-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 26 Jun 2006 09:22:26 +0100
Stuart James <stuart(a)secpay.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
We are using Openswan to connect two of our sites together via an
IPsec tunnel. Recently we upgraded from FC3 to FC5 on our frontend
firewalls, including the version of Openswan, SELinux policy,
kernel, etc. We used to run in enforcing mode without any
difficulties; now, with enforcing mode on, Openswan does not seem
to be able to add the route.
Using setenforce 0, the tunnel becomes active. As far as I can
tell, Openswan has difficulty adding the route to the Right/Left
nexthop: although the status of the tunnel appears to be up, the
routing does not appear to take place.
#audit2allow -a -t /var/log/audit/audit.log
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
I've followed this up in more detail, adding to
/usr/src/redhat/SOURCES/serefpolicy-2.2.43/policy/modules/system/sysnetwork.te
# IPsec
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
Every time I added one of these and recompiled the source for the targeted
policy, I got new errors in the audit.log. Although I have added
allow ifconfig_t self:netlink_xfrm_socket read;
I still get it in my audit.log when ipsec restarts:
Shutting down IPsec: Stopping Openswan IPsec...
Cannot talk to rtnetlink: Invalid argument
Cannot talk to rtnetlink: Invalid argument
[ OK ]
Starting IPsec: Starting Openswan IPsec 2.4.4...
insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/key/af_key.ko
insmod /lib/modules/2.6.16-1.2122_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
Cannot talk to rtnetlink: Invalid argument
Cannot talk to rtnetlink: Invalid argument
Any help with this would be great.
Regards,
- --
Stuart James
System Administrator
DDI - (44) 0 1765 643354
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEoRsIr8LwOCpshrYRAsR5AJ9VPKF/6310yBfZ2RJ8ZLrGBRjQKgCeKjux
BKdoOAYwqOxIxVAauFp3M+4=
=g+FV
-----END PGP SIGNATURE-----
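Added example, not part of the thread above or of the Openswan/SELinux projects: the post shows the denials arriving one permission at a time, each rebuild of the policy surfacing the next one. The script below does what audit2allow does for a batch of denials, parsing AVC lines from audit.log, merging the permissions per (source type, target type, class) into one allow rule, and then checking which denied permissions are still not covered by a given block of `.te` text. The AVC lines are constructed sample input in the audit.log format of that era (the pids, timestamps and serial numbers are made up); the two policy fragments are the rules quoted in the post. Field names and regexes are this example's own assumptions about the log and `.te` syntax.

```python
import re
from collections import defaultdict

# Constructed AVC denials in the audit.log format of the time. Sample input
# for this example only; not copied from the original post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151311346.101:201): avc:  denied  { create } for  pid=2301 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151311346.102:202): avc:  denied  { read write } for  pid=2301 comm="ip" path="socket:[9812]" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1151311346.103:203): avc:  denied  { bind setopt } for  pid=2301 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151311346.104:204): avc:  denied  { getattr nlmsg_read write } for  pid=2301 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151311346.105:205): avc:  denied  { read } for  pid=2301 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1151311346.106:206): avc:  denied  { read write } for  pid=2305 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1151311346.106:206): arch=40000003 syscall=102 success=no exit=-13
"""

# The two rules audit2allow produced first (quoted from the post).
INITIAL_TE = """\
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
"""

# Everything the post's author ended up adding to sysnetwork.te.
FULL_TE = """\
# IPsec
allow ifconfig_t self:netlink_xfrm_socket create;
allow ifconfig_t initrc_t:unix_stream_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket setopt;
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t self:netlink_xfrm_socket { bind setopt };
allow ifconfig_t self:netlink_xfrm_socket bind;
allow ifconfig_t self:netlink_xfrm_socket read;
allow ifconfig_t self:netlink_xfrm_socket { bind getattr };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr write };
allow ifconfig_t self:netlink_xfrm_socket { bind getattr nlmsg_read write };
"""

# "avc:  denied  { perm perm } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# "allow src tgt:class perm;"  or  "allow src tgt:class { perm perm };"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+?))\s*;"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def consolidate(lines):
    """Merge all denials into {(source type, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render(rules):
    """Emit one allow rule per key, using 'self' when source and target types match."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        out.append(f"allow {stype} {target}:{tclass} {body};")
    return out


def parse_allow_rules(policy_text):
    """Collect the permissions granted by the allow rules in a block of .te text."""
    granted = defaultdict(set)
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        stype, target, tclass, multi, single = m.groups()
        ttype = stype if target == "self" else target
        granted[(stype, ttype, tclass)] |= set(multi.split()) if multi else {single}
    return granted


def uncovered(denials, policy_text):
    """Denied permissions that no allow rule in policy_text grants yet."""
    granted = parse_allow_rules(policy_text)
    gaps = {}
    for key, perms in denials.items():
        missing = perms - granted.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    denials = consolidate(SAMPLE_AUDIT_LOG.splitlines())
    print("\n".join(render(denials)))
    print("still uncovered by the first two rules:", uncovered(denials, INITIAL_TE))
    print("still uncovered by the full set:", uncovered(denials, FULL_TE))
```

The check compares denials against policy text, not against the policy loaded in the kernel: a permission that `uncovered()` reports as granted but that keeps appearing in audit.log points at a rebuilt policy that was never installed and reloaded, which is worth ruling out before adding further rules.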