On Tue, Sep 8, 2020 at 3:40 AM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote: > > Update ipsec.conf file that describes the labeled ipsec entries. > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > --- > V2 Change: Update encryption algorithms and add note as suggested by > Topi Miettinen. > > src/network_support.md | 45 ++++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 43 insertions(+), 2 deletions(-) Merged with the one small fix noted below ... > diff --git a/src/network_support.md b/src/network_support.md > index 36af1f4..1103c70 100644 > --- a/src/network_support.md > +++ b/src/network_support.md > @@ -452,11 +452,52 @@ Context type identifier has never been defined in any standard. Pluto is > configurable and defaults to '*32001*', this is the IPSEC Security > Association Attribute identifier reserved for private use. Racoon is > hard coded to a value of '*10*', therefore the pluto ***ipsec.conf**(5)* > -file must be configured as follows: > +configuration file *secctx-attr-type* entry must be set as shown in the > +following example: > > ``` > config setup > - secctx-attr-type=10 > + protostack=netkey > + plutodebug=all > + logfile=/var/log/pluto/pluto.log > + logappend=no > + # A "secctx-attr-type" MUST be present: > + secctx-attr-type=10 > + # Labeled IPSEC only supports the following values: > + # 10 = ECN_TUNNEL - Used by racoon(8) > + # 32001 = Default - Reserved for private use (see RFC 2407) > + # These are the "IPSEC Security Association Attributes" > + > +conn selinux_labeled_ipsec_test > + # ikev2 MUST be "no" as labeled ipsec is not yet supported by IKEV2 > + # There is a draft IKEV2 labeled ipsec document (July '20) at: > + # https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03 > + ikev2=no > + auto=start > + rekey=no > + authby=secret # set in '/etc/ipsec.secrets'. See NOTE > + type=transport > + left=192.168.1.198 > + right=192.168.1.148 > + ike=aes256-sha2 # See NOTE > + phase2=esp > + phase2alg=aes256 # See NOTE > + # The 'policy-label' entry is used to determine whether SELinux will > + # allow or deny the request using the labels from: > + # connection policy label from the applicable SAD entry > + # connection flow label from the applicable SPD entry (this is taken > + # from the 'conn <name> policy-label' entry). > + # selinux_check_access(SAD, SPD, "association", "polmatch", NULL); > + policy-label=system_u:object_r:ipsec_spd_t:s0 > + leftprotoport=tcp > + rightprotoport=tcp > + > +# NOTE: > +# The authentication methods and encryption algorithms should be chosen > +# with care and within the constraints of those available for > + interoperability. Missing a '#' in the line above. > +# Racoon is no longer actively supported and has a limited choice of > +# algorithms compared to LibreSwan. > ``` > > The Fedora version of racoon has added functionality to support -- paul moore www.paul-moore.com
