Thanks for the help. I am going to get another machine set up so that I am not using loopback any more.

After tinkering with things a bit, I found that running the command:

echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm

gets things working. The other command seemed to disable loopback communication.

On Thu, Apr 30, 2009 at 8:01 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>> I am working to get the labelled IPSec working, following Josh
>> Brindle's blog post
>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>> I just want to get the client and server running on loopback, using a
>> fully patched Fedora 10 machine.
>>
>> I have the following keyfile that I pass into setkey:
>> ----------
>> spdflush;
>>
>> flush;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P in ipsec esp/transport//require;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P out ipsec esp/transport//require;
>> ----------
>>
>> I enter the following commands:
>>
>> --- Terminal 1 ---
>> setenforce 0
>> setkey -f <keyfile>
>> ./server
>>
>> --- Terminal 2 ---
>> # ./client 127.0.0.1
>> getpeercon: Protocol not available
>> Received: Hello, (null) from (null)
>>
>> --- Terminal 1 ---
>> getsockopt: Protocol not available
>> server: got connection from 127.0.0.1, (null)
>>
>> Not sure what I am missing. I have installed ipsec-tools and started
>> /etc/init.d/racoon.
>>
>> Any help would be appreciated.
>
> IPSEC and loopback don't generally get along very well. Try:
> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
>
> Might want to also read through an old bug report on this issue,
> https://bugzilla.redhat.com/show_bug.cgi?id=218386
>
> --
> Stephen Smalley
> National Security Agency