Would it be possible to add IPsec-labeling to the roadmap?
It allows you to separate different security levels with IPsec as a network solution for Multi-level Security.
Libreswan has something like this, and I was wondering if we could add something like that to strongSwan.
Here are a couple of relevant links:
labeled-ipsec: Whether labeled IPsec should be enabled or not; acceptable values are no (the default) and yes. See also policy-label= and secctx-attr-type=
policy-label: The string representation of an access control security label that is interpreted by the LSM (e.g. SELinux) for use with Labeled IPsec. See also labeled-ipsec= and secctx-attr-type=. For example, policy-label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
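As an added illustration (not part of the original post, and not Libreswan or strongSwan code), the following parses a policy-label= value like the one quoted above into its SELinux fields and applies the standard MLS dominance rule to test whether a flow's label falls inside the policy's sensitivity and category range. The function names and the sample flow label are constructed; the real match decision is made by the LSM policy in the kernel, not by this check.

```python
import re

SENS_RE = re.compile(r"s(\d+)")
CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")

def parse_level(text):
    """Parse one MLS level, e.g. 's15:c0.c1023' -> (15, frozenset of 0..1023)."""
    sens, _, cat_spec = text.partition(":")
    s = SENS_RE.fullmatch(sens)
    if not s:
        raise ValueError(f"bad sensitivity: {sens!r}")
    cats = set()
    for part in filter(None, cat_spec.split(",")):
        c = CAT_RE.fullmatch(part)
        if not c:
            raise ValueError(f"bad category: {part!r}")
        lo, hi = int(c.group(1)), int(c.group(2) or c.group(1))
        if lo > hi:
            raise ValueError(f"reversed category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return int(s.group(1)), frozenset(cats)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_label(label):
    """Split 'user:role:type:low[-high]' into fields plus parsed low/high levels."""
    fields = label.split(":", 3)
    if len(fields) != 4 or not all(fields):
        raise ValueError("expected user:role:type:mls-range")
    user, role, type_, mls = fields
    low_text, has_high, high_text = mls.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if has_high else low
    if not dominates(high, low):
        raise ValueError("high level must dominate low level")
    return {"user": user, "role": role, "type": type_, "low": low, "high": high}

def range_contains(policy_label, flow_label):
    """True if the flow's MLS range lies within the policy label's range."""
    p, f = parse_label(policy_label), parse_label(flow_label)
    return dominates(f["low"], p["low"]) and dominates(p["high"], f["high"])

# Label taken from the policy-label= example quoted on this page.
PAGE_LABEL = "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023"
# Constructed sample flow label (not from the page).
SECRET_FLOW = "user_u:user_r:user_t:s3:c5,c9"
```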
Merge branch 'labeled-ipsec'
This adds support for labeled IPsec with SELinux (and a proprietary mode
that can be used to match child configs). For SELinux support, compile
Other changes include a combined start action (trap|start), avoiding
initiating duplicate CHILD_SAs, updating reqids if dynamic traffic
selectors change, removing reqid errors on policy updates, or querying
specific CHILD_SAs with vici's list-sas command.