Commit 38b9a05

Richard Haines authored and pcmoore committed
network_support: Update LibreSwan configuration
Update ipsec.conf file that describes the labeled ipsec entries.

Signed-off-by: Richard Haines <[email protected]>
[PM: added a missing comment '#']
Signed-off-by: Paul Moore <[email protected]>
1 parent e67de66 commit 38b9a05

1 file changed, +43 -2 lines changed

src/network_support.md

Lines changed: 43 additions & 2 deletions
@@ -452,11 +452,52 @@ Context type identifier has never been defined in any standard. Pluto is
452452
configurable and defaults to '*32001*', this is the IPSEC Security
453453
Association Attribute identifier reserved for private use. Racoon is
454454
hard coded to a value of '*10*', therefore the pluto ***ipsec.conf**(5)*
455-
file must be configured as follows:
455+
configuration file *secctx-attr-type* entry must be set as shown in the
456+
following example:
456457

457458
```
458459
config setup
459-
secctx-attr-type=10
460+
protostack=netkey
461+
plutodebug=all
462+
logfile=/var/log/pluto/pluto.log
463+
logappend=no
464+
# A "secctx-attr-type" MUST be present:
465+
secctx-attr-type=10
466+
# Labeled IPSEC only supports the following values:
467+
# 10 = ECN_TUNNEL - Used by racoon(8)
468+
# 32001 = Default - Reserved for private use (see RFC 2407)
469+
# These are the "IPSEC Security Association Attributes"
470+
471+
conn selinux_labeled_ipsec_test
472+
# ikev2 MUST be "no" as labeled ipsec is not yet supported by IKEV2
473+
# There is a draft IKEV2 labeled ipsec document (July '20) at:
474+
# https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03
475+
ikev2=no
476+
auto=start
477+
rekey=no
478+
authby=secret # set in '/etc/ipsec.secrets'. See NOTE
479+
type=transport
480+
left=192.168.1.198
481+
right=192.168.1.148
482+
ike=aes256-sha2 # See NOTE
483+
phase2=esp
484+
phase2alg=aes256 # See NOTE
485+
# The 'policy-label' entry is used to determine whether SELinux will
486+
# allow or deny the request using the labels from:
487+
# connection policy label from the applicable SAD entry
488+
# connection flow label from the applicable SPD entry (this is taken
489+
# from the 'conn <name> policy-label' entry).
490+
# selinux_check_access(SAD, SPD, "association", "polmatch", NULL);
491+
policy-label=system_u:object_r:ipsec_spd_t:s0
492+
leftprotoport=tcp
493+
rightprotoport=tcp
494+
495+
# NOTE:
496+
# The authentication methods and encryption algorithms should be chosen
497+
# with care and within the constraints of those available for
498+
# interoperability.
499+
# Racoon is no longer actively supported and has a limited choice of
500+
# algorithms compared to LibreSwan.
460501
```
461502

462503
The Fedora version of racoon has added functionality to support
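Review bot: the example `config setup` block now ships with `plutodebug=all`, `logappend=no` and the connection with `rekey=no`, but nothing in the surrounding comments says these are test-only settings; since the NOTE block at the end already warns about algorithm choice, add one line there stating that full pluto debug logging to `/var/log/pluto/pluto.log` and disabled rekeying are for the `selinux_labeled_ipsec_test` connection only and should not be carried into a production `ipsec.conf`. In the `secctx-attr-type` comments, the entry `# 10 = ECN_TUNNEL - Used by racoon(8)` would read more clearly if it spelled out the consequence of the prose above (that no standard defines the label attribute): `10` is the registered ECN_TUNNEL attribute number being reused by racoon, so it should be selected only when interoperating with racoon, and the `32001` private-use default kept otherwise. Minor: the trailing comment `# These are the "IPSEC Security Association Attributes"` sits after the two values it describes; moving it above `# 10 = ...` keeps the list self-explanatory.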
