<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi. Using libreswan, I was able to set up an unlabeled ipsec tunnel
between two CentOS 7.3 hosts. <br>
<br>
#ipsec auto --up dtsd-tunnel<br>
002 "dtsd-tunnel" #1: initiating Main Mode<br>
104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer
Detection]<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]<br>
002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method
RFC 3947 (NAT-Traversal)<br>
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2<br>
106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal) sender port 500: no NAT detected<br>
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3<br>
108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]<br>
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR:
'198.9.7.198'<br>
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4<br>
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}<br>
002 "dtsd-tunnel" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
{using isakmp#1 msgid:c9e4e68c proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}<br>
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate<br>
002 "dtsd-tunnel" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2<br>
004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode {ESP=>0x84e265d2 <0xf8a7ae74
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}<br>
<br>
However, if I add the following to my ipsec.conf...<br>
<br>
labeled-ipsec=yes<br>
policy-label=unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0<br>
<br>
restart ipsec on both sides, add the new tunnel and try to bring it
up, I get:<br>
<br>
#ipsec auto --up dtsd-tunnel<br>
002 "dtsd-tunnel" #1: initiating Main Mode<br>
104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer
Detection]<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]<br>
002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method
RFC 3947 (NAT-Traversal)<br>
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2<br>
106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal) sender port 500: no NAT detected<br>
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3<br>
108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]<br>
002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR:
'198.9.7.198'<br>
002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4<br>
004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}<br>
002 "dtsd-tunnel" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
{using isakmp#1 msgid:aebe28a6 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}<br>
117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate<br>
003 "dtsd-tunnel" #2: ERROR: netlink XFRM_MSG_UPDPOLICY response for
flow tun.10000@198.9.7.199 included errno 22: Invalid argument<br>
002 "dtsd-tunnel" #2: raw_eroute() in setup_half_ipsec_sa() failed
to add inbound<br>
<br>
I chose the policy-label from the example in the latest SELinux
notebook (<a class="moz-txt-link-freetext" href="https://selinuxproject.org/page/Category:Notebook">https://selinuxproject.org/page/Category:Notebook</a>). Not
sure if that's the issue, or if it's something else. Please advise.
Thanks.<br>
<br>
Jeff Becker
<br>
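<br>
Two checks worth running before chasing an errno 22 on XFRM_MSG_UPDPOLICY with labeled IPsec: whether the policy-label is a well-formed user:role:type:level context, and whether the kernel's loaded policy actually knows that context. The snippet below is an added example, not code from the post or from libreswan; the kernel check writes to /sys/fs/selinux/context, which is what libselinux's security_check_context() does, while the context grammar (dotted identifiers, optional MLS range) is an approximation I assume here. It also pulls the conn, SA number, netlink message type, flow and errno out of the ERROR line of the whack output quoted above.

```python
import errno
import os
import re

POLICY_LABEL = "unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0"  # from the post
SELINUXFS_CONTEXT = "/sys/fs/selinux/context"  # node used by libselinux security_check_context()

# user:role:type[:level]; identifiers may be dotted (CIL namespaces such as msg_filter.role)
# and the level may be an MLS range with categories (s0-s0:c0.c1023). Grammar is an approximation.
_IDENT = r"[A-Za-z_][\w.\-]*"
_CATS = r"c\d+(?:[.,]c\d+)*"
_LEVEL = rf"s\d+(?::{_CATS})?(?:-s\d+(?::{_CATS})?)?"
_CONTEXT_RE = re.compile(
    rf"^(?P<user>{_IDENT}):(?P<role>{_IDENT}):(?P<type>{_IDENT})(?::(?P<level>{_LEVEL}))?$"
)
# libreswan whack line reporting a failed netlink XFRM request
_XFRM_ERR_RE = re.compile(
    r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): ERROR: netlink (?P<msg>XFRM_MSG_\w+) '
    r"response for flow (?P<flow>\S+) included errno (?P<errno>\d+)"
)

def parse_context(label):
    """Split a security context into fields; None if it is not even well formed."""
    m = _CONTEXT_RE.match(label)
    return m.groupdict() if m else None

def kernel_accepts_context(label, path=SELINUXFS_CONTEXT):
    """True/False if the loaded policy knows the context (the selinuxfs write fails
    with EINVAL for unknown contexts); None when selinuxfs is not mounted here."""
    if not os.path.exists(path):
        return None
    fd = os.open(path, os.O_RDWR)  # needs root (or a policy allowing the write)
    try:
        os.write(fd, label.encode() + b"\0")
        return True
    except OSError as e:
        if e.errno == errno.EINVAL:
            return False
        raise
    finally:
        os.close(fd)

def find_xfrm_errors(whack_output):
    """(conn, sa, netlink msg, flow, errno) for each XFRM ERROR line of ipsec auto --up."""
    return [
        (m["conn"], int(m["sa"]), m["msg"], m["flow"], int(m["errno"]))
        for m in map(_XFRM_ERR_RE.match, whack_output.splitlines()) if m
    ]
```

A False from kernel_accepts_context() on the gateway means the label itself would be rejected before any XFRM policy is installed; a True narrows the search to the xfrm/SELinux policy rules for that flow.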
</body>
</html>