On 02/03/2017 04:57 PM, Paul Wouters wrote:
> On Fri, 3 Feb 2017, Jeff Becker wrote:
>
>> Our test configuration uses:
>> policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
>>
>> I got the above (actually
>> policy-label=system_u:object_r:ipsec_spd_t:s0) to work by fixing an
>> AVC denial. Now when I bring up the tunnel I see:
>>
>> 004 "dtsd-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
>> tunnel mode {ESP=>0xc01ab79f <0x4f6e6b26 xfrm=AES_128-HMAC_SHA1
>> NATOA=none NATD=none DPD=passive}
>>
>> I don't see anything above that indicates that labeled ipsec is being
>> used,
>
> Yeah, we don't display every single property but I'll look at adding a
> "labeled" prefix, so it says "IPsec SA established labeled tunnel mode".
>
> You should see the label in "ip xfrm pol".
>
>> but maybe that's OK. Anyhow, after setting this up, I can't seem to
>> ping the other side of the tunnel (I was able to ping in the case
>> without labeled ipsec). Any suggestions are appreciated. Thanks.
>
> My guess would be that your ping is either not covered by the tunnel, or
> you are using ICMP packets with the wrong label?

I fixed another AVC denial disallowing polmatch for scontext
unlabeled_t and tcontext ipsec_spd_t. I tried the ping again, and it
still didn't work. Then I tried running tracepath, which did work. After
that, the ping started working. Thanks.

-jeff

> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
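Paul's suggestion is to confirm labeled IPsec from the kernel side rather than from the pluto status line. The following is an added example (not code from the thread or from libreswan) that counts how many installed XFRM policies carry an SELinux security context; it assumes iproute2 prints a labeled policy's context on a line starting with "security context", and the sample policy dump is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example: verify that the XFRM policies installed for a tunnel are
# labeled, i.e. that labeled IPsec is actually in effect.
# ASSUMPTION: `ip xfrm policy` prints each policy starting with "src ... dst ..."
# and, for a labeled policy, an indented "security context <ctx>" line.

# Read `ip xfrm policy` text on stdin, print "<labeled>/<total>", and return 0
# only when every policy carries a security context.
count_labeled_policies() {
    awk '
        /^src /                          { total++ }
        /^[[:space:]]*security context / { labeled++ }
        END {
            printf "%d/%d\n", labeled, total
            if (total > 0 && labeled == total) exit 0
            exit 1
        }
    '
}

# Constructed sample: one policy labeled as a
# policy-label=system_u:object_r:ipsec_spd_t:s0 conn would install it,
# and one unlabeled policy for the reverse direction.
SAMPLE_XFRM_POLICY='src 10.1.0.0/24 dst 10.2.0.0/24
    security context system_u:object_r:ipsec_spd_t:s0
    dir out priority 1042407 ptype main
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 1042407 ptype main
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 16389 mode tunnel
'

# Runs the check over the constructed sample; expected output is 1/2 with a
# non-zero exit status because the inbound policy has no label.
check_sample() {
    printf '%s' "$SAMPLE_XFRM_POLICY" | count_labeled_policies
}

# On a live host: ip xfrm policy | count_labeled_policies
```

A mix such as 1/2 means traffic in one direction is matched by an unlabeled policy, which is the kind of mismatch that shows up as a polmatch AVC denial against unlabeled_t.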