Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor
On 19/03/2015 15:01, James Lay wrote:
> On 2015-03-19 07:22 AM, Fabrice Barconnière wrote:
> > Hello,
> >
> > I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
> > connections are OK. But when I execute the "ipsec statusall" command,
> > it replies: "reading from socket failed: Permission denied"
> >
> > When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> > profile, the command replies correctly.
> >
> > This is the default AppArmor profile:
> >
> >   #include
> >   /usr/lib/ipsec/stroke flags=(audit) {
> >     #include
> >     /etc/strongswan.conf r,
> >     /etc/strongswan.d/ r,
> >     /etc/strongswan.d/** r,
> >     /run/charon.ctl rw,
> >   }
> >
> > I don't find what to add to make the command reply correctly.
> >
> > Any idea?
> >
> > Thanks,
> > Fabrice Barconnière
>
> I am running the same version and I do not see this
> issue...sanitized messages below:
>
> [...]
>
> James

EOLE project[1] is an Ubuntu based distribution. We certainly do something wrong.
When I try strongSwan on a Trusty fresh installation, there is no problem.
We are looking for help on askubuntu site.
Thanks for the replies.

Footnotes:
[1] http://eole.orion.education.fr/diff/

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor
On 2015-03-19 07:22 AM, Fabrice Barconnière wrote:
> Hello,
>
> I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
> connections are OK. But when I execute the "ipsec statusall" command,
> it replies: "reading from socket failed: Permission denied"
>
> When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.
>
> This is the default AppArmor profile:
>
>   #include
>   /usr/lib/ipsec/stroke flags=(audit) {
>     #include
>     /etc/strongswan.conf r,
>     /etc/strongswan.d/ r,
>     /etc/strongswan.d/** r,
>     /run/charon.ctl rw,
>   }
>
> I don't find what to add to make the command reply correctly.
>
> Any idea?
>
> Thanks,
> Fabrice Barconnière

I am running the same version and I do not see this issue...sanitized messages below:

[07:56:06 :~/careful$] dpkg -l | grep strong
ii  libstrongswan                    5.1.2-0ubuntu2.2  i386  strongSwan utility and crypto library
ii  strongswan                       5.1.2-0ubuntu2.2  all   IPsec VPN solution metapackage
ii  strongswan-ike                   5.1.2-0ubuntu2.2  i386  strongSwan Internet Key Exchange (v2) daemon
ii  strongswan-plugin-openssl        5.1.2-0ubuntu2.2  i386  strongSwan plugin for OpenSSL
ii  strongswan-plugin-xauth-generic  5.1.2-0ubuntu2.2  i386  strongSwan plugin for the generic XAuth backend
ii  strongswan-starter               5.1.2-0ubuntu2.2  i386  strongSwan daemon starter and configuration file parser

[07:57:04 :~/careful$] sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-46-generic, i686):
  uptime: 7 days, since Mar 12 05:50:38 2015
  malloc: sbrk 675840, mmap 0, used 184720, free 491120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity xauth-generic addrblock
Virtual IP pools (size/online/offline):
  x.x.x.x: 1/0/0
Listening IP addresses:
  x.x.x.x
  x.x.x.x
Connections:
          rw:  %any...%any  IKEv1/2
          rw:   local:  [C=CH, O=strongSwan, CN=]
          rw:    cert:  "C=CH, O=strongSwan, CN=]
          rw:   remote: uses public key authentication
          rw:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Mar 19 05:03:50 MDT 2015

  System load:  1.66              Processes:           206
  Usage of /:   22.5% of 73.21GB  Users logged in:     1
  Memory usage: 87%               IP address for eth0: x.x.x.x
  Swap usage:   9%                IP address for ppp0: x.x.x.x

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

James
Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor
Hi Fabrice,

On 03/19/2015 09:22 AM, Fabrice Barconnière wrote:
> I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
> connections are OK.
> But when I execute the "ipsec statusall" command, it replies:
> "reading from socket failed: Permission denied"
>
> When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.

Are you running with reduced privileges [1] by any chance?

If yes, then Ubuntu has almost everything in place (properly compiled, user "strongswan" created by the package, etc). The only missing pieces are little tweaks to the charon and stroke AppArmor profiles. Those are available as patches at [2].

Regards,
Simon

1: https://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
2: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1333655
Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor
Hi Fabrice,

> But when I execute the "ipsec statusall" command, it replies:
> "reading from socket failed: Permission denied"
>
> When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.

We don't ship any AppArmor profiles from upstream, so you most likely should report this issue to Ubuntu.

> /run/charon.ctl rw,

Not sure if/how this is symlinked and what paths have been configured in Ubuntu, but usually that socket is opened over /var/run/charon.ctl.

Regards
Martin
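Because the stroke profile carries flags=(audit), AppArmor logs every access the binary makes, and a denial such as the one behind "reading from socket failed: Permission denied" shows up as a DENIED line naming the path actually used (which, following Martin's remark, may be /var/run/charon.ctl rather than /run/charon.ctl). The following POSIX shell helper is an added example, not code from the thread or from strongSwan: it extracts the AppArmor events for one profile from an audit log and lists the denied paths as candidate rules to review; the log lines it uses are constructed for the demo and the socket path in them is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: list the AppArmor events logged against
# one profile (audit mode logs every access; DENIED lines mark the blocked ones)
# and turn the denied paths into candidate rules for manual review.

# Write three constructed AppArmor log lines (sample data for this demo) to $1.
sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1426775010.100:101): apparmor="DENIED" operation="connect" profile="/usr/lib/ipsec/stroke" name="/var/run/charon.ctl" pid=4321 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=AVC msg=audit(1426775010.200:102): apparmor="AUDIT" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/strongswan.conf" pid=4321 comm="stroke" requested_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1426775010.300:103): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/etc/other.conf" pid=999 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# aa_report <logfile> <profile>: print "STATUS operation path mask" per event.
# AUDIT lines only carry requested_mask; DENIED lines also carry denied_mask.
aa_report() {
    awk -v prof="$2" '
        /apparmor="(DENIED|AUDIT)"/ {
            split("", kv)                       # reset the key=value map
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)                # strip the quotes around values
                kv[k] = v
            }
            if (kv["profile"] != prof) next
            mask = ("denied_mask" in kv) ? kv["denied_mask"] : kv["requested_mask"]
            print kv["apparmor"], kv["operation"], kv["name"], mask
        }' "$1"
}

# suggest_rules: from aa_report output on stdin, emit one "<path> <mask>," line
# per distinct DENIED path, with the mask exactly as AppArmor logged it.
suggest_rules() {
    awk '$1 == "DENIED" { print $3 " " $4 "," }' | sort -u
}

# Stand-alone demo on the constructed log.
tmp=$(mktemp)
sample_log "$tmp"
aa_report "$tmp" /usr/lib/ipsec/stroke
aa_report "$tmp" /usr/lib/ipsec/stroke | suggest_rules
rm -f "$tmp"
```

On a real host, point aa_report at /var/log/audit/audit.log (with auditd) or /var/log/kern.log, and treat the suggested lines as a review list for the profile, not as rules to paste blindly.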
[strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor
Hello,

I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and connections are OK. But when I execute the "ipsec statusall" command, it replies: "reading from socket failed: Permission denied"

When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor profile, the command replies correctly.

This is the default AppArmor profile:

  #include
  /usr/lib/ipsec/stroke flags=(audit) {
    #include
    /etc/strongswan.conf r,
    /etc/strongswan.d/ r,
    /etc/strongswan.d/** r,
    /run/charon.ctl rw,
  }

I don't find what to add to make the command reply correctly.

Any idea?

Thanks,
Fabrice Barconnière