[redhat-lspp] using ah and esp protocols in ipsec

Joy Latten latten at austin.ibm.com
Wed Oct 18 01:23:50 UTC 2006


Hi Venkat,

It is possible that I am just tired :-), but when I downloaded and
installed the 52 kernel on my pseries boxes, the SAs were no longer
being created based on the socket.

My spd contained:

spdadd 9.3.189.57 9.3.192.210 any -ctx 1 1
"system_u:object_r:passwd_t:s0:c0" -P out ipsec
        esp/transport//require;

spdadd 9.3.192.210 9.3.189.57 any -ctx 1 1
"system_u:object_r:passwd_t:s0:c0" -P in ipsec
        esp/transport//require;

But racoon created the following SAs:
9.3.192.210 9.3.189.57
        esp mode=transport spi=34338755(0x020bf7c3) reqid=0(0x00000000)
        E: aes-cbc  61d52049 38273364 09c7f603 ebd0ce28
        A: hmac-sha1  f5453542 2e16bbb9 b56e3e33 317b00d5 39331e0d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct 17 19:57:05 2006   current: Oct 17 19:58:51 2006
        diff: 106(s)    hard: 180(s)    soft: 144(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        security context doi: 1
        security context algorithm: 1
        security context length: 43
        security context: system_u:object_r:passwd_t:s0-s15:c0.c1023
        sadb_seq=1 pid=3404 refcnt=0
9.3.189.57 9.3.192.210
        esp mode=transport spi=157682297(0x09660a79) reqid=0(0x00000000)
        E: aes-cbc  896198a8 d3dfb189 a2082d0f 4a745855
        A: hmac-sha1  daa62bee ccd6cf07 dfee6fff a87abd9a b1b379ce
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct 17 19:57:05 2006   current: Oct 17 19:58:51 2006
        diff: 106(s)    hard: 180(s)    soft: 144(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        security context doi: 1
        security context algorithm: 1
        security context length: 43
        security context: system_u:object_r:passwd_t:s0-s15:c0.c1023
        sadb_seq=0 pid=3404 refcnt=0

I am not sure what to look for to verify that your socket patches are
in the 52 kernel, but I'll try and take a look tomorrow morning. It was
working in Eric's kernel.

Joy


On Tue, 2006-10-17 at 14:00 -0500, Venkat Yekkirala wrote:
> Hi Joy,
> 
> Could you please tell me if you have the secid patches
> on your kernel. I ask because that's what has got the
> change where an SA gets the label from the creating
> socket/flow.
> 
> As for the MLS portion, it should be whatever level ping is
> running at. Also, are you running in permissive?
> 
> Thanks,
> 
> venkat
> 
> PS: Sorry I seem to have missed your past query on this.
> 
> > -----Original Message-----
> > From: Joy Latten [mailto:latten at austin.ibm.com]
> > Sent: Monday, October 16, 2006 5:21 PM
> > To: paul.moore at hp.com
> > Cc: redhat-lspp at redhat.com
> > Subject: [redhat-lspp] using ah and esp protocols in ipsec
> > 
> > 
> > Paul,
> > 
> > When ipsec policy is specified as:
> >  
> >  spdadd 9.3.189.57 9.3.192.210 any 
> >  -ctx 1 1 "system_u:object_r:passwd_t:s3" 
> >  -P out ipsec
> >  esp/transport//require ah/transport//require;
> > 
> > Since I specified both esp and ah protocols,
> > racoon created 4 SAs, 2 for esp and 2 for AH.
> > All four SAs created had the following security context:
> > security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
> > (A ping resulted in the SAs being created.)
> > 
> > Hope this helps. Let me know if there is anything else I 
> > can help with.
> > 

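The check Joy is doing by hand above, as an added example that is not code from this thread: parse a `setkey -D` style SA dump and report SAs whose SELinux type differs from the type in the SPD's `-ctx` label (i.e. SAs that did not inherit the creating socket's label). The sample dump and the helper names (`parse_sad`, `check_sa_labels`) are my own constructions, modelled on the values quoted in the thread.

```python
import re

# Constructed sample modelled on the thread's setkey -D output (fields trimmed):
# first SA labelled from the SPD policy (passwd_t), second from a ping socket.
SAD_DUMP = """\
9.3.192.210 9.3.189.57
        esp mode=transport spi=34338755(0x020bf7c3) reqid=0(0x00000000)
        security context doi: 1
        security context algorithm: 1
        security context length: 43
        security context: system_u:object_r:passwd_t:s0-s15:c0.c1023
9.3.189.57 9.3.192.210
        esp mode=transport spi=157682297(0x09660a79) reqid=0(0x00000000)
        security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
"""

def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi, ctx (None if unlabelled)."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s*$", line)
        if m:  # unindented "<src> <dst>" line starts a new SA entry
            cur = {"src": m.group(1), "dst": m.group(2), "ctx": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^\s+(esp|ah)\s+mode=(\w+)\s+spi=(\d+)", line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = re.match(r"^\s+security context:\s+(\S+)", line)  # not "... doi:/algorithm:/length:"
        if m:
            cur["ctx"] = m.group(1)
    return sas

def context_type(ctx):
    """SELinux type is the third field of user:role:type[:range]."""
    return ctx.split(":")[2] if ctx else None

def check_sa_labels(sas, policy_type):
    """Return (src, dst, proto, ctx) for SAs whose type is not the SPD -ctx type."""
    return [(sa["src"], sa["dst"], sa["proto"], sa["ctx"])
            for sa in sas if context_type(sa["ctx"]) != policy_type]

if __name__ == "__main__":
    for src, dst, proto, ctx in check_sa_labels(parse_sad(SAD_DUMP), "passwd_t"):
        print(f"{src} -> {dst} {proto}: SA label {ctx} differs from SPD label type")
```

Run it against a real dump with `setkey -D | python3 this_script.py`-style piping only after replacing `SAD_DUMP` with `sys.stdin.read()`; the type comparison deliberately ignores the MLS range, since the range on the SA and the range in the policy are expected to differ.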