[Swan] BAD_PROPOSAL_SYNTAX errors

Paul Wouters paul at nohats.ca
Tue Jan 27 03:52:14 EET 2015


On Mon, 26 Jan 2015, Ted Toth wrote:

> As I've mentioned before we're using label ipsec with SELinux MLS
> policy. On the clients I'm seeing:
>
> within_range: The sl (<selinux context>) is not within range of
> (<selinux context>)
> security context verification failed (perhaps policy_label is not
> configured for this connection)
>
> which I think is related to the BAD_PROPOSAL_SYNTAX errors. I got the
> source rpm for the openswan version we're using and started looking
> for the code that generates these messages but I haven't found it yet.
> Do you know where the within_range check occurs? The level is within
> the range but the user/role/type are different.

That's very possible. All the BAD_PROPOSAL_SYNTAX returns stem from
ikev1_spdb_struct.c (formerly spdb_v1_struct.c) problems. One of
those is reading the Oakley trans attributes, which I believe is
where the policy label is transferred.

Paul

