Re: [Swan] SELinux labeled ipsec
On Tue, 7 Feb 2017, Jeff Becker wrote:

It should not take a while. It is all instant. You might want to look at the logs to see what happened? Look for "pluto" logs in /var/log/secure.

Could this be the problem?

#grep errno /var/log/secure
Feb 7 23:20:15 dtn1 pluto[4320]: "dtsd-tunnel" #1: ERROR: netlink response for Del SA esp.71664063@198.9.7.198 included errno 3: No such process

That shows an IPsec SA that it expected to be there to be deleted was not there. That is odd, and I would expect to see an earlier message about a problem?

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan

Re: [Swan] SELinux labeled ipsec
On 02/06/2017 06:24 PM, Paul Wouters wrote:

On Sat, 4 Feb 2017, Jeff Becker wrote:

Spoke too soon. I reverted to the unlabeled tunnel to test something, then restarted the labeled tunnel (successfully). Once again I couldn't ping, but now tracepath didn't work either. When I run ipsec status, the tail of it shows:

000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink
000 198.9.7.199/32:8 -1-> 198.9.7.198/32:0 => %hold 0 %acquire-netlink

Can this be fixed so I get my route back? Thanks.

-jeff

For some reason, the connection comes up after waiting a while. I guess that's the time to acquire netlink? Thanks.

It should not take a while. It is all instant. You might want to look at the logs to see what happened? Look for "pluto" logs in /var/log/secure.

Could this be the problem?

#grep errno /var/log/secure
Feb 7 23:20:15 dtn1 pluto[4320]: "dtsd-tunnel" #1: ERROR: netlink response for Del SA esp.71664063@198.9.7.198 included errno 3: No such process

Thanks.

-jeff

Paul

[Swan-commit] Changes to ref refs/heads/master
New commits:
commit 82dbff05d4e08b1458ec682b1af49d3675c7c20c
Author: Andrew Cagney
Date: Tue Feb 7 16:16:33 2017 -0500

    cavp: declare header structs extern so there is no confusion over which .c file has the definition

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit

[Swan-commit] Changes to ref refs/heads/master
New commits:
commit c3f46766e724951527fd9ae82c0fb22eb43d7236
Author: Andrew Cagney
Date: Tue Feb 7 14:28:26 2017 -0500

    testing: add deleting test keys to 'make kvm-purge'

Re: [Swan-dev] simplifying default IKEv1 IKE algorithms
>> For the responder, when no ike=, it defaults to accepting almost
>> anything. That includes MD5, serpent, and twofish (but not cast,
>> which is ESP only).
>
> It should not include these three. Md5 is too weak and all md5 users
> do sha1. And serpent/twofish are weird ducks and should not be used
> unless explicitly configured.

Ok. That's a separate change; it will need some thought and libreswan in FIPS mode already behaves correctly (I'd like to avoid the obvious hack of adding hardwired switches to filter these out; perhaps a per-algorithm should_not flag similar to FIPS-compliant).

Andrew
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev

[Swan] Has this bug been reported yet?
Just installed a new server with ubuntu 16.04 on board and a fresh installation of libreswan 3.19 compiled as a deb package.

Tried to initialise the nss database with

ipsec initnss

and got the error:

/usr/sbin/ipsec: 319: /usr/sbin/ipsec: =0: not found
/usr/sbin/ipsec: 320: [: -ne: unexpected operator

Looks like a simple script error. Line 319 is

${rc}=$?

and changing it to

let ${rc}=$?

seems to fix the problem.

Regards

Tony Whyman
MWA

[Swan-commit] Changes to ref refs/heads/master
New commits:
commit c80d64fb2acdeee6fdac21a6d9cf850ff8c1faa9
Author: Andrew Cagney
Date: Tue Feb 7 11:02:44 2017 -0500

    testing: update algo-pluto-12-aes-default results for 256-bit keys

    Follow up to eb707e2fef44d04fcd067d8568dcfb18602b3579

[Swan-commit] Changes to ref refs/heads/master
New commits:
commit 2d046b1fd325455a0bf67625a13085513b847063
Author: Andrew Cagney
Date: Wed Jan 4 12:11:01 2017 -0500

    testing: prune some redundant (and not documented by 'make kvm-help') kvm targets