On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: >> I am working to get the labelled IPSec working, following Josh >> Brindle's blog post >> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). >> I just want to get the client and server running on loopback, using a >> fully patched Fedora 10 machine. >> >> I have the following keyfile that I pass into setkey: >> ---------- >> spdflush; >> >> flush; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P in ipsec esp/transport//require; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P out ipsec esp/transport//require; >> ---------- >> >> I enter the following commands: >> >> --- Terminal 1 --- >> setenforce 0 >> setkey -f <keyfile> >> ./server >> >> --- Terminal 2 --- >> # ./client 127.0.0.1 >> getpeercon: Protocol not available >> Received: Hello, (null) from (null) >> >> --- Terminal 1 --- >> getsockopt: Protocol not available >> server: got connection from 127.0.0.1, (null) >> >> Not sure what I am missing. I have installed ipsec-tools and started >> /etc/init.d/racoon. >> >> Any help would be appreciated. > > IPSEC and loopback don't generally get along very well. Try: > echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy > echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm > > Might want to also read through an old bug report on this issue, > https://bugzilla.redhat.com/show_bug.cgi?id=218386 > > -- > Stephen Smalley > National Security Agency > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. > >From what I remember, I just used(ipsec-tools) /etc/ipsec.conf to deal with the key exchange, and handling of AH and ESP encapsulation(racoon is another approach) main area is setting up the keys so the two machines can exchange. google around to find an already configured ipsec.conf(saves you the energy of going crazy with a long line of numbers) this way you just need to set the ip's. At the moment I've been trying to get ekiga to work with ipsec(if I can get the dang thing to compiled right). -- Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
