>>>>>>>>>>cut>>>>>>>>>> westinit.sh <<<<<<<<< /proc/sys/net/core/xfrm_acq_expires [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec auto --add labeled 002 "labeled": added IKEv2 connection [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# echo "initdone" initdone [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# >>>>>>>>>>cut>>>>>>>>>> westrun.sh <<<<<<<<</proc/sys/net/ipv4/tcp_tw_reuse [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec auto --up labeled 181 "labeled" #1: initiating IKEv2 connection 181 "labeled" #1: sent IKE_SA_INIT request 002 "labeled" #1: omitting CHILD SA payloads 182 "labeled" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} 003 "labeled" #1: initiator established IKE SA; authenticated using RSASSA-PSS with SHA2_512 and preloaded certificate '@east' [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# # expect policy but no states [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ../../guestbin/ipsec-look.sh ==== cut ==== DUMP IN: OUTPUT/west.ipsec-look.825.log ==== tuc ==== west Sat May 14 13:34:43 EDT 2022 XFRM state: XFRM policy: src 192.1.2.23/32 dst 192.1.2.45/32 security context system_u:object_r:ipsec_spd_t:s0 dir fwd priority 1753281 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid 16389 mode tunnel src 192.1.2.23/32 dst 192.1.2.45/32 security context system_u:object_r:ipsec_spd_t:s0 dir in priority 1753281 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid 16389 mode tunnel src 192.1.2.45/32 dst 192.1.2.23/32 security context system_u:object_r:ipsec_spd_t:s0 dir out priority 1753281 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid 16389 mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 proto static 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 proto static onlink 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# # trigger an acquire; both ends initiate Child SA [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# echo "quit" | runcon -t netutils_t nc -w 50 -p 4301 -vvv 192.1.2.23 4300 2>&1 | sed "s/received in .*$/received .../" Ncat: Version 7.92 ( https://nmap.org/ncat ) NCAT DEBUG: Using system default trusted CA certificates and those in /usr/share/ncat/ca-bundle.crt. NCAT DEBUG: Unable to load trusted CA certificates from /usr/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory libnsock nsock_iod_new2(): nsock_iod_new (IOD #1) libnsock nsock_connect_tcp(): TCP connection requested to 192.1.2.23:4300 (IOD #1) EID 8 libnsock mksock_bind_addr(): Binding to 0.0.0.0:4301 (IOD #1) [ 34.314438] alg: No test for seqiv(rfc4106(gcm(aes))) (seqiv(rfc4106(gcm_base(ctr(aes-generic),ghash-generic)))) libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.1.2.23:4300] Ncat: Connected to 192.1.2.23:4300. libnsock nsock_iod_new2(): nsock_iod_new (IOD #2) libnsock nsock_read(): Read request from IOD #1 [192.1.2.23:4300] (timeout: -1ms) EID 18 libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26 libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (5 bytes): quit. libnsock nsock_write(): Write request for 5 bytes to IOD #1 EID 35 [192.1.2.23:4300] libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.1.2.23:4300] libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42 libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 42 [peer unspecified] libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 18 [192.1.2.23:4300] Ncat: 5 bytes sent, 0 bytes received ... libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1) libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2) [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ../../guestbin/wait-for.sh --match 'labeled..2.' ipsec trafficstatus 006 #3: "labeled"[2] 192.1.2.23, type=ESP, add_time=0, inBytes=164, outBytes=0, id='@east' [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# # no shunts; two transports; two x two states [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec shuntstatus 000 Bare Shunt list: 000 [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec showstates 000 #1: "labeled":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27804s; REPLACE in 28797s; newest; idle; 000 #2: "labeled"[1] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28045s; REPLACE in 28797s; newest; IKE SA #1; idle; 000 #2: "labeled"[1] 192.1.2.23 esp.141380a2@192.1.2.23 esp.a770d52c@192.1.2.45 tun.0@192.1.2.23 tun.0@192.1.2.45 Traffic: ESPin=0B ESPout=273B ESPmax=0B 000 #3: "labeled"[2] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28528s; REPLACE in 28798s; newest; IKE SA #1; idle; 000 #3: "labeled"[2] 192.1.2.23 esp.57b81ae4@192.1.2.23 esp.ed57f681@192.1.2.45 tun.0@192.1.2.23 tun.0@192.1.2.45 Traffic: ESPin=164B ESPout=0B ESPmax=0B [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ../../guestbin/ipsec-look.sh ==== cut ==== DUMP IN: OUTPUT/west.ipsec-look.888.log ==== tuc ==== west Sat May 14 13:34:46 EDT 2022 XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xed57f681 reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0x1353edc4ed693b94640a1f219e82ffd62f20495108b73980c23c67093ff023b195ff1c31 128 anti-replay esn context: seq-hi 0x0, seq 0x3, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000007 security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0x57b81ae4 reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0x7d2178026ffc1eb0b2fa89832e49a8ff936b5f3c382315bb6a443c654add84941ae73d4e 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000000 security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xa770d52c reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xe8f1a1a0c27a11e55ba046b02fb38bac1e7191ec3beb37b404216a34d276f6bede394f62 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000000 security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0x141380a2 reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0x846724c9d9f3fa23ef95b584632a5c45a7a8ae92d3672b3599154613c988b0f2856d8900 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x5 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000000 security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 XFRM policy: src 192.1.2.23/32 dst 192.1.2.45/32 security context system_u:object_r:ipsec_spd_t:s0 dir fwd priority 1753281 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid 16389 mode tunnel src 192.1.2.23/32 dst 192.1.2.45/32 security context system_u:object_r:ipsec_spd_t:s0 dir in priority 1753281 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid 16389 mode tunnel src 192.1.2.45/32 dst 192.1.2.23/32 security context system_u:object_r:ipsec_spd_t:s0 dir out priority 1753281 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid 16389 mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 proto static 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 proto static onlink 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# # let another on-demand label establish [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# echo "quit" | runcon -u system_u -r system_r -t sshd_t nc -w 50 -vvv 192.1.2.23 22 2>&1 | sed "s/received in .*$/received .../" Ncat: Version 7.92 ( https://nmap.org/ncat ) NCAT DEBUG: Using system default trusted CA certificates and those in /usr/share/ncat/ca-bundle.crt. NCAT DEBUG: Unable to load trusted CA certificates from /usr/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory libnsock nsock_iod_new2(): nsock_iod_new (IOD #1) libnsock nsock_connect_tcp(): TCP connection requested to 192.1.2.23:22 (IOD #1) EID 8 libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.1.2.23:22] Ncat: Connected to 192.1.2.23:22. libnsock nsock_iod_new2(): nsock_iod_new (IOD #2) libnsock nsock_read(): Read request from IOD #1 [192.1.2.23:22] (timeout: -1ms) EID 18 libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26 libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (5 bytes): quit. libnsock nsock_write(): Write request for 5 bytes to IOD #1 EID 35 [192.1.2.23:22] libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.1.2.23:22] libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42 libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 42 [peer unspecified] libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.1.2.23:22] (21 bytes): SSH-2.0-OpenSSH_8.7.. SSH-2.0-OpenSSH_8.7 libnsock nsock_readbytes(): Read request for 0 bytes from IOD #1 [192.1.2.23:22] EID 50 libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [192.1.2.23:22] (36 bytes): Invalid SSH identification string... Invalid SSH identification string. libnsock nsock_readbytes(): Read request for 0 bytes from IOD #1 [192.1.2.23:22] EID 58 libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [192.1.2.23:22] Ncat: 5 bytes sent, 57 bytes received ... libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1) libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2) [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ../../guestbin/wait-for.sh --match 'labeled..3.' ipsec trafficstatus 006 #4: "labeled"[3] 192.1.2.23, type=ESP, add_time=0, inBytes=377, outBytes=429, id='@east' [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# # there should be no shunts [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec shuntstatus 000 Bare Shunt list: 000 [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ipsec showstates 000 #1: "labeled":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27802s; REPLACE in 28795s; newest; idle; 000 #2: "labeled"[1] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28044s; REPLACE in 28796s; newest; IKE SA #1; idle; 000 #2: "labeled"[1] 192.1.2.23 esp.141380a2@192.1.2.23 esp.a770d52c@192.1.2.45 tun.0@192.1.2.23 tun.0@192.1.2.45 Traffic: ESPin=0B ESPout=273B ESPmax=0B 000 #3: "labeled"[2] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28527s; REPLACE in 28797s; newest; IKE SA #1; idle; 000 #3: "labeled"[2] 192.1.2.23 esp.57b81ae4@192.1.2.23 esp.ed57f681@192.1.2.45 tun.0@192.1.2.23 tun.0@192.1.2.45 Traffic: ESPin=164B ESPout=0B ESPmax=0B 000 #4: "labeled"[3] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27836s; REPLACE in 28798s; newest; IKE SA #1; idle; 000 #4: "labeled"[3] 192.1.2.23 esp.a6a3e318@192.1.2.23 esp.8263439c@192.1.2.45 tun.0@192.1.2.23 tun.0@192.1.2.45 Traffic: ESPin=377B ESPout=429B ESPmax=0B [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# ../../guestbin/ipsec-look.sh ==== cut ==== DUMP IN: OUTPUT/west.ipsec-look.942.log ==== tuc ==== west Sat May 14 13:34:48 EDT 2022 XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0x8263439c reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0x82e06182c5e2c1ea844864c6388d26b9fa5017164e2d31522cc95d0f4cc78f3097f87ab4 128 anti-replay esn context: seq-hi 0x0, seq 0x6, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 00000000 00000000 00000000 0000003f security context system_u:system_r:sshd_t:s0-s0:c0.c1023 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xa6a3e318 reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xf9d9b5a9ab86fed059fd831d4c47dada9def388f0c89a1ae51701ce754cdc4f59443fea4 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x8 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000000 security context system_u:system_r:sshd_t:s0-s0:c0.c1023 src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xed57f681 reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0x1353edc4ed693b94640a1f219e82ffd62f20495108b73980c23c67093ff023b195ff1c31 128 anti-replay esn context: seq-hi 0x0, seq 0x3, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000007 security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0x57b81ae4 reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0x7d2178026ffc1eb0b2fa89832e49a8ff936b5f3c382315bb6a443c654add84941ae73d4e 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000000 security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xa770d52c reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0xe8f1a1a0c27a11e55ba046b02fb38bac1e7191ec3beb37b404216a34d276f6bede394f62 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000000 security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0x141380a2 reqid 16389 mode tunnel replay-window 0 flag af-unspec esn aead rfc4106(gcm(aes)) 0x846724c9d9f3fa23ef95b584632a5c45a7a8ae92d3672b3599154613c988b0f2856d8900 128 anti-replay esn context: seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x5 replay_window 128, bitmap-length 4 00000000 00000000 00000000 00000000 security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 XFRM policy: src 192.1.2.23/32 dst 192.1.2.45/32 security context system_u:object_r:ipsec_spd_t:s0 dir fwd priority 1753281 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid 16389 mode tunnel src 192.1.2.23/32 dst 192.1.2.45/32 security context system_u:object_r:ipsec_spd_t:s0 dir in priority 1753281 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid 16389 mode tunnel src 192.1.2.45/32 dst 192.1.2.23/32 security context system_u:object_r:ipsec_spd_t:s0 dir out priority 1753281 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid 16389 mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 proto static 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 proto static onlink 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# echo done done [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive]# >>>>>>>>>>cut>>>>>>>>>> final.sh <<<<<<<<<>>>>>>>>> post-mortem >>>>>>>>>>../../guestbin/post-mortem.sh PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND 1 778 778 778 ? -1 Ssl 0 0:00 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork : : checking shutting down pluto : ipsec whack --shutdown pidof pluto PASS: shutting down pluto : : checking core files : PASS: core files : : checking memory leaks : PASS: memory leaks : : checking reference leaks : PASS: reference leaks : : checking xfrm errors : ERROR: west: XfrmOutNoStates 7 IGNORE: xfrm errors : : checking state/policy entries : PASS: state/policy entries : : checking selinux audit records : type=AVC msg=audit(1652549686.963:185): avc: denied { entrypoint } for pid=925 comm="runcon" path="/usr/bin/ncat" dev="vda1" ino=8666114 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 type=AVC msg=audit(1652549686.980:186): avc: denied { name_connect } for pid=925 comm="nc" dest=22 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1 type=AVC msg=audit(1652549687.158:187): avc: denied { setcontext } for pid=778 comm="pluto" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=association permissive=1 FAIL: selinux audit records saving rules in OUTPUT/post-mortem.west.audit2allow.rules require { type unconfined_service_t; type sshd_t; class association setcontext; } #============= sshd_t ============== corecmd_bin_entry_type(sshd_t) corenet_tcp_connect_ssh_port(sshd_t) #============= unconfined_service_t ============== allow unconfined_service_t sshd_t:association setcontext; : : unload any selinux modules : Unloading ipsecspd semodule -r ipsecspd libsemanage.semanage_direct_remove_key: Removing last ipsecspd module (no other ipsecspd module exists at another priority). [ 56.146208] SELinux: Converting 266 SID table entries... [ 56.154827] SELinux: policy capability network_peer_controls=1 [ 56.155727] SELinux: policy capability open_perms=1 [ 56.156463] SELinux: policy capability extended_socket_class=1 [ 56.157214] SELinux: policy capability always_check_network=0 [ 56.157942] SELinux: policy capability cgroup_seclabel=1 [ 56.158629] SELinux: policy capability nnp_nosuid_transition=1 [ 56.159410] SELinux: policy capability genfs_seclabel_symlinks=0 [ 56.160216] SELinux: policy capability ioctl_skip_cloexec=0 [root@west ikev2-labeled-ipsec-03-multi-acquires-permissive 1]# >>>>>>>>>>cut>>>>>>>>>> done <<<<<<<<<