As I've mentioned before, we're using label ipsec with SELinux MLS policy. On the clients I'm seeing:

within_range: The sl (<selinux context>) is not within range of (<selinux context>)
security context verification failed (perhaps policy_label is not configured for this connection)

which I think is related to the BAD_PROPOSAL_SYNTAX errors. I got the source rpm for the openswan version we're using and started looking for the code that generates these messages, but I haven't found it yet. Do you know where the within_range check occurs? The level is within the range but the user/role/type are different.

Ted

On Mon, Jan 26, 2015 at 3:47 PM, Paul Wouters <[email protected]> wrote:
> On Mon, 26 Jan 2015, Ted Toth wrote:
>
>> We're seeing a lot of BAD_PROPOSAL_SYNTAX messages:
>> #801055: ignoring informational payload, type BAD_PROPOSAL_SYNTAX
>> msgid=00000000
>>
>> Should I be concerned about these? If I see these does it mean that
>> SAs will take longer to establish?
>
>
> It would be interesting to see more about what is bad about them. Do the
> pluto logs say any more?
>
> Are the clients connecting swan clients or other clients?
>
> BAD_PROPOSAL_SYNTAX should be a rare event, not a common event.
>
> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
