Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-23 Thread Fabrice Barconnière

On 19/03/2015 15:01, James Lay wrote:
> On 2015-03-19 07:22 AM, Fabrice Barconnière wrote:
>> Hello,
>>
>> I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
>> connections are OK. But when I execute the "ipsec statusall" command,
>> it replies: "reading from socket failed: Permission denied"
>>
>> When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
>> profile, the command replies correctly.
>>
>> This is the default AppArmor profile:
>>
>> #include 
>>
>> /usr/lib/ipsec/stroke flags=(audit) {
>>   #include 
>>
>>   /etc/strongswan.conf  r,
>>   /etc/strongswan.d/    r,
>>   /etc/strongswan.d/**  r,
>>
>>   /run/charon.ctl   rw,
>> }
>>
>> I don't find what to add to make the command reply correctly.
>>
>> Any idea?
>>
>> Thanks,
>> Fabrice Barconnière
> 
> 
> I am running the same version and I do not see this
> issue...sanitized messages below:
>
> [07:56:06 :~/careful$] dpkg -l | grep strong
> ii  libstrongswan                    5.1.2-0ubuntu2.2  i386  strongSwan utility and crypto library
> ii  strongswan                       5.1.2-0ubuntu2.2  all   IPsec VPN solution metapackage
> ii  strongswan-ike                   5.1.2-0ubuntu2.2  i386  strongSwan Internet Key Exchange (v2) daemon
> ii  strongswan-plugin-openssl        5.1.2-0ubuntu2.2  i386  strongSwan plugin for OpenSSL
> ii  strongswan-plugin-xauth-generic  5.1.2-0ubuntu2.2  i386  strongSwan plugin for the generic XAuth backend
> ii  strongswan-starter               5.1.2-0ubuntu2.2  i386  strongSwan daemon starter and configuration file parser
>
> [07:57:04 :~/careful$] sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-46-generic, i686):
>   uptime: 7 days, since Mar 12 05:50:38 2015
>   malloc: sbrk 675840, mmap 0, used 184720, free 491120
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity xauth-generic addrblock
> Virtual IP pools (size/online/offline):
>   x.x.x.x: 1/0/0
> Listening IP addresses:
>   x.x.x.x
>   x.x.x.x
> Connections:
>   rw:  %any...%any  IKEv1/2
>   rw:   local:  [C=CH, O=strongSwan, CN=]
>   rw:    cert:  "C=CH, O=strongSwan, CN=]
>   rw:   remote: uses public key authentication
>   rw:   child:  192.168.1.0/24 === dynamic TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
>
> Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)
>
>  * Documentation:  https://help.ubuntu.com/
>
>   System information as of Thu Mar 19 05:03:50 MDT 2015
>
>   System load:  1.66               Processes:           206
>   Usage of /:   22.5% of 73.21GB   Users logged in:     1
>   Memory usage: 87%                IP address for eth0: x.x.x.x
>   Swap usage:   9%                 IP address for ppp0: x.x.x.x
>
>   Graph this data and manage this system at:
>   https://landscape.canonical.com/
>
> 0 packages can be updated.
> 0 updates are security updates.
>
> James

The EOLE project[1] is an Ubuntu-based distribution. We certainly do
something wrong. When I try strongSwan on a fresh Trusty installation,
there is no problem.
We are looking for help on the askubuntu site.

Thanks for the replies.


Footnotes:
[1] http://eole.orion.education.fr/diff/
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-19 Thread James Lay

On 2015-03-19 07:22 AM, Fabrice Barconnière wrote:

> Hello,
>
> I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
> connections are OK.
> But when I execute the "ipsec statusall" command, it replies:
> "reading from socket failed: Permission denied"
>
> When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.
>
> This is the default AppArmor profile:
>
> #include 
>
> /usr/lib/ipsec/stroke flags=(audit) {
>   #include 
>
>   /etc/strongswan.conf  r,
>   /etc/strongswan.d/    r,
>   /etc/strongswan.d/**  r,
>
>   /run/charon.ctl   rw,
> }
>
> I don't find what to add to make the command reply correctly.
>
> Any idea?
>
>
> Thanks,
> Fabrice Barconnière



I am running the same version and I do not see this issue...sanitized 
messages below:


[07:56:06 :~/careful$] dpkg -l | grep strong
ii  libstrongswan                    5.1.2-0ubuntu2.2  i386  strongSwan utility and crypto library
ii  strongswan                       5.1.2-0ubuntu2.2  all   IPsec VPN solution metapackage
ii  strongswan-ike                   5.1.2-0ubuntu2.2  i386  strongSwan Internet Key Exchange (v2) daemon
ii  strongswan-plugin-openssl        5.1.2-0ubuntu2.2  i386  strongSwan plugin for OpenSSL
ii  strongswan-plugin-xauth-generic  5.1.2-0ubuntu2.2  i386  strongSwan plugin for the generic XAuth backend
ii  strongswan-starter               5.1.2-0ubuntu2.2  i386  strongSwan daemon starter and configuration file parser


[07:57:04 :~/careful$] sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-46-generic, i686):
  uptime: 7 days, since Mar 12 05:50:38 2015
  malloc: sbrk 675840, mmap 0, used 184720, free 491120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity xauth-generic addrblock

Virtual IP pools (size/online/offline):
  x.x.x.x: 1/0/0
Listening IP addresses:
  x.x.x.x
  x.x.x.x
Connections:
  rw:  %any...%any  IKEv1/2
  rw:   local:  [C=CH, O=strongSwan, CN=]
  rw:    cert:  "C=CH, O=strongSwan, CN=]
  rw:   remote: uses public key authentication
  rw:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none


Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Mar 19 05:03:50 MDT 2015

  System load:  1.66   Processes:   206
  Usage of /:   22.5% of 73.21GB   Users logged in: 1
  Memory usage: 87%IP address for eth0: x.x.x.x
  Swap usage:   9% IP address for ppp0: x.x.x.x


  Graph this data and manage this system at:
https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

James

Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-19 Thread Simon Deziel
Hi Fabrice,

On 03/19/2015 09:22 AM, Fabrice Barconnière wrote:
> I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
> connections are OK.
> But when i execute "ipsec statusall" command, it replies :
> "reading from socket failed: Permission denied"
> 
> When i suppress "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.

Are you running with reduced privileges [1] by any chance?

If yes, then Ubuntu has almost everything in place (properly compiled,
user "strongswan" created by the package, etc.). The only missing pieces
are little tweaks to the charon and stroke AppArmor profiles. Those are
available as patches at [2].

Regards,
Simon


1: https://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
2: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1333655


Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-19 Thread Martin Willi
Hi Fabrice,

> But when i execute "ipsec statusall" command, it replies :
> "reading from socket failed: Permission denied"
> 
> When i suppress "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.

We don't ship any AppArmor profiles from upstream, so you most likely
should report this issue to Ubuntu.

>   /run/charon.ctl   rw,

Not sure if/how this is symlinked and what paths have been configured in
Ubuntu, but usually that socket is opened over /var/run/charon.ctl.

Regards
Martin
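One way to find out which access the stroke profile is actually blocking, as an added example that is not code from this thread, from strongSwan or from Ubuntu: because the profile is loaded with flags=(audit), the kernel logs every access decision for it, and the POSIX sh helper below (assumed name denied_rules_for_profile, run here over constructed sample lines) turns the DENIED entries for a given profile into the rule lines that would have to be added, for instance one for /var/run/charon.ctl if the socket really is opened under that path.

```shell
#!/bin/sh
# Added example, not code from this thread or from strongSwan/Ubuntu: derive
# candidate AppArmor rules for the /usr/lib/ipsec/stroke profile from the
# kernel audit lines it produces. The log lines are constructed for the demo;
# on a real host they come from /var/log/kern.log or /var/log/audit.log.
# The profile carries flags=(audit), so permitted accesses are logged as
# apparmor="AUDIT" and must not be confused with apparmor="DENIED" lines.

SAMPLE_LOG='Mar 19 15:01:02 vpn kernel: [1234.5678] type=1400 audit(1426777262.123:90): apparmor="DENIED" operation="connect" profile="/usr/lib/ipsec/stroke" name="/var/run/charon.ctl" pid=2345 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Mar 19 15:01:02 vpn kernel: [1234.5679] type=1400 audit(1426777262.124:91): apparmor="AUDIT" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/strongswan.conf" pid=2345 comm="stroke" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 19 15:01:03 vpn kernel: [1234.5680] type=1400 audit(1426777263.000:92): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=2300 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# denied_rules_for_profile PROFILE   (audit lines on stdin)
# Prints one de-duplicated "  path perms," line per denied path, ready to be
# pasted into the profile. Execute denials (mask containing x) are skipped
# because AppArmor needs an ix/px/ux qualifier there that cannot be guessed.
denied_rules_for_profile() {
    awk -v want="$1" '
        # strip key= and the surrounding double quotes from key="value"
        function unquote(kv) {
            sub(/^[a-z_]+=/, "", kv)
            return substr(kv, 2, length(kv) - 2)
        }
        index($0, "apparmor=\"DENIED\"") > 0 {
            prof = ""; path = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^profile=/)          prof = unquote($i)
                else if ($i ~ /^name=/)        path = unquote($i)
                else if ($i ~ /^denied_mask=/) mask = unquote($i)
            }
            if (prof != want || path == "" || mask == "" || index(mask, "x")) next
            # reorder the mask letters the way profiles usually list them
            canon = ""; letters = "rwaklm"
            for (j = 1; j <= length(letters); j++) {
                c = substr(letters, j, 1)
                if (index(mask, c)) canon = canon c
            }
            rule = "  " path " " canon ","
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }'
}

# Demo over the constructed sample; for real logs use e.g.
#   grep apparmor= /var/log/kern.log | denied_rules_for_profile /usr/lib/ipsec/stroke
printf '%s\n' "$SAMPLE_LOG" | denied_rules_for_profile /usr/lib/ipsec/stroke
```

Once the missing rule is known, the cleaner fix is to put it in /etc/apparmor.d/local/ (or the patched profiles Simon points at) rather than removing the profile altogether.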



[strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-19 Thread Fabrice Barconnière
Hello,

I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
connections are OK.
But when I execute the "ipsec statusall" command, it replies:
"reading from socket failed: Permission denied"

When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
profile, the command replies correctly.

This is the default AppArmor profile:

#include 

/usr/lib/ipsec/stroke flags=(audit) {
  #include 

  /etc/strongswan.conf  r,
  /etc/strongswan.d/    r,
  /etc/strongswan.d/**  r,

  /run/charon.ctl   rw,
}

I don't find what to add to make the command reply correctly.

Any idea?


Thanks,
Fabrice Barconnière