Joy Latten wrote:
> On Tue, 2006-12-12 at 10:07 -0500, Paul Moore wrote:
>
>> Okay, can you provide a simple example of what commands/config I need to be
>> able to ping across loopback? I would find that helpful and suspect others
>> would as well ... or maybe I'm the only "slow" one ;)
>
> Sorry, I thought I had sent it and realized I had only sent it to Joe.
> Here is what I did to get ping to work over loopback with labeled ipsec.

Thanks!

> I configure ipsec in sysadm_r role.
>
> In file, setkey.loopback, I have the following
>
> add 127.0.0.1 127.0.0.1 esp 35590
>     -m transport -ctx 1 1 "root:sysadm_r:ping_t:s0-s15:c0.c1023"
>     -E 3des-cbc "06183223c23a21e8b36c566b";

Hmmm, if I am following this correctly we are going to need to manually
set up an SA for every context we want to send over loopback because racoon
can't negotiate with itself? If that's the case I think we really need to
get racoon working for loopback because I don't believe the current
solution is very practical ...

> spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1
>     "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
>     -P out ipsec esp/transport//require;
>
> spdadd 127.0.0.1 127.0.0.1 any
>     -ctx 1 1 "system_u:object_r:unlabeled_t:s0-s15:c0.c1023"
>     -P in ipsec esp/transport//require;

--
paul moore
linux security @ hp

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
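Since the manual setup above needs one SA per context, here is an added example (not from the thread) that generates such a setkey.loopback file for a list of contexts, giving each SA its own SPI and a fresh random key instead of a shared static one. It assumes the ipsec-tools setkey syntax shown in Joy's config (`-ctx 1 1 "..."`), swaps the static 3des-cbc key for a random 128-bit aes-cbc key, and the second context and SPI range are constructed sample values.

```shell
#!/bin/sh
# Added example: emit a setkey(8) script with one loopback ESP SA per
# SELinux context (each with its own SPI and random key), followed by the
# in/out "require" policies from the thread. Feed the output to: setkey -f FILE
# Assumptions: ipsec-tools setkey "-ctx" syntax as quoted in the thread;
# aes-cbc with 128-bit keys; the context list is constructed sample data.

set -eu

# Label used on the SPD entries in the thread's config.
LOOP_SPD_CTX='system_u:object_r:unlabeled_t:s0-s15:c0.c1023'

# Print a fresh 128-bit key as 32 lowercase hex digits.
gen_key() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# gen_loopback_sas SPI_START CONTEXT...  -> one "add" entry per context,
# SPIs allocated consecutively from SPI_START.
gen_loopback_sas() {
    spi=$1; shift
    for ctx in "$@"; do
        key=$(gen_key)
        printf 'add 127.0.0.1 127.0.0.1 esp %d\n' "$spi"
        printf '    -m transport -ctx 1 1 "%s"\n' "$ctx"
        printf '    -E aes-cbc 0x%s;\n\n' "$key"
        spi=$((spi + 1))
    done
}

# gen_loopback_spd -> require ESP transport on loopback, both directions.
gen_loopback_spd() {
    for dir in out in; do
        printf 'spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1 "%s"\n' "$LOOP_SPD_CTX"
        printf '    -P %s ipsec esp/transport//require;\n\n' "$dir"
    done
}

# Full config: SAs first (starting at the thread's SPI 35590), then policies.
# The second context is a constructed placeholder, not from the thread.
gen_setkey_config() {
    gen_loopback_sas 35590 \
        'root:sysadm_r:ping_t:s0-s15:c0.c1023' \
        'root:sysadm_r:example_client_t:s0-s15:c0.c1023'
    gen_loopback_spd
}

# Usage: sh thisfile.sh > setkey.loopback
gen_setkey_config
```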
