On Wednesday 13 February 2008 3:37:26 pm Clarkson, Mike R (US SSA) wrote:
> Thanks for your response. I do need the full TE information, so I
> tried to set up labeled IPSec over localhost/loopback. Have you done
> this before?

Yes, but I can't say I recommend it. It's painful, but if you need the full
SELinux context it's your only option at present.

> I'm an IPSec novice. I'm trying to set up IPSec in transport mode,
> using raccoon to set up the SAs, but I don't seem to be getting SAs.
> I'm not sure why.

The first thing that jumps to mind is that XFRM (the Linux IPsec
implementation) is probably disabled on the loopback device (the default
setting). Run the following two commands to enable XFRM over loopback:

 # echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
 # echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy

> Here is my raccoon.conf file and
> the file that I "setkey -f":
>
> raccoon.conf:
> path pre_shared_key "/root/ipsec/psk.txt";
> remote anonymous {
>     exchange_mode main;
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm md5;
>         authentication_method pre_shared_key;
>         dh_group modp1024;
>     }
> }
> sainfo address 25.25.25.25 any address 127.0.0.1 any {
>     pfs_group modp768;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }
> sainfo address 127.0.0.1 any address 25.25.25.25 any {
>     pfs_group modp768;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }

Nothing looks wrong, but it's been a while since I have configured IPsec,
so I'm probably not the best syntax checker. However, I've attached a
sample racoon.conf file that is part of the audit-test suite* that was used
for the HP LSPP evaluation, which made use of IPsec over loopback.

* http://sourceforge.net/projects/audit-test

> Setkey commands:
> spdflush;
> flush;
> spdadd 127.0.0.1 25.25.25.25 ip4
>     -ctx 1 1 "system_u:object_r:default_t:s0"
>     -P in ipsec esp/transport//require;
> spdadd 25.25.25.25 127.0.0.1 ip4
>     -ctx 1 1 "system_u:object_r:default_t:s0"
>     -P out ipsec esp/transport//require;
>
> Do you see errors?

I'm not sure your spdadd lines are correct; as an example, here are two
lines that I've used in the past for a TCP server running on %REMOTE_IPV4%
on port 5300.

 spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5300] tcp
     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023"
     -P out ipsec ah/transport//require;
 spdadd %REMOTE_IPV4%[5300] %LOCAL_IPV4% tcp
     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023"
     -P in ipsec ah/transport//require;

The main difference is the "tcp" instead of "ip4", but that doesn't mean
what you have is wrong. When in doubt, check the audit log for AVC denials
and the racoon debugging output. If you run across something interesting,
send me some mail to the list and we can probably help you figure it out.

-- 
paul moore
linux security @ hp
[Attachment: racoon.conf]

#
# This file contains the IKE configuration for the IPsec subsystem

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

######################################################################
# LSPP Test Configuration
######################################################################

remote anonymous {
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    lifetime time 2 hours;
    initial_contact on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des, aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
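The loopback XFRM check and the labeled spdadd pattern from the reply above, as an added example that is not part of the thread or of the audit-test suite: a small POSIX shell helper that verifies the two lo sysctls and emits a pair of labeled SPD entries (one per direction) ready for "setkey -f". The port, the SELinux context string and the choice of ESP over AH are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the audit-test suite): check that
# XFRM is enabled on the loopback device and emit labeled SPD entries for
# a TCP service, following the spdadd pattern shown in the reply above.
# The port, context string and ESP choice below are constructed assumptions.

# Succeed (return 0) only when disable_xfrm and disable_policy both read 0
# under the given sysctl directory; defaults to the real lo device.
xfrm_enabled_on() {
    dir=${1:-/proc/sys/net/ipv4/conf/lo}
    for f in disable_xfrm disable_policy; do
        [ -r "$dir/$f" ] || return 1
        [ "$(cat "$dir/$f")" = "0" ] || return 1
    done
    return 0
}

# Print a setkey script: flush both databases, then one outbound and one
# inbound labeled entry for TCP traffic from $1 to $2 port $3. In "-ctx 1 1"
# the numbers are the DOI and the labeling algorithm (1 = SELinux); $4 is
# the context that the policy's socket labels are matched against.
gen_spd() {
    local_ip=$1 remote_ip=$2 port=$3 ctx=$4
    printf 'spdflush;\nflush;\n'
    printf 'spdadd %s %s[%s] tcp -ctx 1 1 "%s" -P out ipsec esp/transport//require;\n' \
        "$local_ip" "$remote_ip" "$port" "$ctx"
    printf 'spdadd %s[%s] %s tcp -ctx 1 1 "%s" -P in ipsec esp/transport//require;\n' \
        "$remote_ip" "$port" "$local_ip" "$ctx"
}

# Usage: warn if loopback XFRM is off, then print the policy for a local
# service on port 5300 (a constructed example), ready for "setkey -f".
main() {
    if ! xfrm_enabled_on; then
        echo "warning: XFRM is disabled on lo; write 0 to disable_xfrm and disable_policy first" >&2
    fi
    gen_spd 127.0.0.1 127.0.0.1 5300 "system_u:object_r:ipsec_spd_t:s0"
}

main "$@"
```

Pipe the output into "setkey -f /dev/stdin" (or save it to a file) on the host once the warning no longer appears; the inbound and outbound entries deliberately mirror each other's source and destination.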