, 2014 at 10:03 AM, Ted Toth <txtoth at gmail.com> wrote:
> Well now I don't think it's working. I wrote a simple socket
> server/client and in the client I call getpeercon which fails with:
> Traceback (most recent call last):
> File "simpleclient.py", line 6, in <module>
> (rc, con) = selinux.getpeercon(clientsocket.fileno())
> OSError: [Errno 92] Protocol not available
>
> I noticed in the output of 'ipsec auto status' a line
> 'SELinux=disabled'; what does this mean?
>
> Ted
>
> On Fri, Sep 26, 2014 at 9:30 AM, Ted Toth <txtoth at gmail.com> wrote:
>> Updated to libreswan-3.10-1.el6.x86_64 and it started working (I
>> think) as now I can ssh ...
>>
>> On Fri, Sep 26, 2014 at 9:05 AM, Ted Toth <txtoth at gmail.com> wrote:
>>> I'm trying to set up a RHEL6 and RHEL7 box to talk labeled ipsec but
>>> it's not working completely. Here's my configuration on the RHEL6 box:
>>> conn dot75
>>> authby=secret
>>> rekey=no
>>> type=transport
>>> keylife=3600s
>>> left=%defaultroute
>>> right=192.168.25.75
>>> auto=start
>>> phase2=esp
>>> phase2alg=aes-sha1
>>> labeled_ipsec=yes
>>> policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>>> leftprotoport=tcp
>>> rightprotoport=tcp
>>>
>>> The RHEL7 box uses the same except 'right' is the ip of the RHEL6 box.
>>>
>>> When I try to ssh from RHEL6 to RHEL7 I get a connection timeout.
>>> sshing from RHEL7 to RHEL6 works. If I don't use labeled_ipsec
>>> everything works as expected. RHEL6 has libreswan-3.8-1.el6.x86_64 and
>>> RHEL7 has libreswan-3.8-5.el7.x86_64. Any ideas on how to fix this problem?
>>>
>>> Ted
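The getpeercon() failure quoted in the thread, as an added example that is not code from the thread or from libreswan: the getsockopt(SO_PEERSEC) call that getpeercon() wraps, with ENOPROTOOPT (the Errno 92 above) treated as "the kernel has no label for this peer", plus a constructed loopback server/client pair to show what a client sees; the fallback value 31 for SO_PEERSEC is the Linux one and is an assumption.

```python
import errno
import socket
import threading

# libselinux's getpeercon() is a thin wrapper over getsockopt(SO_PEERSEC).
# CPython does not always export the constant; 31 is its Linux value (assumed).
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)


def peer_label(sock, buflen=256):
    """Return the peer security context of a connected socket, or None when
    the kernel has no label for the peer, i.e. no labeled IPsec SA carried the
    connection (or SELinux is off); the kernel reports that as ENOPROTOOPT."""
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, buflen)
    except OSError as e:
        if e.errno == errno.ENOPROTOOPT:
            return None
        raise
    label = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
    return label or None


def require_peer_label(sock):
    """Fail closed: a client that depends on the peer's MLS label must not
    carry on over a connection the kernel could not label."""
    label = peer_label(sock)
    if label is None:
        raise PermissionError("no peer context: labeled IPsec not in effect")
    return label


def probe_loopback():
    """Constructed check: a TCP server/client pair on 127.0.0.1, like the
    simple server/client in the thread, returning what the client sees."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)  # do not hang the acceptor if the connect fails
    acceptor = threading.Thread(target=lambda: srv.accept()[0].close())
    acceptor.start()
    cli = socket.create_connection(srv.getsockname())
    try:
        return peer_label(cli)
    finally:
        cli.close()
        acceptor.join()
        srv.close()
```

On a box where no labeled SA exists for the connection, probe_loopback() returns None rather than raising, which is the condition the traceback in the thread surfaces as Errno 92.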