[Swan] SELinux labeled ipsec
Jeff Becker
jeffrey.c.becker at nasa.gov
Tue Feb 7 23:24:19 UTC 2017
On 02/06/2017 06:24 PM, Paul Wouters wrote:
> On Sat, 4 Feb 2017, Jeff Becker wrote:
>
>>> Spoke too soon. I reverted to the unlabeled tunnel to test something, then
>>> restarted the labeled tunnel (successfully). Once again I couldn't ping,
>>> but now tracepath didn't work either. When I run ipsec status, the tail of
>>> it shows:
>>>
>>> 000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
>>> 000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
>>>
>>> Can this be fixed so I get my route back? Thanks.
>>>
>>> -jeff
>>
>> For some reason, the connection comes up after waiting a while. I
>> guess that's the time to acquire netlink? Thanks.
>
> It should not take a while. It is all instant. You might want to look at
> the logs to see what happened? Look for "pluto" logs in /var/log/secure.
Could this be the problem?
#grep errno /var/log/secure
Feb 7 23:20:15 dtn1 pluto[4320]: "dtsd-tunnel" #1: ERROR: netlink response for Del SA esp.71664063 at 198.9.7.198 included errno 3: No such process
Thanks.
-jeff
>
> Paul