Bug 1300751 - IKEv2 support for GSSAPI/Kerberos (requires new RFC)
IKEv2 support for GSSAPI/Kerberos (requires new RFC)
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan (Show other bugs)
7.4
All Linux
medium Severity medium
: rc
: ---
Assigned To: Paul Wouters
BaseOS QE Security Team
:
Depends On: 1300750
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-21 10:48 EST by Paul Wouters
Modified: 2017-08-02 03:00 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1300750
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Wouters 2016-01-21 10:48:33 EST
+++ This bug was initially created as a clone of Bug #1300750 +++

Implement GSSAPI/Kerberos similarly to the IKEv1 version from https://tools.ietf.org/html/draft-ietf-ipsec-isakmp-gss-auth-07

go through the IPsecME WG to get it specified as RFC.
Comment 3 Ondrej Moriš 2017-03-15 09:20:09 EDT
Paul, is this related to rebase item "GSSAPI authentication for cloud/mesh encryption"? Is it the same thing? In either case, could you please describe it briefly from the testing point of view (if possible)?
Comment 4 Paul Wouters 2017-03-16 09:18:07 EDT
Yes it is, but it did not yet come in via a rebase. It will come in as a patch ASAP.

From a testing point of view, you need to have two machines be part of a freeipa domain and then configure a conn using:

conn
  left=1.2.3.4
  right=5.6.7.8
  leftid=@fqdn1
  rightid=@fqdn2
  authby=gssapi
  [other params]
Comment 6 Ondrej Moriš 2017-05-02 12:49:49 EDT
Ping :), are you still feeling optimistic about this in 7.4? We are almost in Beta now (this week). Wouldn't be better to let it wait for 7.5?

Note You need to log in before you can comment on or make changes to this bug.