| Message ID | 20200906152721.16448-1-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| State | Superseded |
| Series | network_support: Update LibreSwan configuration |
On 6.9.2020 18.27, Richard Haines wrote:
> Update ipsec.conf file that describes the labeled ipsec entries.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> This was used to test the updated LibreSwan that now supports
> selinux_check_access(3) from https://github.com/libreswan/libreswan
>
>  src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++--
>  1 file changed, 36 insertions(+), 2 deletions(-)
>
> diff --git a/src/network_support.md b/src/network_support.md
> index 36af1f4..4a3fd38 100644
> --- a/src/network_support.md
> +++ b/src/network_support.md
> @@ -452,11 +452,45 @@ Context type identifier has never been defined in any standard. Pluto is > configurable and defaults to '*32001*', this is the IPSEC Security > Association Attribute identifier reserved for private use. Racoon is > hard coded to a value of '*10*', therefore the pluto ***ipsec.conf**(5)* > -file must be configured as follows: > +configuration file *secctx-attr-type* entry must be set as shown in the > +following example: > > ``` > config setup > - secctx-attr-type=10 > + protostack=netkey > + plutodebug=all > + logfile=/var/log/pluto/pluto.log > + logappend=no > + # A "secctx-attr-type" MUST be present: > + secctx-attr-type=10 > + # Labeled IPSEC only supports the following values: > + # 10 = ECN_TUNNEL - Used by racoon(8) > + # 32001 = Default - Reserved for private use (see RFC 2407) > + # These are the "IPSEC Security Association Attributes" > + > +conn selinux_labeled_ipsec_test > + # ikev2 MUST be "no" as labeled ipsec is not yet supported by IKEV2 > + # There is a draft IKEV2 labeled ipsec document (July '20) at: > + # https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03 > + ikev2=no > + auto=start > + rekey=no > + authby=secret # set in '/etc/ipsec.secrets' > + type=transport > + left=192.168.1.198 > + right=192.168.1.148 > + ike=3des-sha1 Since this configuration may set an example for less experienced users who may just copy this without much understanding, would it be possible to use a more modern crypto algorithm? Also libreswan documentation tells that sha1 will be obsoleted in near future. Would something like "ike=aes_gcm256-sha2" work? I don't have a working libreswan setup. https://libreswan.org/man/ipsec.conf.5.html > + phase2=esp > + phase2alg=3des-sha1 How about "phase2alg=aes_gcm256"? -Topi
On Sun, 2020-09-06 at 21:11 +0300, Topi Miettinen wrote:
> On 6.9.2020 18.27, Richard Haines wrote:
> > Update ipsec.conf file that describes the labeled ipsec entries.
> >
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> > This was used to test the updated LibreSwan that now supports
> > selinux_check_access(3) from https://github.com/libreswan/libreswan
> >
> >  src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++--
> >  1 file changed, 36 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/network_support.md b/src/network_support.md
> > index 36af1f4..4a3fd38 100644
> > --- a/src/network_support.md
> > +++ b/src/network_support.md
> > @@ -452,11 +452,45 @@ Context type identifier has never been > > defined in any standard. Pluto is > > configurable and defaults to '*32001*', this is the IPSEC > > Security > > Association Attribute identifier reserved for private use. Racoon > > is > > hard coded to a value of '*10*', therefore the pluto > > ***ipsec.conf**(5)* > > -file must be configured as follows: > > +configuration file *secctx-attr-type* entry must be set as shown > > in the > > +following example: > > > > ``` > > config setup > > - secctx-attr-type=10 > > + protostack=netkey > > + plutodebug=all > > + logfile=/var/log/pluto/pluto.log > > + logappend=no > > + # A "secctx-attr-type" MUST be present: > > + secctx-attr-type=10 > > + # Labeled IPSEC only supports the following values: > > + # 10 = ECN_TUNNEL - Used by racoon(8) > > + # 32001 = Default - Reserved for private use (see RFC 2407) > > + # These are the "IPSEC Security Association Attributes" > > + > > +conn selinux_labeled_ipsec_test > > + # ikev2 MUST be "no" as labeled ipsec is not yet supported by > > IKEV2 > > + # There is a draft IKEV2 labeled ipsec document (July '20) at: > > + # > > https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03 > > + ikev2=no > > + auto=start > > + rekey=no > > + authby=secret # set in '/etc/ipsec.secrets' > > + type=transport > > + left=192.168.1.198 > > + right=192.168.1.148 > > + ike=3des-sha1 > > Since this configuration may set an example for less experienced > users > who may just copy this without much understanding, would it be > possible > to use a more modern crypto algorithm? Also libreswan documentation > tells that sha1 will be obsoleted in near future. Would something > like > "ike=aes_gcm256-sha2" work? I don't have a working libreswan setup. > > https://libreswan.org/man/ipsec.conf.5.html > > > + phase2=esp > > + phase2alg=3des-sha1 > > How about "phase2alg=aes_gcm256"? Thanks for the feedback. 
It appears that racoon does not support aes gcm types so I've changed
them to aes256 and added some comments. This config does work LibreSwan
- Racoon. Is this ok?

    ...
    ike=aes256-sha2 # See NOTE
    phase2=esp
    phase2alg=aes256 # See NOTE
    ...

    # NOTE:
    # The encryption algorithms should be chosen with care and within the
    # constraints of those available for interoperability.
    # Racoon is no longer actively supported and has a limited choice of
    # algorithms compared to LibreSwan.

>
> -Topi
On 7.9.2020 18.20, Richard Haines wrote:
> On Sun, 2020-09-06 at 21:11 +0300, Topi Miettinen wrote:
>> On 6.9.2020 18.27, Richard Haines wrote:
>>> Update ipsec.conf file that describes the labeled ipsec entries.
>>>
>>> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
>>> ---
>>> This was used to test the updated LibreSwan that now supports
>>> selinux_check_access(3) from https://github.com/libreswan/libreswan
>>>
>>>  src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++--
>>>  1 file changed, 36 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/src/network_support.md b/src/network_support.md
>>> index 36af1f4..4a3fd38 100644
>>> --- a/src/network_support.md
>>> +++ b/src/network_support.md
>>> @@ -452,11 +452,45 @@ Context type identifier has never been >>> defined in any standard. Pluto is >>> configurable and defaults to '*32001*', this is the IPSEC >>> Security >>> Association Attribute identifier reserved for private use. Racoon >>> is >>> hard coded to a value of '*10*', therefore the pluto >>> ***ipsec.conf**(5)* >>> -file must be configured as follows: >>> +configuration file *secctx-attr-type* entry must be set as shown >>> in the >>> +following example: >>> >>> ``` >>> config setup >>> - secctx-attr-type=10 >>> + protostack=netkey >>> + plutodebug=all >>> + logfile=/var/log/pluto/pluto.log >>> + logappend=no >>> + # A "secctx-attr-type" MUST be present: >>> + secctx-attr-type=10 >>> + # Labeled IPSEC only supports the following values: >>> + # 10 = ECN_TUNNEL - Used by racoon(8) >>> + # 32001 = Default - Reserved for private use (see RFC 2407) >>> + # These are the "IPSEC Security Association Attributes" >>> + >>> +conn selinux_labeled_ipsec_test >>> + # ikev2 MUST be "no" as labeled ipsec is not yet supported by >>> IKEV2 >>> + # There is a draft IKEV2 labeled ipsec document (July '20) at: >>> + # >>> https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03 >>> + ikev2=no >>> + auto=start >>> + rekey=no >>> + authby=secret # set in '/etc/ipsec.secrets' >>> + type=transport >>> + left=192.168.1.198 >>> + right=192.168.1.148 >>> + ike=3des-sha1 >> >> Since this configuration may set an example for less experienced >> users >> who may just copy this without much understanding, would it be >> possible >> to use a more modern crypto algorithm? Also libreswan documentation >> tells that sha1 will be obsoleted in near future. Would something >> like >> "ike=aes_gcm256-sha2" work? I don't have a working libreswan setup. >> >> https://libreswan.org/man/ipsec.conf.5.html >> >>> + phase2=esp >>> + phase2alg=3des-sha1 >> >> How about "phase2alg=aes_gcm256"? > > Thanks for the feedback. 
> It appears that racoon does not support aes gcm types so I've changed
> them to aes256 and added some comments. This config does work LibreSwan
> - Racoon. Is this ok?

Looks good to me with the caveat that I don't know much about Libreswan,
Racoon and I'm not a crypto expert.

>
>     ...
>     ike=aes256-sha2 # See NOTE
>     phase2=esp
>     phase2alg=aes256 # See NOTE
>     ...
>
>     # NOTE:
>     # The encryption algorithms should be chosen with care and within the
>     # constraints of those available for interoperability.
>     # Racoon is no longer actively supported and has a limited choice of
>     # algorithms compared to LibreSwan.

This is also a great note.

-Topi
diff --git a/src/network_support.md b/src/network_support.md index 36af1f4..4a3fd38 100644 --- a/src/network_support.md +++ b/src/network_support.md @@ -452,11 +452,45 @@ Context type identifier has never been defined in any standard. Pluto is configurable and defaults to '*32001*', this is the IPSEC Security Association Attribute identifier reserved for private use. Racoon is hard coded to a value of '*10*', therefore the pluto ***ipsec.conf**(5)* -file must be configured as follows: +configuration file *secctx-attr-type* entry must be set as shown in the +following example: ``` config setup - secctx-attr-type=10 + protostack=netkey + plutodebug=all + logfile=/var/log/pluto/pluto.log + logappend=no + # A "secctx-attr-type" MUST be present: + secctx-attr-type=10 + # Labeled IPSEC only supports the following values: + # 10 = ECN_TUNNEL - Used by racoon(8) + # 32001 = Default - Reserved for private use (see RFC 2407) + # These are the "IPSEC Security Association Attributes" + +conn selinux_labeled_ipsec_test + # ikev2 MUST be "no" as labeled ipsec is not yet supported by IKEV2 + # There is a draft IKEV2 labeled ipsec document (July '20) at: + # https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03 + ikev2=no + auto=start + rekey=no + authby=secret # set in '/etc/ipsec.secrets' + type=transport + left=192.168.1.198 + right=192.168.1.148 + ike=3des-sha1 + phase2=esp + phase2alg=3des-sha1 + # The 'policy-label' entry is used to determine whether SELinux will + # allow or deny the request using the labels from: + # connection policy label from the applicable SAD entry + # connection flow label from the applicable SPD entry (this is taken + # from the 'conn <name> policy-label' entry). + # selinux_check_access(SAD, SPD, "association", "polmatch", NULL); + policy-label=system_u:object_r:ipsec_spd_t:s0 + leftprotoport=tcp + rightprotoport=tcp ``` The Fedora version of racoon has added functionality to support
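Review bot: the `ike=3des-sha1` and `phase2alg=3des-sha1` lines in the `conn selinux_labeled_ipsec_test` block put legacy 3DES/SHA-1 into a documentation example that readers will copy verbatim; as this thread later settles on, `ike=aes256-sha2` and `phase2alg=aes256` interoperate between LibreSwan and racoon, so use those and keep the comment that racoon's algorithm choice is limited and values must be picked for interoperability. Two smaller points in the same hunk: `plutodebug=all` together with `logfile=/var/log/pluto/pluto.log` is verbose debug logging, so the `config setup` block should say this is a test configuration rather than a production default, and the `policy-label` comment would be clearer if it stated that in `selinux_check_access(SAD, SPD, "association", "polmatch", NULL)` the SAD label is the source context and the SPD label (from `policy-label`) is the target context being checked.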
Update ipsec.conf file that describes the labeled ipsec entries.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
This was used to test the updated LibreSwan that now supports
selinux_check_access(3) from https://github.com/libreswan/libreswan

 src/network_support.md | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)