Ted Toth txtoth at gmail.com
Tue Jan 27 02:22:53 EET 2015

As I've mentioned before we're using label ipsec with SELinux MLS
policy. On the clients I'm seeing:

within_range: The sl (<selinux context>) is not within range of
(<selinux context>)
security context verification failed (perhaps policy_label is not
configured for this connection)

which I think is related to the BAD_PROPOSAL_SYNTAX errors. I got the
source rpm for the openswan version we're using and started looking
for the code that generates these messages but I haven't found it yet
do you know where the within_range check occurs? The level is within
the range but the user/role/type are different.


On Mon, Jan 26, 2015 at 3:47 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 26 Jan 2015, Ted Toth wrote:
>> We're seeing a lot of BAD_PROPOSAL_SYNTAX messages:
>> #801055: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
>> msgid=00000000
>> Should I be concerned about these? If I see these does it mean that
>> SA's will take longer to establish?
> It would be interesting to see more about what is bad about them. Do the
> pluto logs say anymore more?
> Are the clients connecting swan clients or other clients?
> BAD_PROPOSAL_SYNTAX should be a rare event, not a common event.
> Paul

More information about the Swan mailing list