I recently had to tell someone how to configure labeled ipsec.
I thought it might be useful to send to this list also.
I realize that I need to still write a decent "Labeled IPsec"
doc and will do so as soon as I get a chance. In the meantime
this "howto" is minimal and serves the basic purpose for anyone 
interested in using or testing. 

Regards,
Joy

P.S. Sorry but my steps for echoing to setkey tended to wrap
around.

======================================================================================

Configuring regular and labeled ipsec.

Note that the type ipsec_spd_t in the policy's security label
is the default type for ipsec policy in the SELinux policy.
Current SELinux policy allows almost all SA types generated
to polmatch with this type. If you decide to create your own ipsec
policy type, you will need to add a policy module such that any SA types
generated as a result of the policy will polmatch to it.
You will also need to allow racoon and setkey to setcontext for the
new policy type you wish to add.

Requirements:
        - 2 machines are required.

        - SELinux is enabled.

        - LSPP configuration has been installed.

        - set IP_A and IP_B to be environment variables containing
          the IP address of machine A and machine B. These need to 
          be set on both machine A and B. If you do not wish to use
          environment variables, just replace $IP_A and $IP_B with
          the ip addresses of machine A and B in the steps below.


A. How to configure labeled ipsec.

Step 1. Configure IPSec Policy on Machine A using the setkey command. 

        echo "spdadd $IP_B $IP_A any -ctx 1 1 \"system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023\" -P in ipsec esp/transport//require;" | setkey -c

        echo "spdadd $IP_A $IP_B any -ctx 1 1 \"system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023\" -P out ipsec esp/transport//require;" | setkey -c

        (Each command is one line. Double quotes are used so that $IP_A and
        $IP_B expand; the quotes around the security context are escaped so
        that setkey still sees them.)


Step 2. Configure IPSec Policy on Machine B using the setkey command. 

        echo "spdadd $IP_B $IP_A any -ctx 1 1 \"system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023\" -P out ipsec esp/transport//require;" | setkey -c

        echo "spdadd $IP_A $IP_B any -ctx 1 1 \"system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023\" -P in ipsec esp/transport//require;" | setkey -c


Step 3. Configure racoon.conf on Machine A and Machine B.
        A minimal example of the /etc/racoon/racoon.conf file:


path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote anonymous
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address;

        lifetime time 2 hours;   # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim


        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}


Step 4. Add entries into psk.txt to identify the shared secret.
        Feel free to use something else besides "flibbertigibbet".
        The first echo creates the file, the second appends to it.
        The file holds the shared secret, so keep it readable by root only.

        echo "$IP_A             flibbertigibbet" > /etc/racoon/psk.txt
        echo "$IP_B             flibbertigibbet" >> /etc/racoon/psk.txt
        chmod 600 /etc/racoon/psk.txt


Step 5. Start racoon on the command line.

        racoon


Step 6. DONE. From machine A, ping machine B to verify the ipsec
        connection is complete and ready.

        ping $IP_B


NOTE:   If you are using an lspp kernel before 65, then IPSec drops the
        first packet because the racoon daemon needs to establish an SA.
        So, after your first ping, wait a few seconds and then ping again.
        This has been fixed in the latest lspp kernel, so if you are using
        the lspp 65-67 kernel, you won't have to do this.

        If the ping is unsuccessful, review steps 1, 2, 3, 4, 5.

Step 7. How to remove IPSec when done. Perform these steps on
        both machine A and machine B.
        
        pkill racoon    (stop the IKE daemon)
        setkey -FP      (flush all ipsec policy from SPD)


B. How to configure regular IPSec.

   The only difference between configuring labeled ipsec and regular
   ipsec is in steps 1 and 2. Remove the labeled ipsec config before
   installing regular ipsec. I suspect you can have both labeled and
   regular ipsec but NOT on the same traffic streams. (I have not tried
   this yet.)
  

Step 1. Configure IPSec Policy on Machine A using the setkey command.

        echo "spdadd $IP_B $IP_A any -P in ipsec esp/transport//require;" | setkey -c

        echo "spdadd $IP_A $IP_B any -P out ipsec esp/transport//require;" | setkey -c


Step 2. Configure IPSec Policy on Machine B using the setkey command.

        echo "spdadd $IP_B $IP_A any -P out ipsec esp/transport//require;" | setkey -c

        echo "spdadd $IP_A $IP_B any -P in ipsec esp/transport//require;" | setkey -c


Step 3. If you have not changed the racoon.conf or psk.txt files from
        above, then at this point you can skip to steps 5-7 in "How to
        configure labeled ipsec". Otherwise, go through steps 3-7 in "How
        to configure labeled ipsec" (the racoon.conf, psk.txt, start, ping
        and removal steps are the same for regular ipsec).
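As an added example (not part of Joy's mail), a small POSIX shell helper that emits the setkey policy lines from steps 1 and 2 of both sections A and B for either machine, using printf instead of the wrapped echo lines so that $IP_A and $IP_B expand and the policy direction is mirrored correctly between the two machines. The side argument, the labeled/plain mode argument and the spd_apply function are the helper's own assumptions.

```shell
#!/bin/sh
# Added helper: print the SPD entries for one machine of the A/B pair.
# Usage: spd_config <A|B> <IP_A> <IP_B> [labeled|plain]
#        spd_config A "$IP_A" "$IP_B" labeled | setkey -c

# Default SELinux context for IPsec policy (ipsec_spd_t), as in the mail.
SPD_CTX='system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023'

spd_config() {
    side=$1; ip_a=$2; ip_b=$3; mode=${4:-labeled}
    # Traffic B->A is inbound on A and outbound on B; A->B is the reverse.
    case "$side" in
        A) dir_ba=in;  dir_ab=out ;;
        B) dir_ba=out; dir_ab=in  ;;
        *) echo "side must be A or B" >&2; return 1 ;;
    esac
    # Section A (labeled) adds -ctx with the SELinux context; section B omits it.
    case "$mode" in
        labeled) ctx=" -ctx 1 1 \"$SPD_CTX\"" ;;
        plain)   ctx="" ;;
        *) echo "mode must be labeled or plain" >&2; return 1 ;;
    esac
    # Double quotes let the addresses expand; the context keeps its own quotes.
    printf 'spdadd %s %s any%s -P %s ipsec esp/transport//require;\n' \
        "$ip_b" "$ip_a" "$ctx" "$dir_ba"
    printf 'spdadd %s %s any%s -P %s ipsec esp/transport//require;\n' \
        "$ip_a" "$ip_b" "$ctx" "$dir_ab"
}

# Load the policies and dump the SPD so you can confirm both entries landed
# before starting racoon (assumed usage; requires setkey on the machine).
spd_apply() {
    command -v setkey >/dev/null 2>&1 || { echo "setkey not found" >&2; return 1; }
    spd_config "$@" | setkey -c && setkey -DP
}
```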

If you have any questions or encounter any problems, please let me know.

Regards,
Joy 

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
