Hi Christian, I did as you said and restarted AppArmor, but for me it is still the same.
The connection is established, but no traffic goes through.

root@vsrv-bicab-2u:/home/VPN# cat /etc/apparmor.d/usr.lib.ipsec.charon
# ------------------------------------------------------------------
#
# Copyright (C) 2016 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# Author: Jonathan Davies <[email protected]>
#         Ryan Harper <[email protected]>
#
# ------------------------------------------------------------------

#include <tunables/global>

/usr/lib/ipsec/charon flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>

  capability ipc_lock,
  capability net_admin,
  capability net_raw,

  # allow priv dropping (LP: #1333655)
  capability chown,
  capability setgid,
  capability setuid,

  # libcharon-extra-plugins: xauth-pam
  capability audit_write,

  # libstrongswan-standard-plugins: agent
  capability dac_override,

  capability net_admin,
  capability net_raw,

  network,
  network raw,

  /bin/dash rmPUx,

  # libchron-extra-plugins: kernel-libipsec
  /dev/net/tun rw,

  /etc/ipsec.conf r,
  /etc/ipsec.secrets r,
  /etc/ipsec.*.secrets r,
  /etc/ipsec.d/ r,
  /etc/ipsec.d/** r,
  /etc/ipsec.d/crls/* rw,
  /etc/opensc/opensc.conf r,
  /etc/strongswan.conf r,
  /etc/strongswan.d/ r,
  /etc/strongswan.d/** r,
  /etc/tnc_config r,
  /proc/sys/net/core/xfrm_acq_expires w,
  /run/charon.* rw,
  /run/pcscd/pcscd.comm rw,
  /usr/lib/ipsec/charon rmix,
  /usr/lib/ipsec/imcvs/ r,
  /usr/lib/ipsec/imcvs/** rm,
  /usr/lib/*/opensc-pkcs11.so rm,
  /var/lib/strongswan/* r,
  @{PROC}/@{pid}/fd/ r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.ipsec.charon>
}

root@vsrv-bicab-2u:/home/VPN# date
Thu Sep 27 15:28:13 UTC 2018

Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] IKE_SA l2tp-ikev2-rw-ah[1] established between 192.168.231.2[C=DE, O=KDLabs, CN=vpnclientAHL2TP@kdlabs]...192.168.231.1[192.168.231.1]
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] scheduling reauthentication in 9729s
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] maximum IKE_SA lifetime 10269s
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] adding DNS server failed
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] adding DNS server failed
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[CFG] handling INTERNAL_IP4_DNS attribute failed
Sep 27 15:28:46 vsrv-bicab-2u kernel: [10627.234397] audit: type=1400 audit(1538062126.282:80): apparmor="DENIED" operation="unlink" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=4190 comm="charon" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
Sep 27 15:28:46 vsrv-bicab-2u kernel: [10627.234408] audit: type=1400 audit(1538062126.282:81): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/run/systemd/resolve/stub-resolv.conf" pid=4190 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=101
Sep 27 15:28:46 vsrv-bicab-2u kernel: [10627.234519] audit: type=1400 audit(1538062126.282:82): apparmor="DENIED" operation="unlink" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=4190 comm="charon" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
Sep 27 15:28:46 vsrv-bicab-2u kernel: [10627.234546] audit: type=1400 audit(1538062126.282:83): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/run/systemd/resolve/stub-resolv.conf" pid=4190 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=101
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] installing new virtual IP 192.168.219.5
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] CHILD_SA l2tp-ikev2-rw-ah{1} established with SPIs c0607158_i c0806fbc_o and TS 192.168.219.4/30 === 192.168.219.0/30
Sep 27 15:28:46 vsrv-bicab-2u charon: 12[IKE] received AUTH_LIFETIME of 10160s, scheduling reauthentication in 9620s

What the four AppArmor lines say: while charon handles the INTERNAL_IP4_DNS attribute pushed by the gateway, it tries to unlink /etc/resolv.conf (requested_mask="d") and to create/write /run/systemd/resolve/stub-resolv.conf (requested_mask="wc", a file owned by non-root uid 101), and the profile printed above has no rule for either path, so both are denied and the two "adding DNS server failed" messages follow. The stub-resolv.conf path suggests /etc/resolv.conf is a symlink into systemd-resolved on this host, which is the Ubuntu 18.04 default. Note that this is a different denial from the one in the bug title: reading /proc/<PID>/fd is already covered by the `@{PROC}/@{pid}/fd/ r,` line in this profile. If the pushed DNS server is actually wanted, the place for the extra rules is the `#include <local/usr.lib.ipsec.charon>` override rather than disabling AppArmor; be aware that an AppArmor `w` rule on those two paths should also cover the unlink, and that it lets whatever DNS server the remote gateway pushes replace the host's resolver configuration — only accept that if the gateway is trusted. The DNS failure by itself does not explain the missing traffic: the CHILD_SA is still installed after the denials, so the traffic selectors or routing probably need a separate look.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1786250

Title:
  strongswan (charon) is rejected by apparmor to read /proc/<PID>/fd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
