Simon, thank you.
Looks like lowering the number of sockets helps.
BR,
Ruslan.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1549436
Title:
AppArmor kills StrongSwan daemon
Hello Simon,
I'm not really sure whether I should post it here, report a new bug, or report a
bug to the strongswan project directly.
I can reproduce this buffer overflow with 100% probability. It is
resource independent and strongswan fails on t1.micro as well as on any
instance with more resources.
Buffer
Looks like I've found the reason why charon wants to open /dev/tty - just
to report the buffer overflow error:
01[IKE] CHILD_SA ikev2-with-eap-loadtest{221} established with SPIs c26fb333_i
c1ac3989_o and TS 172.31.59.95/32 === 10.0.0.221/32
16[IKE] CHILD_SA ikev2-with-eap-loadtest{222}
> I have no idea what can cause this access to /dev/tty. I never ran into
> this problem on my own server which is similar minus the EAP/RADIUS
> part, I use xauth-generic only.
xauth-eap works differently. It takes the clear-text password from the client
and makes an EAP request to a RADIUS server.
The server serves only incoming VPN requests; it is for mobile road-warriors.
And the error does not occur right after starting strongswan or bringing
tunnels up. So it makes no difference whether I run it with auto=add or not.
Strongswan is serving clients OK. It works for a long time until a first
Hello Simon,
No, I do not have encrypted certs and StrongSwan works well as a service
without user interaction:
# sudo ipsec start --nofork
Starting strongSwan 5.1.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-48-generic, x86_64)
00[CFG] loading ca
Public bug reported:
Under some conditions AppArmor denies /usr/lib/ipsec/charon access to
/dev/tty, which causes a daemon restart:
Feb 24 07:06:04 vpn-01 kernel: [548017.000283] type=1400 audit(1456297564.902:21): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon"
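The kernel audit line quoted in the report is the kind of evidence worth collecting and aggregating when a confined daemon restarts unexpectedly. As an added example (not part of the bug report or of strongSwan), the following Python parses AppArmor type=1400 audit lines and groups DENIED events per profile; the log lines are constructed, and the fields after profile= on the first line are assumptions that complete the truncated entry above.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt. The first line mirrors the DENIED entry
# from the bug report; everything after profile= on it is an assumption.
SAMPLE_LOG = """\
Feb 24 07:06:04 vpn-01 kernel: [548017.000283] type=1400 audit(1456297564.902:21): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=1234 comm="charon" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Feb 24 07:06:05 vpn-01 kernel: [548018.000001] type=1400 audit(1456297565.000:22): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=1234 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 24 07:06:09 vpn-01 sshd[999]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of key=value fields from one kernel AppArmor audit line,
    or None if the line is not an AppArmor audit record."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        # group 3 is the unquoted content of a quoted value, group 4 a bare token
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denials_by_profile(log_text):
    """Group DENIED events as (operation, name, denied_mask) tuples per profile,
    so a spike of denials for one confined binary stands out."""
    result = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get("apparmor") == "DENIED":
            result[f["profile"]].append(
                (f.get("operation"), f.get("name"), f.get("denied_mask")))
    return dict(result)


if __name__ == "__main__":
    for profile, events in denials_by_profile(SAMPLE_LOG).items():
        print(profile)
        for op, name, mask in events:
            print(f"  {op} {name} denied_mask={mask}")
```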