[redhat-lspp] using ah and esp protocols in ipsec
Joy Latten
latten at austin.ibm.com
Wed Oct 18 01:23:50 UTC 2006
Hi Venkat,
It is possible that I am just tired :-), but when I downloaded and
installed the 52 kernel on my pseries boxes, the SAs were no longer
being created based on the socket.
My spd contained:
spdadd 9.3.189.57 9.3.192.210 any -ctx 1 1
"system_u:object_r:passwd_t:s0:c0" -P out ipsec
esp/transport//require;
spdadd 9.3.192.210 9.3.189.57 any -ctx 1 1
"system_u:object_r:passwd_t:s0:c0" -P in ipsec
esp/transport//require;
But racoon created the following SAs:
9.3.192.210 9.3.189.57
esp mode=transport spi=34338755(0x020bf7c3) reqid=0(0x00000000)
E: aes-cbc 61d52049 38273364 09c7f603 ebd0ce28
A: hmac-sha1 f5453542 2e16bbb9 b56e3e33 317b00d5 39331e0d
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Oct 17 19:57:05 2006 current: Oct 17 19:58:51 2006
diff: 106(s) hard: 180(s) soft: 144(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
security context doi: 1
security context algorithm: 1
security context length: 43
security context: system_u:object_r:passwd_t:s0-s15:c0.c1023
sadb_seq=1 pid=3404 refcnt=0
9.3.189.57 9.3.192.210
esp mode=transport spi=157682297(0x09660a79) reqid=0(0x00000000)
E: aes-cbc 896198a8 d3dfb189 a2082d0f 4a745855
A: hmac-sha1 daa62bee ccd6cf07 dfee6fff a87abd9a b1b379ce
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Oct 17 19:57:05 2006 current: Oct 17 19:58:51 2006
diff: 106(s) hard: 180(s) soft: 144(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
security context doi: 1
security context algorithm: 1
security context length: 43
security context: system_u:object_r:passwd_t:s0-s15:c0.c1023
sadb_seq=0 pid=3404 refcnt=0
I am not sure what to look for to verify that your socket patches are
in the 52 kernel, but I'll try and take a look tomorrow morning. It was
working in Eric's kernel.
Joy
On Tue, 2006-10-17 at 14:00 -0500, Venkat Yekkirala wrote:
> Hi Joy,
>
> Could you please tell me if you have the secid patches
> on your kernel. I ask because that's what has got the
> change where an SA gets the label from the creating
> socket/flow.
>
> As for the MLS portion, it should be whatever level ping is
> running at. Also, are you running in permissive?
>
> Thanks,
>
> venkat
>
> PS: Sorry I seem to have missed your past query on this.
>
> > -----Original Message-----
> > From: Joy Latten [mailto:latten at austin.ibm.com]
> > Sent: Monday, October 16, 2006 5:21 PM
> > To: paul.moore at hp.com
> > Cc: redhat-lspp at redhat.com
> > Subject: [redhat-lspp] using ah and esp protocols in ipsec
> >
> >
> > Paul,
> >
> > When ipsec policy is specified as:
> >
> > spdadd 9.3.189.57 9.3.192.210 any
> > -ctx 1 1 "system_u:object_r:passwd_t:s3"
> > -P out ipsec
> > esp/transport//require ah/transport//require;
> >
> > Since I specified both esp and ah protocols,
> > racoon created 4 SAs, 2 for esp and 2 for AH.
> > All four SAs created had the following security context:
> > security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
> > (A ping resulted in the SAs being created.)
> >
> > Hope this helps. Let me know if there is anything else I
> > can help with.
> >
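As an added check that is not part of the thread: the script below parses a setkey -D style SA dump like the one above and compares each SA's security context with the context the SPD entry asked for, so a label pulled from somewhere other than the policy (here the s0-s15:c0.c1023 range instead of s0:c0) is flagged mechanically. The parser, its function names and the IPv4-only header match are my assumptions; the sample dump is a trimmed copy of the one in the message.

```python
import re

# Constructed sample: the SPD context from the spdadd rule and a trimmed copy of the two SAs
# racoon created (lifetime and byte-counter lines dropped for brevity).
SPD_CTX = "system_u:object_r:passwd_t:s0:c0"
SA_DUMP = """\
9.3.192.210 9.3.189.57
esp mode=transport spi=34338755(0x020bf7c3) reqid=0(0x00000000)
security context doi: 1
security context: system_u:object_r:passwd_t:s0-s15:c0.c1023
sadb_seq=1 pid=3404 refcnt=0
9.3.189.57 9.3.192.210
esp mode=transport spi=157682297(0x09660a79) reqid=0(0x00000000)
security context: system_u:object_r:passwd_t:s0-s15:c0.c1023
sadb_seq=0 pid=3404 refcnt=0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_HEADER = re.compile(rf"^({IPV4})\s+({IPV4})$")   # "src dst" line opens each SA entry
SA_PROTO = re.compile(r"^(esp|ah)\s+mode=(\w+)\s+spi=(\d+)")
SA_CTX = re.compile(r"^security context:\s+(\S+)$")  # not the doi/algorithm/length lines

def parse_sa_dump(text):
    """Parse 'setkey -D' style output into one dict per SA (hypothetical helper, IPv4 only)."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if m := SA_HEADER.match(line):
            sas.append({"src": m[1], "dst": m[2], "ctx": None})
        elif sas and (m := SA_PROTO.match(line)):
            sas[-1].update(proto=m[1], mode=m[2], spi=int(m[3]))
        elif sas and (m := SA_CTX.match(line)):
            sas[-1]["ctx"] = m[1]
    return sas

def check_sa_labels(sas, expected_ctx):
    """Map each SPI to 'match', 'type-mismatch' (user/role/type differ), 'range-mismatch'
    (e.g. s0-s15:c0.c1023 where s0:c0 was expected) or 'unlabeled'.  A context is
    user:role:type:range and the MLS range can itself contain ':', so split at most 3 times."""
    expected = expected_ctx.split(":", 3)
    results = {}
    for sa in sas:
        if sa["ctx"] is None:
            results[sa.get("spi")] = "unlabeled"
            continue
        fields = sa["ctx"].split(":", 3)
        results[sa.get("spi")] = ("type-mismatch" if fields[:3] != expected[:3]
                                  else "range-mismatch" if fields[3] != expected[3] else "match")
    return results
```

Running check_sa_labels(parse_sa_dump(SA_DUMP), SPD_CTX) reports range-mismatch for both SPIs; feeding it the ping_t context from the earlier test instead reports type-mismatch.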