Bug 1400698

Summary: Typos in section 4.7 (libreswan) of the Security guide
Product: Red Hat Enterprise Linux 7
Reporter: Jim Wildman <jwildman>
Component: doc-Security_Guide
Assignee: Mirek Jahoda <mjahoda>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: low
Priority: unspecified
Version: 7.3
CC: mjahoda, pwouters, rhel-docs
Target Milestone: rc
Keywords: Documentation
Target Release: 7.4
Hardware: All
OS: Linux
Last Closed: 2017-02-08 13:57:29 UTC
Type: Bug
Bug Blocks: 1412988

Description Jim Wildman 2016-12-01 21:28:17 UTC
Description of problem:
At numerous places in section 4.7 of the Security Guide, the term

righsubnet 

is used in configuration examples.  The correct word is

rightsubnet

Also the phrase 

authby=rsasigkey

is invalid.  The correct syntax is

authby=rsasig
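
Added example, not part of the original report or of the Security Guide: a small Python lint that catches both errors described above (a misspelled option name and an invalid authby value) in a conn section before the file is loaded. The keyword subset, the list of accepted authby values, and the sample configuration are assumptions made for this illustration.

```python
import difflib
import re

# Assumption: a small subset of libreswan conn options, enough for this
# example. It is not the complete list from ipsec.conf(5).
KNOWN_KEYS = sorted({
    "left", "right", "leftid", "rightid", "leftsubnet", "rightsubnet",
    "leftrsasigkey", "rightrsasigkey", "authby", "auto", "type", "ikev2",
})
# Assumption: authby values accepted by libreswan 3.x.
AUTHBY_VALUES = sorted({"rsasig", "secret", "secret|rsasig", "never", "null"})

# Constructed sample reproducing the two errors reported in this bug.
SAMPLE = """\
conn mytunnel
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.7
    righsubnet=10.0.2.0/24
    authby=rsasigkey
    auto=start
"""

# Indented "key=value" lines inside a conn section.
OPTION = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")

def suggest(word, choices):
    """Return a ', did you mean ...?' suffix when a close match exists."""
    hint = difflib.get_close_matches(word, choices, n=1)
    return f", did you mean '{hint[0]}'?" if hint else ""

def lint(text):
    """Return (line_no, message) for unknown options and bad authby values."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = OPTION.match(line)
        if not m:
            continue  # section headers, comments, blank lines
        key, value = m.groups()
        if key not in KNOWN_KEYS:
            findings.append((no, f"unknown option '{key}'" + suggest(key, KNOWN_KEYS)))
        elif key == "authby" and value not in AUTHBY_VALUES:
            findings.append((no, f"invalid authby value '{value}'" + suggest(value, AUTHBY_VALUES)))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```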

Comment 2 Mirek Jahoda 2016-12-21 14:22:47 UTC
Hello,

I've just fixed the mentioned bugs in both Security guides (RHEL7 and RHEL6) [1] [2].

Paul, could you please check the chapter and tell me if there is any other fix or update necessary?

Thank you.

[1] http://jenkinscat.gsslab.pnq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-7-Security_Guide%20(html-single)/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#sec-Securing_Virtual_Private_Networks

[2] http://jenkinscat.gsslab.pnq.redhat.com:8080/job/doc-Red_Hat_Enterprise_Linux-6-Security_Guide%20(html-single)/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html


(In reply to Jim Wildman from comment #0)
> Description of problem:
> At numerous places in section 4.7 of the Security Guide, the term
> 
> righsubnet 
> 
> is used in configuration examples.  The correct word is
> 
> rightsubnet
> 
> Also the phrase 
> 
> authby=rsasigkey
> 
> is invalid.  The correct syntax is
> 
> authby=rsasig

Comment 3 Paul Wouters 2017-01-11 00:37:35 UTC
For rhel6 feedback, see rhbz# 1324112. Some of those comments also apply to the rhel7 text (e.g. about PSKs).

for rhel7:

ipsec initnss is run on first start of libreswan if it was not run, so you do not need to specify this. However, it is still needed if you want to set an nss password.

Note for rhel-7.4, based on libreswan 3.19: ipsec newhostkey has been updated and it no longer needs to have an entry in the secrets file, so that part of the option can then be removed. But it is harmless if left in.

For rhel-7.4 as well, showhostkey works slightly differently. It will be:

ipsec showhostkey --list
ipsec showhostkey --left --rsasigkey XXXXX  (from list output)

The "#" also does not need to be removed from ipsec.conf anymore in our current rhel-7.3 version. It is also uncommented to include all *.conf files.

for rhel-7.4 we should add:

- IKEv2 roadwarriors setup
- Enterprise cloud mesh setup

Comment 4 Mirek Jahoda 2017-01-13 10:53:39 UTC
Thank you, Paul.

I'll close this BZ (related to typos) as soon as the updated version of the Security Guide is published on the Customer Portal.

I've already opened BZ [1] for the suggested updates.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1412988

(In reply to Paul Wouters from comment #3)
> For rhel6 feedback, see rhbz# 1324112. Some of those comments also apply to
> the rhel7 text (e.g. about PSKs).
> 
> for rhel7:
> 
> ipsec initnss is run on first start of libreswan if it was not run, so you
> do not need to specify this. However, it is still needed if you want to set
> an nss password.
> 
> note for rhel-7.4, based on libreswan 3.19, ipsec newhostkey has been
> updated and it no longer needs to have an entry in the secrets file, so that
> part of the option can then be removed. But it is harmless if left in.
> 
> For rhel-7.4 as well, showhostkey works slightly differently. It will be:
> 
> ipsec showhostkey --list
> ipsec showhostkey --left --rsasigkey XXXXX  (from list output)
> 
> the "#" also does not need to be removed from ipsec.conf anymore in our
> current rhel-7.3 version. It is also uncommented to include all *.conf files.
> 
> for rhel-7.4 we should add:
> 
> - IKEv2 roadwarriors setup
> - Enterprise cloud mesh setup