On Sun, 2020-09-06 at 21:11 +0300, Topi Miettinen wrote: > On 6.9.2020 18.27, Richard Haines wrote: > > Update ipsec.conf file that describes the labeled ipsec entries. > > > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > > --- > > This was used to test the updated LibreSwan that now supports > > selinux_check_access(3) from https://github.com/libreswan/libreswan > > > > src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++- > > - > > 1 file changed, 36 insertions(+), 2 deletions(-) > > > > diff --git a/src/network_support.md b/src/network_support.md > > index 36af1f4..4a3fd38 100644 > > --- a/src/network_support.md > > +++ b/src/network_support.md > > @@ -452,11 +452,45 @@ Context type identifier has never been > > defined in any standard. Pluto is > > configurable and defaults to '*32001*', this is the IPSEC > > Security > > Association Attribute identifier reserved for private use. Racoon > > is > > hard coded to a value of '*10*', therefore the pluto > > ***ipsec.conf**(5)* > > -file must be configured as follows: > > +configuration file *secctx-attr-type* entry must be set as shown > > in the > > +following example: > > > > ``` > > config setup > > - secctx-attr-type=10 > > + protostack=netkey > > + plutodebug=all > > + logfile=/var/log/pluto/pluto.log > > + logappend=no > > + # A "secctx-attr-type" MUST be present: > > + secctx-attr-type=10 > > + # Labeled IPSEC only supports the following values: > > + # 10 = ECN_TUNNEL - Used by racoon(8) > > + # 32001 = Default - Reserved for private use (see RFC 2407) > > + # These are the "IPSEC Security Association Attributes" > > + > > +conn selinux_labeled_ipsec_test > > + # ikev2 MUST be "no" as labeled ipsec is not yet supported by > > IKEV2 > > + # There is a draft IKEV2 labeled ipsec document (July '20) at: > > + # > > https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03 > > + ikev2=no > > + auto=start > > + rekey=no > > + authby=secret # set in '/etc/ipsec.secrets' > > + type=transport > > + left=192.168.1.198 > > + right=192.168.1.148 > > + ike=3des-sha1 > > Since this configuration may set an example for less experienced > users > who may just copy this without much understanding, would it be > possible > to use a more modern crypto algorithm? Also libreswan documentation > tells that sha1 will be obsoleted in near future. Would something > like > "ike=aes_gcm256-sha2" work? I don't have a working libreswan setup. > > https://libreswan.org/man/ipsec.conf.5.html > > > + phase2=esp > > + phase2alg=3des-sha1 > > How about "phase2alg=aes_gcm256"? Thanks for the feedback. It appears that racoon does not support aes gcm types so I've changed them to aes256 and added some comments. This config does work LibreSwan - Racoon. Is this ok ??? ... ike=aes256-sha2 # See NOTE phase2=esp phase2alg=aes256 # See NOTE ... # NOTE: # The encryption algorithms should be chosen with care and within the # constraints of those available for interoperability. # Racoon is no longer actively supported and has a limited choice of # algorithms compared to LibreSwan. > > -Topi
