[redhat-lspp] using ah and esp protocols in ipsec

Paul Moore paul.moore at hp.com
Tue Oct 17 12:46:30 UTC 2006


On Monday 16 October 2006 7:56 pm, Klaus Weidner wrote:
> On Mon, Oct 16, 2006 at 05:20:46PM -0500, Joy Latten wrote:
> > When ipsec policy is specified as:
> >
> >  spdadd 9.3.189.57 9.3.192.210 any
> >  -ctx 1 1 "system_u:object_r:passwd_t:s3"
> >  -P out ipsec
> >  esp/transport//require ah/transport//require;
> >
> > Since I specified both esp and ah protocols,
> > racoon created 4 SAs, 2 for esp and 2 for AH.
> > All four SAs created had the following security context:
> > security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
> > (A ping resulted in the SAs being created.)
>
> Can you try establishing the SA by using a TCP connection instead of
> ping, for example from a "s2" or "s3" process in this case? Does that
> make any difference?

Another, sorta related concern, is the wrong SA still being used for 
getpeercon()?  If so that should probably be a bugzilla too.

-- 
paul moore
linux security @ hp
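As an added example (not from this thread and not ipsec-tools code), a small checker in the spirit of the report above: it parses a constructed `setkey -D`-style dump, counts SAs per protocol (the thread expects two esp and two ah) and flags every SA whose security context disagrees with the `-ctx` label of the SPD entry. The dump layout is an assumption modelled on the "security context:" line quoted in the thread.

```python
from collections import Counter, namedtuple

# Constructed sample (an assumption modelled on `setkey -D` output with the labeled-IPsec
# "security context:" line): four SAs, two esp and two ah, all carrying the ping_t context.
SAMPLE_SETKEY_D = """\
9.3.189.57 9.3.192.210
    esp mode=transport spi=268435457(0x10000001) reqid=0(0x00000000)
    security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.192.210 9.3.189.57
    esp mode=transport spi=268435458(0x10000002) reqid=0(0x00000000)
    security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.189.57 9.3.192.210
    ah mode=transport spi=268435459(0x10000003) reqid=0(0x00000000)
    security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
9.3.192.210 9.3.189.57
    ah mode=transport spi=268435460(0x10000004) reqid=0(0x00000000)
    security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
"""

# Context demanded by the quoted `spdadd ... -ctx 1 1 "..."` policy.
POLICY_CTX = "system_u:object_r:passwd_t:s3"

SA = namedtuple("SA", "src dst proto ctx")

def parse_setkey_d(text):
    """Collect (src, dst, protocol, security context) for every SA in the dump."""
    sas, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():        # "src dst" header opens a new SA
            src, dst = line.split()[:2]
            cur = {"src": src, "dst": dst, "proto": "?"}
        elif cur is not None:
            s = line.strip()
            if s.startswith(("esp ", "ah ")):
                cur["proto"] = s.split()[0]
            elif s.startswith("security context:"):
                cur_ctx = s.split(":", 1)[1].strip()
                sas.append(SA(cur["src"], cur["dst"], cur["proto"], cur_ctx))
    return sas

def context_mismatches(sas, policy_ctx):
    """SAs whose SELinux type or MLS range differs from the policy context."""
    _, _, want_type, want_level = policy_ctx.split(":", 3)
    return [sa for sa in sas
            if sa.ctx.split(":", 3)[2:] != [want_type, want_level]]

def protocol_counts(sas):
    """Number of SAs per protocol; the thread reports 2 esp + 2 ah."""
    return Counter(sa.proto for sa in sas)
```

Run against a real `setkey -D` dump, an empty mismatch list means every SA was negotiated under the label the SPD entry asked for.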