The server only answers incoming VPN requests; it serves mobile road-warriors.
The error also does not occur right after starting strongSwan or bringing
tunnels up, so whether the connections use auto=add or not makes no
difference.

strongSwan serves clients fine. It runs for a long time until the first
AppArmor denial. The denial looks somehow related to reauthentication of the
XAuth iOS client, but I can't reproduce it on demand. Sometimes the client
reauthenticates fine, as I can see in the logs, but sometimes I see this error
right after a successful reauth. There are about 5 active clients right now
with 20-30 connections per day, and the server hits the error once or twice a
day. I would not even have noticed it if it did not break accounting on the
RADIUS server.

If ipsec is run in debug mode in the foreground on the console (--nofork),
I don't get this error.


$ sudo cat /etc/ipsec.secrets 
# This file holds shared secrets or RSA private keys for authentication.
# NOTE(review): this file names the server's private key and carries the
# road-warrior group PSK in clear text, so it must stay root-owned and
# mode 0600. The values shown look like placeholders ("simpletestpsk");
# if a real secret was ever pasted into this public bug report, rotate it.

# Presumably the private key for leftcert=vpn.server.name.pem in conn
# ikev2-with-eap (same file name).
: RSA  vpn.server.name.pem
# Group PSK for conn ikev1-psk-xauth (leftauth=psk / rightauth=psk). That
# conn uses leftid=@vpn.server.name (the literal, unresolved form) while
# this selector has no '@' -- presumably it still matches, but confirm
# against the ipsec.secrets(5) selector rules -- TODO confirm
vpn.server.name    : PSK "simpletestpsk"


$ sudo cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # Require a fresh CRL before accepting a peer certificate. Neither
        # conn below authenticates clients by certificate (psk, and
        # eap-radius with rightsendcert=never), so this is effectively inert
        # here; it only matters once a certificate-authenticated conn is added.
        strictcrlpolicy=yes
        # uniqueids is left at its default (yes): a new IKE_SA whose identity
        # is already connected replaces the older one.
        # uniqueids = no

# default options

conn %default
        # IKE_SA lifetime 60 min, CHILD_SA lifetime 20 min; rekeying starts
        # 3 min before expiry.
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        # A single negotiation attempt; the gateway only responds
        # (right=%any, auto=add), so this only affects re-keying.
        keyingtries=1
        # Tear down a CHILD_SA after 60 s without traffic. Together with the
        # 5 s DPD below this means idle mobile clients are torn down and
        # re-established often, i.e. a lot of RADIUS accounting start/stop
        # churn -- presumably intended, but keep it in mind when the
        # accounting records look wrong.
        inactivity = 60s
        # Dead peer detection: probe every 5 s and clear the SAs on a 5 s
        # timeout. dpdtimeout only applies to IKEv1; IKEv2 uses the normal
        # retransmission timeout instead.
        dpdaction = clear
        dpdtimeout = 5s
        dpddelay = 5s


# Add connections here.

conn ikev1-psk-xauth
        # Full tunnel: clients route 0.0.0.0/0 through the gateway, and the
        # _updown script inserts the matching forward/firewall rules.
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        # Literal FQDN identity (the '@' prevents DNS resolution).
        leftid=@vpn.server.name
        # Phase 1 uses the group PSK from ipsec.secrets on both sides. It is
        # shared by every road-warrior, so it only proves group membership;
        # per-user authentication is the XAuth step below.
        leftauth=psk
        right=%any
        # Virtual-IP pool. A /9 is about 8M addresses and contains the
        # 10.0.0.0/16 pool of conn ikev2-with-eap; the two in-memory pools
        # are managed independently, so an address could presumably be
        # leased to an IKEv1 and an IKEv2 client at the same time -- use
        # disjoint pools, sized to the real client count.
        rightsourceip=10.0.0.0/9
        rightauth=psk
        # XAuth credentials are verified through the eap-radius backend
        # (xauth-eap.conf: backend = radius).
        rightauth2=xauth-eap
        # Load the conn and wait for peers; never initiate.
        auto=add

conn ikev2-with-eap
        keyexchange=ikev2
        # Full tunnel with firewall rules from _updown, as in the IKEv1 conn.
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        # NOTE: the DN below appears to have been wrapped by the mail
        # client; in the real file it is presumably one line.
        leftid="C=US, O=Server.name.co, OU=VPN Dept, CN=vpn.server.name, 
E=ad...@server.name"
        # The gateway authenticates with its certificate; the private key is
        # the ': RSA vpn.server.name.pem' entry in ipsec.secrets.
        leftauth=pubkey
        leftcert=vpn.server.name.pem
        right=%any
        # This /16 lies inside the 10.0.0.0/9 pool of conn ikev1-psk-xauth;
        # the pools are independent, so an address could presumably be
        # leased twice -- make the two pools disjoint.
        rightsourceip=10.0.0.0/16
        # Clients never present a certificate; they are authenticated only
        # by EAP relayed to the RADIUS server in eap-radius.conf. %identity
        # makes the gateway ask the client for an EAP identity first.
        rightsendcert=never
        rightauth=eap-radius
        eap_identity=%identity
        auto=add


$ sudo cat /etc/strongswan.conf 
# strongswan.conf - strongSwan configuration file

# Plugin settings come from strongswan.d/charon/*.conf (load_modular), so
# the per-plugin files quoted below are what charon actually runs with.
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        # DNS server handed to clients in the configuration payload. This is
        # a public resolver, so client name lookups leave through the tunnel
        # to 8.8.8.8 -- presumably intended; an internal resolver would keep
        # them inside the organisation.
        dns1 = 8.8.8.8
}

include strongswan.d/*.conf


$ sudo cat /etc/strongswan.d/charon.conf | grep -v '^[[:space:]]*#'| grep .
# Looks like the stock charon.conf with its commented defaults filtered out
# by the grep above: only empty section headers remain, so everything here
# (crypto_test, leak_detective, the processor threads, ...) runs at its
# built-in default.
charon {
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
        priority_threads {
        }
    }
    tls {
    }
    x509 {
    }
}


$ sudo cat /etc/strongswan.d/charon/xauth-eap.conf  | grep -v '^[[:space:]]*#'| 
grep .
# XAuth (conn ikev1-psk-xauth, rightauth2=xauth-eap) verifies the user's
# credentials through the eap-radius plugin, i.e. against the RADIUS server
# configured in eap-radius.conf.
xauth-eap {
    backend = radius
    load = yes
}

$ sudo cat /etc/strongswan.d/charon/eap-radius.conf   | grep -v 
'^[[:space:]]*#'| grep .
eap-radius {
    # Send RADIUS accounting for each session; this is the accounting the
    # reporter sees break when charon is killed.
    accounting = yes
    load = yes
    # RADIUS server on loopback. The shared secret shown is placeholder
    # grade; RADIUS only protects the exchange with an MD5-keyed secret, so
    # even on loopback use a long random value, and rotate it if a real one
    # was ever pasted into this bug report.
    port = 1812
    secret = secret
    server = 127.0.0.1
    # Number of client sockets kept open towards the server.
    sockets = 1000
    # Dynamic Authorization (RFC 5176): accept Disconnect/CoA requests
    # authenticated with dae.secret. 'listen = 0.0.0.0' binds every
    # interface, including the client-facing/Internet one, so anyone who can
    # reach UDP 3799 and knows the secret can drop client sessions. The
    # RADIUS server is on 127.0.0.1, so presumably 'listen = 127.0.0.1' is
    # enough -- otherwise filter 3799/udp down to the RADIUS host.
    dae {
        enable = yes
        listen = 0.0.0.0
        port = 3799
        secret = dae_secret
    }
    # Empty sections: no attribute forwarding, no servers beyond the one
    # above, XAuth at its defaults.
    forward {
    }
    servers {
    }
    xauth {
    }
}

https://bugs.launchpad.net/bugs/1549436

Title:
  AppArmor kills strongSwan daemon 'charon'
