Re: [strongSwan] route-client error
> up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version `'

Seems that the PLUTO_VERSION environment variable is not set.

> In ipsec.conf, I added: leftupdown=sudo ipsec _updown

Try to add -E to sudo to preserve ENV variables.

> In /etc/sudoers, I added: vpn ALL = NOPASSWD: /usr/local/sbin/ipsec

To allow -E, add SETENV: after NOPASSWD:.

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
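The sudo change suggested in the reply above, written out next to a narrower alternative, as an added example that is not part of the original thread. The drop-in file name, variant B and the restriction of the rule to the `_updown` argument are assumptions not stated on the page.

```sudoers
# /etc/sudoers.d/strongswan-updown   (hypothetical file name)
# Syntax-check before installing:  visudo -cf /etc/sudoers.d/strongswan-updown
# Use exactly one of the two variants below.

# --- Variant A: as suggested in the reply ---------------------------------
# ipsec.conf:   leftupdown=sudo -E ipsec _updown
# SETENV: is what permits -E for this rule. Without it sudo refuses to
# preserve the caller's environment, and with the default env_reset the
# PLUTO_* variables set by pluto never reach the updown script.
# Note that -E carries the whole environment of user vpn into the root
# process, and that the rule covers every ipsec subcommand.
vpn ALL = NOPASSWD: SETENV: /usr/local/sbin/ipsec

# --- Variant B: narrower (assumption, not from the thread) ----------------
# ipsec.conf:   leftupdown=sudo ipsec _updown
# Keep only the variables pluto exports for the updown script, so neither
# -E nor SETENV: is needed, and allow only the _updown subcommand as root.
Defaults:vpn env_keep += "PLUTO_*"
vpn ALL = NOPASSWD: /usr/local/sbin/ipsec _updown
```

With variant B the rest of the environment is still reset by sudo, so a compromise of the unprivileged `vpn` account cannot pass arbitrary variables to the script that runs as root.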
Re: [strongSwan] route-client error
Hi,

I'm sorry to bother you again on this topic, but I really would like to get it to work as a non-privileged user. Charon, on the other hand, works like a charm; sadly pluto doesn't.

This is my setup now:
strongswan runs as user vpn
In ipsec.conf, I added: leftupdown=sudo ipsec _updown
In /etc/sudoers, I added: vpn ALL = NOPASSWD: /usr/local/sbin/ipsec

Still I get the error below on the interface version.
Can you please help me on this? Any idea is appreciated.

Thank you very much.

Kind regards,
Claude

On Friday 09 July 2010 11:32:19 Claude Tompers wrote:
> Hi,
>
> I still get that unknown interface version error if I'm trying to start pluto as non-privileged user, followed by the deletion of the SA.
> Is there some fix to my issue or do I have to run strongswan as root as long as I use pluto?
>
> Thanks a lot for your help.
>
> Kind regards,
> Claude
>
> On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
> > Hi,
> >
> > I've had it already compiled with --with-capabilities=libcap.
> > I've tried sudo'ing and it has changed something, but I think some bits are still missing.
> > Here's the new log error:
> >
> > Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version `'
> > Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client command exited with status 2
> > Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included errno 3: No such process
> > Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found (maybe expired)
> > Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found (maybe expired)
> >
> > Kind regards,
> > Claude
> >
> > On Friday 02 July 2010 12:13:21 Martin Willi wrote:
> > > Hi,
> > >
> > > > I've compiled strongswan with user vpn and group vpn.
> > >
> > > If you use non-root users, you'll need support for capability handling too. Add --with-capabilities=libcap to ./configure.
> > >
> > > > route-client output: Not sufficient rights to flush
> > >
> > > It is not possible to propagate the capabilities to the updown script. Pluto uses the updown script not only for firewalling, but also for route installation. You'll have to run the updown script with root privileges.
> > >
> > > Never tried it, but file system based capability settings might work. Another alternative is to define leftupdown=sudo ipsec _updown and configure sudo accordingly.
> > >
> > > Regards
> > > Martin

--
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Re: [strongSwan] route-client error
Hi,

I still get that unknown interface version error if I'm trying to start pluto as non-privileged user, followed by the deletion of the SA.
Is there some fix to my issue or do I have to run strongswan as root as long as I use pluto?

Thanks a lot for your help.

Kind regards,
Claude

On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
> Hi,
>
> I've had it already compiled with --with-capabilities=libcap.
> I've tried sudo'ing and it has changed something, but I think some bits are still missing.
> Here's the new log error:
>
> Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version `'
> Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client command exited with status 2
> Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included errno 3: No such process
> Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found (maybe expired)
> Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found (maybe expired)
>
> Kind regards,
> Claude
>
> On Friday 02 July 2010 12:13:21 Martin Willi wrote:
> > Hi,
> >
> > > I've compiled strongswan with user vpn and group vpn.
> >
> > If you use non-root users, you'll need support for capability handling too. Add --with-capabilities=libcap to ./configure.
> >
> > > route-client output: Not sufficient rights to flush
> >
> > It is not possible to propagate the capabilities to the updown script. Pluto uses the updown script not only for firewalling, but also for route installation. You'll have to run the updown script with root privileges.
> >
> > Never tried it, but file system based capability settings might work. Another alternative is to define leftupdown=sudo ipsec _updown and configure sudo accordingly.
> >
> > Regards
> > Martin

--
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473