On Thu, Apr 30, 2009 at 8:39 PM, Mark Webb <elihusmails@xxxxxxxxx> wrote:
> racoon comes with ipsec-tools, and there is not much documentation to
> go on. Still working through it though...
>
>
> On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock <justinmattock@xxxxxxxxx> wrote:
>> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>>>> I am working to get the labelled IPSec working, following Josh
>>>> Brindle's blog post
>>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>>> I just want to get the client and server running on loopback, using a
>>>> fully patched Fedora 10 machine.
>>>>
>>>> I have the following keyfile that I pass into setkey:
>>>> ----------
>>>> spdflush;
>>>>
>>>> flush;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P in ipsec esp/transport//require;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P out ipsec esp/transport//require;
>>>> ----------
>>>>
>>>> I enter the following commands:
>>>>
>>>> --- Terminal 1 ---
>>>> setenforce 0
>>>> setkey -f <keyfile>
>>>> ./server
>>>>
>>>> --- Terminal 2 ---
>>>> # ./client 127.0.0.1
>>>> getpeercon: Protocol not available
>>>> Received: Hello, (null) from (null)
>>>>
>>>> --- Terminal 1 ---
>>>> getsockopt: Protocol not available
>>>> server: got connection from 127.0.0.1, (null)
>>>>
>>>> Not sure what I am missing. I have installed ipsec-tools and started
>>>> /etc/init.d/racoon.
>>>>
>>>> Any help would be appreciated.
>>>
>>> IPSEC and loopback don't generally get along very well. Try:
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
>>>
>>> Might want to also read through an old bug report on this issue,
>>> https://bugzilla.redhat.com/show_bug.cgi?id=218386
>>>
>>> --
>>> Stephen Smalley
>>> National Security Agency
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>
>> From what I remember, I just used (ipsec-tools)
>> /etc/ipsec.conf to deal with the
>> key exchange, and handling of
>> AH and ESP encapsulation (racoon is another approach).
>>
>> The main area is setting up the keys so the two
>> machines can exchange.
>> Google around to find an already configured
>> ipsec.conf (saves you the energy of going crazy with
>> a long line of numbers); this way you just need to set
>> the IPs.
>>
>> At the moment I've been trying to get ekiga to
>> work with ipsec (if I can get the dang thing to compile
>> right).
>>
>>
>> --
>> Justin P. Mattock
>>

Yep, but I think it provides other ways for key exchanges. Here is what I am using:
http://www.linuxfromscratch.org/hints/downloads/files/ipsec.txt

I used this configuration about a year ago, worked like a charm!!

--
Justin P. Mattock