> I have no idea what can cause this access to /dev/tty. I never ran into
> this problem on my own server which is similar minus the EAP/RADIUS
> part, I use xauth-generic only.

xauth-eap works in a different way. It takes the clear-text password from the client and makes an EAP request to a RADIUS server (in my case EAP-MSCHAPv2). It allows storing user passwords encrypted.

A quick look through the code gives many uses of stdout (as an example), but I'm not expert enough to analyze them (https://git.strongswan.org/?p=strongswan.git&a=search&h=ddf1fc7692889298e04a4c799bf0c2f67b61ebe9&st=grep&s=stdout).

> As such, I'd recommend something like this:
> dpdtimeout=15s
> dpddelay=5s

Thanks for noticing this.

> Again, not related but aren't the 2 rightsourceip= overlapping?

It is a strongSwan feature. It manages the IP pool as shared in such a case. You can either use rightsourceip=%poolname or just use an identical definition in rightsourceip and strongSwan will share the same pool implicitly.

> I honestly don't know why charon tries to access /dev/tty. Are you able
> to see that message on the console or the upstart log when the Apparmor
> profile is disabled?

With the AppArmor profile disabled everything works pretty well. Right now I've just managed to predictably catch this error, and it is not related to the xauth-eap module!

Server 1 (where the error occurs) with almost the same config. Added a load-testing section:

$ sudo cat /etc/ipsec.conf | grep -v '^\s*#' | grep .
config setup
        strictcrlpolicy=yes
        uniqueids = no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        inactivity = 60s
        dpdaction = clear
        dpdtimeout = 6s
        dpddelay = 5s

conn ikev1-psk-xauth
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        [email protected]
        leftauth=psk
        right=%any
        rightsourceip=10.0.0.0/9
        rightauth=psk
        rightauth2=xauth-eap
        auto=add

conn ikev2-with-eap
        keyexchange=ikev2
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftid="C=US, O=server, OU=VPN Dept, CN=test-vpn.server.name, [email protected]"
        leftauth=pubkey
        leftcert=test-vpn.server.name.pem
        right=%any
        rightsourceip=10.0.0.0/16
        rightsendcert=never
        rightauth=eap-radius
        eap_identity=%identity
        auto=add

conn ikev2-with-eap-loadtest
        keyexchange=ikev2
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftid="CN=srv, OU=load-test, O=strongSwan"
        leftauth=pubkey
        leftcert=resp.pem
        right=%any
        rightsourceip=10.0.0.0/16
        rightsendcert=never
        rightauth=eap-radius
        eap_identity=%identity
        auto=add

$ sudo cat /etc/ipsec.secrets | grep -v '^\s*#' | grep .
: RSA test-vpn.server.name.pem
: RSA resp.pem
test-vpn.server.name : PSK "testtest"

Everything else is the same.

Server 2 - load-tester:

$ sudo cat /etc/ipsec.conf | grep -v '^\s*#' | grep .
config setup

$ sudo cat /etc/strongswan.d/charon/load-tester.conf | grep -v '^\s*#' | grep .
load-tester {
    child_rekey = 60
    delay = 500
    delete_after_established = no
    dpd_delay = 20
    eap_password = SECRET
    enable = yes
    ike_rekey = 0
    init_limit = 100000
    initiator_auth = eap-mschap
    initiator_id = loadtest-%d
    issuer_cert = /etc/ipsec.d/cacerts/cacert.pem
    ca_dir = /etc/ipsec.d/cacerts/
    load = yes
    mode = tunnel
    preshared_key = test123
    proposal = aes128-sha1-modp2048
    request_virtual_ip = yes
    responder = x.x.x.x
    responder_auth = pubkey
    shutdown_when_complete = yes
    version = 0
    addrs {
    }
}

As you can see, for load testing ikev2-with-eap is used.

Under some load (about 150 users connected with a 10ms interval) I can see the same errors in the log:

$ sudo cat /var/log/syslog | grep -B 3 -A 2 DENIED
Feb 26 17:22:12 test-vpn-01 charon: 16[NET] received packet: from 172.31.62.150[500] to 172.31.59.95[500] (76 bytes)
Feb 26 17:22:12 test-vpn-01 charon: 16[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Feb 26 17:22:12 test-vpn-01 charon: 16[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Feb 26 17:22:12 test-vpn-01 kernel: [ 779.054434] type=1400 audit(1456507332.177:18): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=4396 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:22:17 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:22:17 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
--
Feb 26 17:26:48 test-vpn-01 charon: 06[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:26:48 test-vpn-01 charon: 04[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:26:48 test-vpn-01 charon: 03[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.002410] type=1400 audit(1456507608.125:19): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5666 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.003152] type=1400 audit(1456507608.125:20): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5665 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:26:53 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:26:53 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
--
Feb 26 17:56:16 test-vpn-01 charon: 05[NET] ignoring IKE_SA setup from 172.31.62.150, peer too aggressive
Feb 26 17:56:16 test-vpn-01 vpn: + loadtest-141 10.0.0.127/32 == 172.31.62.150 -- 172.31.59.95
Feb 26 17:56:16 test-vpn-01 charon: 16[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:56:16 test-vpn-01 kernel: [ 2823.186497] type=1400 audit(1456509376.309:21): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=7829 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:56:21 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:56:21 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
--
Feb 26 17:56:43 test-vpn-01 charon: 06[CFG] received RADIUS Accounting-Response from server '127.0.0.1'
Feb 26 17:56:43 test-vpn-01 charon: 11[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:56:43 test-vpn-01 charon: 13[CFG] received RADIUS Accounting-Response from server '127.0.0.1'
Feb 26 17:56:43 test-vpn-01 kernel: [ 2850.013558] type=1400 audit(1456509403.137:22): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=16398 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:56:48 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:56:48 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

I can provide any additional information about this system or can do some tests.

BR Ruslan.

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1549436

Title:
  AppArmor kills StronSwan daemon 'charon'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1549436/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
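The syslog excerpt in the message above shows the same pattern every time: an AppArmor denial of a read/write open on /dev/tty by the charon profile, and five seconds later a fresh "Starting IKE charon daemon" line, i.e. the daemon went away and was respawned. The script below is an added example, not code from the bug report, from Ubuntu or from strongSwan: it parses syslog-style lines, extracts the key="value" fields of every AppArmor DENIED record for one profile, and pairs each denial with the next daemon start inside a short window, so that "denied open that killed the daemon" can be told apart from "denied open that was merely refused". The first six sample lines are copied from the report; the last two are constructed here (a denial from a made-up other profile, and a charon denial with no restart after it). The year 2016 is an assumption, chosen because the audit(1456507332...) epoch in the report resolves to 2016-02-26 17:22:12 UTC.

```python
"""Correlate AppArmor DENIED audit records with charon daemon restarts.

Added example (not code from the bug report, Ubuntu or strongSwan): for each
AppArmor denial under one profile, find the next "Starting IKE charon daemon"
line within a short window. A denial followed by a restart is what the report
shows; a denial with nothing after it is a refused open the daemon survived.
"""
import re
from datetime import datetime

# Syslog line: "Feb 26 17:22:12 host rest-of-message" (no year in the stamp).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
# key=value or key="quoted value" pairs in the audit payload.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: syslog stamps carry no year; the audit(1456507332...) epoch in the
# report resolves to 2016-02-26 17:22:12 UTC, so 2016 is used for all lines.
YEAR = 2016


def parse_line(line):
    """Classify one syslog line; returns None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    rest = m.group("rest")
    rec = {"ts": ts, "host": m.group("host"), "kind": "other", "fields": {}}
    if 'apparmor="DENIED"' in rest:
        rec["kind"] = "denied"
        for key, val in KV_RE.findall(rest):
            rec["fields"][key] = val[1:-1] if val.startswith('"') else val
    elif "Starting IKE charon daemon" in rest:
        rec["kind"] = "daemon_start"
    return rec


def correlate(lines, profile="/usr/lib/ipsec/charon", window_s=10):
    """For each denial under `profile`, report the first daemon start that
    follows it within `window_s` seconds (None if there is none)."""
    recs = [r for r in (parse_line(line) for line in lines) if r]
    starts = [r["ts"] for r in recs if r["kind"] == "daemon_start"]
    results = []
    for r in recs:
        if r["kind"] != "denied" or r["fields"].get("profile") != profile:
            continue
        gaps = [(s - r["ts"]).total_seconds() for s in starts
                if 0 <= (s - r["ts"]).total_seconds() <= window_s]
        results.append({
            "ts": r["ts"].isoformat(sep=" "),
            "pid": r["fields"].get("pid"),
            "name": r["fields"].get("name"),
            "mask": r["fields"].get("denied_mask"),
            "restart_after_s": min(gaps) if gaps else None,
        })
    return results


# Sample input: lines 1-6 copied from the syslog excerpt in the report,
# lines 7-8 constructed for this example (a denial from a made-up other
# profile, and a charon denial that is not followed by a restart).
SAMPLE_LINES = [
    "Feb 26 17:22:12 test-vpn-01 charon: 16[CFG] sending RADIUS Access-Request to server '127.0.0.1'",
    'Feb 26 17:22:12 test-vpn-01 kernel: [ 779.054434] type=1400 audit(1456507332.177:18): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=4396 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    "Feb 26 17:22:17 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)",
    'Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.002410] type=1400 audit(1456507608.125:19): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5666 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    'Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.003152] type=1400 audit(1456507608.125:20): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5665 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    "Feb 26 17:26:53 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)",
    'Feb 26 17:40:00 test-vpn-01 kernel: [ 1800.000000] type=1400 audit(1456508400.000:90): apparmor="DENIED" operation="open" profile="/usr/sbin/example-other" name="/dev/tty" pid=9999 comm="example" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    'Feb 26 17:45:00 test-vpn-01 kernel: [ 2100.000000] type=1400 audit(1456508700.000:91): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=6000 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LINES):
        verdict = ("daemon restarted %.0fs later" % hit["restart_after_s"]
                   if hit["restart_after_s"] is not None else "no restart seen")
        print(f"{hit['ts']} pid={hit['pid']} {hit['name']} ({hit['mask']}): {verdict}")
```

Run against the sample, the three charon denials copied from the report each come back with a restart 5 s later and the constructed one comes back with none; the denial from the other profile is filtered out unless that profile is passed in. Pointing the same parser at a full /var/log/syslog (one line per list element) gives a quick count of how many of the denials actually cost a daemon restart, which is the number worth tracking while the profile is being fixed.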
