Feature #3075
IPsec Labelling
Description
Hi,
Would it be possible to add IPsec-labeling to the roadmap?
It allows you to separate different security levels with IPsec as a network solution for Multi-level Security.
Libreswan has something like this, and I was wondering if we could add something like that to Strongswan.
Here's a couple of relevant links:
IPsec as a MLS solution: http://selinuxproject.org/page/NB_Networking
Libreswan: https://libreswan.org/man/ipsec.conf.5.html
labeled-ipsec
    Whether labeled IPsec should be enabled or not; acceptable values are no (the default) and yes. See also policy-label= and secctx-attr-type=
policy-label
    The string representation of an access control security label that is interpreted by the LSM (e.g. SELinux) for use with Labeled IPsec. See also labeled-ipsec= and secctx-attr-type=. For example, policy-label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
Merge branch 'labeled-ipsec'
This adds support for labeled IPsec with SELinux (and a proprietary mode
that can be used to match child configs). For SELinux support, compile
with --enable-selinux.
Other changes include a combined start action (trap|start), avoiding
initiating duplicate CHILD_SAs, updating reqids if dynamic traffic
selectors change, removing reqid errors on policy updates, or querying
specific CHILD_SAs with vici's list-sas command.
Closes #3075