[Swan] SELinux labeled ipsec
Jeff Becker
jeffrey.c.becker at nasa.gov
Thu Feb 2 21:36:51 UTC 2017
Hi. Using libreswan, I was able to set up an unlabeled ipsec tunnel
between two CentOS 7.3 hosts.
#ipsec auto --up dtsd-tunnel
002 "dtsd-tunnel" #1: initiating Main Mode
104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate
003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]
003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]
002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method RFC
3947 (NAT-Traversal)
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal) sender port 500: no NAT detected
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '198.9.7.198'
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG
cipher=aes_256 integ=sha group=MODP2048}
002 "dtsd-tunnel" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
{using isakmp#1 msgid:c9e4e68c proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
002 "dtsd-tunnel" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode {ESP=>0x84e265d2 <0xf8a7ae74 xfrm=AES_128-HMAC_SHA1
NATOA=none NATD=none DPD=passive}
However, if I add the following to my ipsec.conf...
labeled-ipsec=yes
policy-label=unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0
restart ipsec on both sides, add the new tunnel and try to bring it up,
I get:
#ipsec auto --up dtsd-tunnel
002 "dtsd-tunnel" #1: initiating Main Mode
104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate
003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]
003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]
002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method RFC
3947 (NAT-Traversal)
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal) sender port 500: no NAT detected
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '198.9.7.198'
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG
cipher=aes_256 integ=sha group=MODP2048}
002 "dtsd-tunnel" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
{using isakmp#1 msgid:aebe28a6 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
003 "dtsd-tunnel" #2: ERROR: netlink XFRM_MSG_UPDPOLICY response for
flow tun.10000 at 198.9.7.199 included errno 22: Invalid argument
002 "dtsd-tunnel" #2: raw_eroute() in setup_half_ipsec_sa() failed to
add inbound
I chose the policy-label from the example in the latest SELinux notebook
(https://selinuxproject.org/page/Category:Notebook). Not sure if that's
the issue, or if it's something else. Please advise. Thanks.
Jeff Becker
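The two transcripts above differ only after STATE_QUICK_I1: the unlabeled run reaches STATE_QUICK_I2 with an ESP SA, the labeled run stops when pluto's netlink XFRM_MSG_UPDPOLICY request is rejected with errno 22 (EINVAL) before the inbound SA is added. The following script is an added example, not code from the post or from libreswan: it re-joins the mail-wrapped `ipsec auto --up` output, summarises the outcome (ISAKMP SA, IPsec SA, last IKE state, peer ID, SPIs, any netlink error) and splits the configured policy-label into the SELinux context fields that pluto passes to the kernel. The sample text embedded below is copied from the post; the function and field names are my own.

```python
"""Summarise libreswan (pluto) `ipsec auto --up` output and pick out XFRM errors.

Added example; the helper names are assumptions, not libreswan APIs.
"""
import re
from typing import Dict, List, Optional

# pluto's terminal lines: three-digit RC code, quoted connection name, state-object number.
_LINE_RE = re.compile(r'^(?P<rc>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
_NETLINK_ERR_RE = re.compile(
    r"ERROR: netlink (?P<op>XFRM_MSG_\w+) response for flow (?P<flow>.+?) "
    r"included errno (?P<errno>\d+): (?P<strerror>.*)$")
_ESP_RE = re.compile(r"ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)")
_PEER_RE = re.compile(r"peer ID is (?P<kind>\w+): '(?P<id>[^']+)'")
_STATE_RE = re.compile(r"\bSTATE_[A-Z0-9_]+\b")


def join_wrapped(text: str) -> List[str]:
    """Re-join lines that the mail client wrapped.

    A continuation line lacks the `NNN "conn" #n:` prefix, so it is glued
    onto the previous logical line.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        raw = raw.rstrip()
        if not raw:
            continue
        if _LINE_RE.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw.lstrip()
    return lines


def summarize(text: str) -> Dict[str, object]:
    """Reduce a transcript to the facts an operator checks first."""
    summary: Dict[str, object] = {
        "isakmp_sa": False, "ipsec_sa": False, "last_state": None,
        "peer_id": None, "spi_out": None, "spi_in": None, "netlink_error": None,
    }
    for line in join_wrapped(text):
        m = _LINE_RE.match(line)
        if not m:
            continue  # the `#ipsec auto --up ...` command line, etc.
        msg = m.group("msg")
        states = _STATE_RE.findall(msg)
        if states:
            summary["last_state"] = states[-1]  # target state on transition lines
        peer = _PEER_RE.search(msg)
        if peer:
            summary["peer_id"] = peer.group("id")
        if "ISAKMP SA established" in msg:
            summary["isakmp_sa"] = True
        if "IPsec SA established" in msg:
            summary["ipsec_sa"] = True
            esp = _ESP_RE.search(msg)
            if esp:
                summary["spi_out"], summary["spi_in"] = esp.group("out"), esp.group("in")
        err = _NETLINK_ERR_RE.search(msg)
        if err:
            summary["netlink_error"] = {
                "op": err.group("op"), "flow": err.group("flow"),
                "errno": int(err.group("errno")), "strerror": err.group("strerror"),
            }
    return summary


def parse_policy_label(label: str) -> Dict[str, str]:
    """Split a policy-label into the user:role:type:level fields of an SELinux context.

    maxsplit=3 keeps an MLS range such as `s0-s0:c0.c1023` intact in `level`.
    """
    parts = label.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a user:role:type:level context: {label!r}")
    return dict(zip(("user", "role", "type", "level"), parts))


# Sample transcripts copied from the post (wrapped as they appear in the mail).
UNLABELED = """#ipsec auto --up dtsd-tunnel
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '198.9.7.198'
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG
cipher=aes_256 integ=sha group=MODP2048}
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode {ESP=>0x84e265d2 <0xf8a7ae74 xfrm=AES_128-HMAC_SHA1
NATOA=none NATD=none DPD=passive}
"""

LABELED = """#ipsec auto --up dtsd-tunnel
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '198.9.7.198'
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG
cipher=aes_256 integ=sha group=MODP2048}
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
003 "dtsd-tunnel" #2: ERROR: netlink XFRM_MSG_UPDPOLICY response for
flow tun.10000 at 198.9.7.199 included errno 22: Invalid argument
002 "dtsd-tunnel" #2: raw_eroute() in setup_half_ipsec_sa() failed to
add inbound
"""

if __name__ == "__main__":
    for name, text in (("unlabeled", UNLABELED), ("labeled", LABELED)):
        print(name, summarize(text))
    print(parse_policy_label(
        "unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0"))
```

Run stand-alone it prints both summaries; the labeled one shows `isakmp_sa` true, `ipsec_sa` false and the netlink error with errno 22, which locates the failure in the kernel's acceptance of the XFRM policy rather than in IKE negotiation.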