* [PATCH] network_support: Update LibreSwan configuration
From: Richard Haines @ 2020-09-06 15:27 UTC (permalink / raw)
To: paul, selinux; +Cc: Richard Haines
Update ipsec.conf file that describes the labeled ipsec entries.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
This was used to test the updated LibreSwan that now supports
selinux_check_access(3) from https://github.com/libreswan/libreswan
src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++--
1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/src/network_support.md b/src/network_support.md
index 36af1f4..4a3fd38 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -452,11 +452,45 @@ Context type identifier has never been defined in any standard. Pluto is
configurable and defaults to '*32001*', this is the IPSEC Security
Association Attribute identifier reserved for private use. Racoon is
hard coded to a value of '*10*', therefore the pluto ***ipsec.conf**(5)*
-file must be configured as follows:
+configuration file *secctx-attr-type* entry must be set as shown in the
+following example:
```
config setup
- secctx-attr-type=10
+ protostack=netkey
+ plutodebug=all
+ logfile=/var/log/pluto/pluto.log
+ logappend=no
+ # A "secctx-attr-type" MUST be present:
+ secctx-attr-type=10
+ # Labeled IPSEC only supports the following values:
+ # 10 = ECN_TUNNEL - Used by racoon(8)
+ # 32001 = Default - Reserved for private use (see RFC 2407)
+ # These are the "IPSEC Security Association Attributes"
+
+conn selinux_labeled_ipsec_test
+ # ikev2 MUST be "no" as labeled ipsec is not yet supported by IKEV2
+ # There is a draft IKEV2 labeled ipsec document (July '20) at:
+ # https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03
+ ikev2=no
+ auto=start
+ rekey=no
+ authby=secret # set in '/etc/ipsec.secrets'
+ type=transport
+ left=192.168.1.198
+ right=192.168.1.148
+ ike=3des-sha1
+ phase2=esp
+ phase2alg=3des-sha1
+ # The 'policy-label' entry is used to determine whether SELinux will
+ # allow or deny the request using the labels from:
+ # connection policy label from the applicable SAD entry
+ # connection flow label from the applicable SPD entry (this is taken
+ # from the 'conn <name> policy-label' entry).
+ # selinux_check_access(SAD, SPD, "association", "polmatch", NULL);
+ policy-label=system_u:object_r:ipsec_spd_t:s0
+ leftprotoport=tcp
+ rightprotoport=tcp
```
The Fedora version of racoon has added functionality to support
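Review bot: ike=3des-sha1 and phase2alg=3des-sha1 choose legacy algorithms for a block that the surrounding text presents as the ipsec.conf example to follow; either switch the example to a current AES/SHA-2 proposal or add a comment beside those two lines stating that they were chosen only for interoperability with racoon, so readers do not carry 3DES and SHA-1 into their own configurations. The same applies to plutodebug=all together with logfile=/var/log/pluto/pluto.log: that is full debug logging, and a one-line comment marking it as a test-only setting would stop the block being copied into production as is.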
--
2.26.2
* Re: [PATCH] network_support: Update LibreSwan configuration
From: Topi Miettinen @ 2020-09-06 18:11 UTC (permalink / raw)
To: Richard Haines, paul, selinux
On 6.9.2020 18.27, Richard Haines wrote:
> Update ipsec.conf file that describes the labeled ipsec entries.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> This was used to test the updated LibreSwan that now supports
> selinux_check_access(3) from https://github.com/libreswan/libreswan
>
> src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++--
> 1 file changed, 36 insertions(+), 2 deletions(-)
>
> diff --git a/src/network_support.md b/src/network_support.md
> index 36af1f4..4a3fd38 100644
> --- a/src/network_support.md
> +++ b/src/network_support.md
> @@ -452,11 +452,45 @@ Context type identifier has never been defined in any standard. Pluto is
> configurable and defaults to '*32001*', this is the IPSEC Security
> Association Attribute identifier reserved for private use. Racoon is
> hard coded to a value of '*10*', therefore the pluto ***ipsec.conf**(5)*
> -file must be configured as follows:
> +configuration file *secctx-attr-type* entry must be set as shown in the
> +following example:
>
> ```
> config setup
> - secctx-attr-type=10
> + protostack=netkey
> + plutodebug=all
> + logfile=/var/log/pluto/pluto.log
> + logappend=no
> + # A "secctx-attr-type" MUST be present:
> + secctx-attr-type=10
> + # Labeled IPSEC only supports the following values:
> + # 10 = ECN_TUNNEL - Used by racoon(8)
> + # 32001 = Default - Reserved for private use (see RFC 2407)
> + # These are the "IPSEC Security Association Attributes"
> +
> +conn selinux_labeled_ipsec_test
> + # ikev2 MUST be "no" as labeled ipsec is not yet supported by IKEV2
> + # There is a draft IKEV2 labeled ipsec document (July '20) at:
> + # https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03
> + ikev2=no
> + auto=start
> + rekey=no
> + authby=secret # set in '/etc/ipsec.secrets'
> + type=transport
> + left=192.168.1.198
> + right=192.168.1.148
> + ike=3des-sha1
Since this configuration may set an example for less experienced users
who may just copy this without much understanding, would it be possible
to use a more modern crypto algorithm? Also, the libreswan documentation
says that sha1 will be obsoleted in the near future. Would something like
"ike=aes_gcm256-sha2" work? I don't have a working libreswan setup.
https://libreswan.org/man/ipsec.conf.5.html
> + phase2=esp
> + phase2alg=3des-sha1
How about "phase2alg=aes_gcm256"?
-Topi
* Re: [PATCH] network_support: Update LibreSwan configuration
From: Richard Haines @ 2020-09-07 15:20 UTC (permalink / raw)
To: Topi Miettinen; +Cc: paul, selinux
On Sun, 2020-09-06 at 21:11 +0300, Topi Miettinen wrote:
> On 6.9.2020 18.27, Richard Haines wrote:
> > Update ipsec.conf file that describes the labeled ipsec entries.
> >
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> > This was used to test the updated LibreSwan that now supports
> > selinux_check_access(3) from https://github.com/libreswan/libreswan
> >
> > src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++-
> > -
> > 1 file changed, 36 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/network_support.md b/src/network_support.md
> > index 36af1f4..4a3fd38 100644
> > --- a/src/network_support.md
> > +++ b/src/network_support.md
> > @@ -452,11 +452,45 @@ Context type identifier has never been
> > defined in any standard. Pluto is
> > configurable and defaults to '*32001*', this is the IPSEC
> > Security
> > Association Attribute identifier reserved for private use. Racoon
> > is
> > hard coded to a value of '*10*', therefore the pluto
> > ***ipsec.conf**(5)*
> > -file must be configured as follows:
> > +configuration file *secctx-attr-type* entry must be set as shown
> > in the
> > +following example:
> >
> > ```
> > config setup
> > - secctx-attr-type=10
> > + protostack=netkey
> > + plutodebug=all
> > + logfile=/var/log/pluto/pluto.log
> > + logappend=no
> > + # A "secctx-attr-type" MUST be present:
> > + secctx-attr-type=10
> > + # Labeled IPSEC only supports the following values:
> > + # 10 = ECN_TUNNEL - Used by racoon(8)
> > + # 32001 = Default - Reserved for private use (see RFC 2407)
> > + # These are the "IPSEC Security Association Attributes"
> > +
> > +conn selinux_labeled_ipsec_test
> > + # ikev2 MUST be "no" as labeled ipsec is not yet supported by
> > IKEV2
> > + # There is a draft IKEV2 labeled ipsec document (July '20) at:
> > + #
> > https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03
> > + ikev2=no
> > + auto=start
> > + rekey=no
> > + authby=secret # set in '/etc/ipsec.secrets'
> > + type=transport
> > + left=192.168.1.198
> > + right=192.168.1.148
> > + ike=3des-sha1
>
> Since this configuration may set an example for less experienced
> users
> who may just copy this without much understanding, would it be
> possible
> to use a more modern crypto algorithm? Also, the libreswan documentation
> says that sha1 will be obsoleted in the near future. Would something
> like
> "ike=aes_gcm256-sha2" work? I don't have a working libreswan setup.
>
> https://libreswan.org/man/ipsec.conf.5.html
>
> > + phase2=esp
> > + phase2alg=3des-sha1
>
> How about "phase2alg=aes_gcm256"?
Thanks for the feedback. It appears that racoon does not support aes
gcm types, so I've changed them to aes256 and added some comments. This
config does work between LibreSwan and Racoon. Is this ok ???
...
ike=aes256-sha2 # See NOTE
phase2=esp
phase2alg=aes256 # See NOTE
...
# NOTE:
# The encryption algorithms should be chosen with care and within the
# constraints of those available for interoperability.
# Racoon is no longer actively supported and has a limited choice of
# algorithms compared to LibreSwan.
>
> -Topi
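As an added example (not part of the patch, the thread, or LibreSwan itself), a small linter that checks a pluto ipsec.conf against the constraints stated above: secctx-attr-type present and set to 10 or 32001, ikev2=no on every connection carrying a policy-label, and no legacy algorithms such as the 3des-sha1 that the thread replaces with aes256-sha2/aes256. The sample configuration is constructed from the settings in the patch, and the parser assumes the simple one key=value per line layout shown there (no `include` or `also=`).

```python
import re

# Constructed sample, taken from the settings in the patch's ipsec.conf example.
SAMPLE_CONF = """\
config setup
    # A "secctx-attr-type" MUST be present:
    secctx-attr-type=10

conn selinux_labeled_ipsec_test
    ikev2=no
    authby=secret # set in '/etc/ipsec.secrets'
    ike=3des-sha1
    phase2alg=3des-sha1
    policy-label=system_u:object_r:ipsec_spd_t:s0
"""
LEGACY_ALGS = ("3des", "sha1", "md5")  # flagged wherever they appear in ike/phase2alg

def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn <name>' sections to key=value dicts; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"^(config\s+setup|conn\s+\S+)$", line):
            current = " ".join(line.split())  # normalise internal whitespace
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint_labeled_ipsec(sections):
    """Return findings against the constraints stated in the patch and the thread."""
    findings = []
    setup = sections.get("config setup", {})
    attr = setup.get("secctx-attr-type")
    if attr is None:
        findings.append("config setup: secctx-attr-type missing (labeled IPsec requires it)")
    elif attr not in ("10", "32001"):
        findings.append(f"config setup: secctx-attr-type={attr} is neither 10 nor 32001")
    for name, conn in sections.items():
        if not name.startswith("conn ") or "policy-label" not in conn:
            continue  # only connections carrying a policy-label are labeled IPsec
        if conn.get("ikev2", "").lower() != "no":
            findings.append(f"{name}: labeled IPsec needs an explicit ikev2=no")
        for key in ("ike", "phase2alg"):
            weak = [a for a in LEGACY_ALGS if a in conn.get(key, "").lower()]
            if weak:
                findings.append(f"{name}: {key}={conn[key]} uses legacy {', '.join(weak)}")
    return findings
```

Running it on the sample reports both 3des-sha1 lines; replacing them with the aes256-sha2/aes256 values from the thread clears the findings.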
* Re: [PATCH] network_support: Update LibreSwan configuration
From: Topi Miettinen @ 2020-09-08 6:58 UTC (permalink / raw)
To: Richard Haines; +Cc: paul, selinux
On 7.9.2020 18.20, Richard Haines wrote:
> On Sun, 2020-09-06 at 21:11 +0300, Topi Miettinen wrote:
>> On 6.9.2020 18.27, Richard Haines wrote:
>>> Update ipsec.conf file that describes the labeled ipsec entries.
>>>
>>> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
>>> ---
>>> This was used to test the updated LibreSwan that now supports
>>> selinux_check_access(3) from https://github.com/libreswan/libreswan
>>>
>>> src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++-
>>> -
>>> 1 file changed, 36 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/src/network_support.md b/src/network_support.md
>>> index 36af1f4..4a3fd38 100644
>>> --- a/src/network_support.md
>>> +++ b/src/network_support.md
>>> @@ -452,11 +452,45 @@ Context type identifier has never been
>>> defined in any standard. Pluto is
>>> configurable and defaults to '*32001*', this is the IPSEC
>>> Security
>>> Association Attribute identifier reserved for private use. Racoon
>>> is
>>> hard coded to a value of '*10*', therefore the pluto
>>> ***ipsec.conf**(5)*
>>> -file must be configured as follows:
>>> +configuration file *secctx-attr-type* entry must be set as shown
>>> in the
>>> +following example:
>>>
>>> ```
>>> config setup
>>> - secctx-attr-type=10
>>> + protostack=netkey
>>> + plutodebug=all
>>> + logfile=/var/log/pluto/pluto.log
>>> + logappend=no
>>> + # A "secctx-attr-type" MUST be present:
>>> + secctx-attr-type=10
>>> + # Labeled IPSEC only supports the following values:
>>> + # 10 = ECN_TUNNEL - Used by racoon(8)
>>> + # 32001 = Default - Reserved for private use (see RFC 2407)
>>> + # These are the "IPSEC Security Association Attributes"
>>> +
>>> +conn selinux_labeled_ipsec_test
>>> + # ikev2 MUST be "no" as labeled ipsec is not yet supported by
>>> IKEV2
>>> + # There is a draft IKEV2 labeled ipsec document (July '20) at:
>>> + #
>>> https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03
>>> + ikev2=no
>>> + auto=start
>>> + rekey=no
>>> + authby=secret # set in '/etc/ipsec.secrets'
>>> + type=transport
>>> + left=192.168.1.198
>>> + right=192.168.1.148
>>> + ike=3des-sha1
>>
>> Since this configuration may set an example for less experienced
>> users
>> who may just copy this without much understanding, would it be
>> possible
>> to use a more modern crypto algorithm? Also, the libreswan documentation
>> says that sha1 will be obsoleted in the near future. Would something
>> like
>> "ike=aes_gcm256-sha2" work? I don't have a working libreswan setup.
>>
>> https://libreswan.org/man/ipsec.conf.5.html
>>
>>> + phase2=esp
>>> + phase2alg=3des-sha1
>>
>> How about "phase2alg=aes_gcm256"?
>
> Thanks for the feedback. It appears that racoon does not support aes
> gcm types, so I've changed them to aes256 and added some comments. This
> config does work between LibreSwan and Racoon. Is this ok ???
Looks good to me, with the caveat that I don't know much about Libreswan
or Racoon and I'm not a crypto expert.
>
> ...
> ike=aes256-sha2 # See NOTE
> phase2=esp
> phase2alg=aes256 # See NOTE
> ...
>
> # NOTE:
> # The encryption algorithms should be chosen with care and within the
> # constraints of those available for interoperability.
> # Racoon is no longer actively supported and has a limited choice of
> # algorithms compared to LibreSwan.
This is also a great note.
-Topi