<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi. Using libreswan, I was able to set up an unlabeled ipsec tunnel
    between two CentOS 7.3 hosts. <br>
    <br>
    #ipsec auto --up dtsd-tunnel<br>
    002 "dtsd-tunnel" #1: initiating Main Mode<br>
    104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer
    Detection]<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]<br>
    002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method
    RFC 3947 (NAT-Traversal)<br>
    002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state
    STATE_MAIN_I2<br>
    106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
    003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947
    (NAT-Traversal) sender port 500: no NAT detected<br>
    002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state
    STATE_MAIN_I3<br>
    108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]<br>
    002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR:
    '198.9.7.198'<br>
    002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
    STATE_MAIN_I4<br>
    004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
    {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}<br>
    002 "dtsd-tunnel" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
    {using isakmp#1 msgid:c9e4e68c proposal=defaults
    pfsgroup=OAKLEY_GROUP_MODP2048}<br>
    117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate<br>
    002 "dtsd-tunnel" #2: transition from state STATE_QUICK_I1 to state
    STATE_QUICK_I2<br>
    004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
    tunnel mode {ESP=>0x84e265d2 <0xf8a7ae74
    xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}<br>
    <br>
    However, if I add the following to my ipsec.conf...<br>
    <br>
            labeled-ipsec=yes<br>
            policy-label=unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0<br>
    <br>
    restart ipsec on both sides, add the new tunnel and try to bring it
    up, I get:<br>
    <br>
    #ipsec auto --up dtsd-tunnel<br>
    002 "dtsd-tunnel" #1: initiating Main Mode<br>
    104 "dtsd-tunnel" #1: STATE_MAIN_I1: initiate<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [Dead Peer
    Detection]<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [FRAGMENTATION]<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [RFC 3947]<br>
    002 "dtsd-tunnel" #1: enabling possible NAT-traversal with method
    RFC 3947 (NAT-Traversal)<br>
    002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I1 to state
    STATE_MAIN_I2<br>
    106 "dtsd-tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
    003 "dtsd-tunnel" #1: NAT-Traversal: Result using RFC 3947
    (NAT-Traversal) sender port 500: no NAT detected<br>
    002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I2 to state
    STATE_MAIN_I3<br>
    108 "dtsd-tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
    003 "dtsd-tunnel" #1: received Vendor ID payload [CAN-IKEv2]<br>
    002 "dtsd-tunnel" #1: Main mode peer ID is ID_IPV4_ADDR:
    '198.9.7.198'<br>
    002 "dtsd-tunnel" #1: transition from state STATE_MAIN_I3 to state
    STATE_MAIN_I4<br>
    004 "dtsd-tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
    {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}<br>
    002 "dtsd-tunnel" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
    {using isakmp#1 msgid:aebe28a6 proposal=defaults
    pfsgroup=OAKLEY_GROUP_MODP2048}<br>
    117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate<br>
    003 "dtsd-tunnel" #2: ERROR: netlink XFRM_MSG_UPDPOLICY response for
    flow tun.10000@198.9.7.199 included errno 22: Invalid argument<br>
    002 "dtsd-tunnel" #2: raw_eroute() in setup_half_ipsec_sa() failed
    to add inbound<br>
    <br>
    I chose the policy-label from the example in the latest SELinux
    notebook (<a class="moz-txt-link-freetext" href="https://selinuxproject.org/page/Category:Notebook">https://selinuxproject.org/page/Category:Notebook</a>). Not
    sure if that's the issue, or if it's something else. Please advise.
    Thanks.<br>
    <br>
    Jeff Becker
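    <br>
    An added example, not part of the message above and not libreswan's own
    code: a small shell script that checks the pieces involved in the failing
    run before ipsec is restarted. It verifies that a policy-label has the
    user:role:type:level shape of an SELinux context, pulls the errno out of
    the pluto netlink error line so it can be named, and confirms that the
    conn in ipsec.conf actually carries labeled-ipsec=yes together with a
    policy-label. The ipsec.conf fragment and the log lines embedded in it
    are constructed from the message above (the label and addresses are the
    ones shown there); the live checks in check_host (a
    CONFIG_SECURITY_NETWORK_XFRM entry in /boot/config-$(uname -r),
    getenforce, seinfo -t) are assumptions about what a CentOS 7 gateway
    provides and are skipped when the tool or file is absent.<br>
    <br>
```shell
#!/bin/sh
# Added example (not from the original post or from libreswan): pre-flight
# checks for a libreswan labeled-IPsec conn. The sample conf and log lines
# below are constructed from the mailing-list message; the live checks in
# check_host are assumptions about a CentOS 7 host and are skipped when the
# tools are missing.

# Constructed ipsec.conf fragment (label and addresses taken from the log).
SAMPLE_CONF='conn dtsd-tunnel
    left=198.9.7.199
    right=198.9.7.198
    authby=rsasig
    labeled-ipsec=yes
    policy-label=unconfined.user:msg_filter.role:msg_filter.ext_gateway.process:s0
    auto=add'

# Constructed pluto output, copied from the failing "ipsec auto --up" run.
SAMPLE_LOG='117 "dtsd-tunnel" #2: STATE_QUICK_I1: initiate
003 "dtsd-tunnel" #2: ERROR: netlink XFRM_MSG_UPDPOLICY response for flow tun.10000@198.9.7.199 included errno 22: Invalid argument
002 "dtsd-tunnel" #2: raw_eroute() in setup_half_ipsec_sa() failed to add inbound'

# Syntax check only: user:role:type:level[:categories]. Whether the type is
# known to the loaded policy is a separate question (see check_host).
selinux_ctx_valid() {
    printf '%s\n' "$1" | grep -Eq \
      '^[a-z_][a-zA-Z0-9_.]*:[a-z_][a-zA-Z0-9_.]*:[a-z_][a-zA-Z0-9_.]*:s[0-9]+(-s[0-9]+)?(:c[0-9]+(\.c[0-9]+)?(,c[0-9]+(\.c[0-9]+)?)*)?$'
}

# Print the policy-label of the named conn if that conn also has
# labeled-ipsec=yes; return 1 otherwise. Reads ipsec.conf text on stdin.
conn_policy_label() {
    awk -v want="$1" '
      /^[ \t]*conn[ \t]/ { cur = $2; next }
      cur == want && /^[ \t]*labeled-ipsec[ \t]*=[ \t]*yes/ { lab = 1 }
      cur == want && /^[ \t]*policy-label[ \t]*=/ {
          sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); label = $0
      }
      END { if (lab && label != "") { print label; exit 0 } exit 1 }'
}

# Name the errno that pluto reports for a failed XFRM_MSG_* netlink call.
# Reads pluto output on stdin; prints NONE when no such line is present.
xfrm_errno_name() {
    num=$(sed -n 's/.*netlink XFRM_MSG_[A-Z]* response .* included errno \([0-9]*\):.*/\1/p' | head -n 1)
    case "$num" in
        "") echo NONE ;;
        13) echo EACCES ;;
        17) echo EEXIST ;;
        22) echo EINVAL ;;
        *)  echo "ERRNO_$num" ;;
    esac
}

# Live checks (assumed CentOS 7 layout; each step is skipped when the tool
# or file is absent). An EINVAL on XFRM_MSG_UPDPOLICY with a label present
# is worth checking against these before suspecting the label string itself.
check_host() {
    type=$(printf '%s' "$1" | cut -d: -f3)
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_SECURITY_NETWORK_XFRM=y' "$cfg" \
            || echo "WARN: CONFIG_SECURITY_NETWORK_XFRM not enabled in $cfg"
    fi
    command -v getenforce >/dev/null 2>&1 && echo "SELinux mode: $(getenforce)"
    if command -v seinfo >/dev/null 2>&1; then
        seinfo -t "$type" 2>/dev/null | grep -q "$type" \
            || echo "WARN: type $type is not in the loaded policy"
    fi
}

label=$(printf '%s\n' "$SAMPLE_CONF" | conn_policy_label dtsd-tunnel) \
    || echo "conn dtsd-tunnel lacks labeled-ipsec=yes or policy-label"
if selinux_ctx_valid "$label"; then
    echo "policy-label syntax ok: $label"
else
    echo "policy-label is not a user:role:type:level context: $label"
fi
echo "pluto netlink errno: $(printf '%s\n' "$SAMPLE_LOG" | xfrm_errno_name)"
if [ "${1:-}" = --host ]; then
    check_host "$label"
fi
```
    <br>
    Run it on the gateway with --host to execute the live checks as well.
    The syntax check only says that the string is shaped like a context;
    whether msg_filter.ext_gateway.process exists in the policy loaded on
    that host is what seinfo -t answers, and a kernel built without
    CONFIG_SECURITY_NETWORK_XFRM cannot accept a labelled xfrm policy at
    all.<br>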
  </body>
</html>